Mitsubishi Electric MELSEC iQ-R Series Uncontrolled Resource Consumption (CVE-2020-5666)

high Tenable OT Security Plugin ID 500495

Synopsis

The remote OT asset is affected by a vulnerability.

Description

Uncontrolled resource consumption vulnerability in MELSEC iQ-R Series CPU Modules (R00/01/02CPU Firmware versions from '05' to '19' and R04/08/16/32/120(EN)CPU Firmware versions from '35' to '51') allows a remote attacker to cause an error in a CPU unit via a specially crafted HTTP packet, which may lead to a denial-of-service (DoS) condition in execution of the program and its communication.

This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Mitsubishi Electric has issued the following firmware versions to address this issue:

- R00/01/02CPU firmware Versions 20 or later
- R04/08/16/32/120(EN)CPU firmware Versions 52 or later

Mitsubishi Electric also recommends the following practices:

- If the web server function is not needed, change the setting for "To Use or Not to Use Web Server” to “Not Use.”
- Use a firewall or virtual private network (VPN), etc., to prevent unauthorized access when Internet access is required.
- Use within a trusted LAN and block access from untrusted networks and hosts through firewall.

For more information about this vulnerability and the associated mitigations, please see the vulnerability information on the Mitsubishi website.

See Also

https://jvn.jp/jp/JVN44764844/index.html

https://jvn.jp/en/jp/JVN44764844/index.html

http://www.nessus.org/u?be987ec8

https://us-cert.cisa.gov/ics/advisories/icsa-20-317-01

Plugin Details

Severity: High

ID: 500495

Version: 1.9

Type: remote

Family: Tenable.ot

Published: 2/7/2022

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2020-5666

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:mitsubishielectric:melsec_iq-r16_firmware, cpe:/o:mitsubishielectric:melsec_iq-r120_firmware, cpe:/o:mitsubishielectric:melsec_iq-r04_firmware, cpe:/o:mitsubishielectric:melsec_iq-r08_firmware, cpe:/o:mitsubishielectric:melsec_iq-r32_firmware, cpe:/o:mitsubishielectric:melsec_iq-r01_firmware, cpe:/o:mitsubishielectric:melsec_iq-r02_firmware, cpe:/o:mitsubishielectric:melsec_iq-r00_firmware

Required KB Items: Tenable.ot/Mitsubishi

Exploit Ease: No known exploits are available

Patch Publication Date: 11/16/2020

Vulnerability Publication Date: 11/16/2020

Reference Information

CVE: CVE-2020-5666

CWE: 400

ICSA: 20-317-01