Severity

High

Analysis Summary

CVE-2021-20609

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVE-2021-20610

The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.

CVE-2021-20611

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties required to process the data safely and correctly.

Impact

• Denial of Service

Affected Vendors

• Mitsubishi Electric

Affected Products

• MELSEC iQ-R Series R04/08/16/32/120(EN)CPU Firmware: Versions 57 and prior
• MELSEC iQ-R Series R08/16/32/120SFCPU: All versions
• MELSEC iQ-R Series R08/16/32/120PCPU Firmware: Versions 29 and prior
• MELSEC iQ-R Series R08/16/32/120PSFCPU: All versions
• MELSEC iQ-R Series R16/32/64MTCPU: All versions
• MELSEC iQ-R Series R12CCPU-V: All versions
• MELSEC Q Series Q03UDECPU Q04/06/10/13/20/26/50/100UDEHCPU: All versions
• MELSEC Q Series Q03/04/06/13/26UDVCPU: The first 5 digits of serial No. 23071 and prior
• MELSEC Q Series Q04/06/13/26UDPVCPU: The first 5 digits of serial No. 23071 and prior
• MELSEC Q Series Q12DCCPU-V Q24DHCCPU-V(G) Q24/26DHCCPU-LS: All versions
• MELSEC Q Series MR-MQ100: All versions
• MELSEC Q Series Q172/173DCPU-S1 Q172/172DSCPU: All versions
• MELSEC L Series L02/06/26CPU(-P) L26CPU-(P)BT: All versions
• MELIPC Series MI5122-VW: All versions
• MELSEC iQ-R Series R00/01/02CPU Firmware: Versions 24 and prior
• MELSEC Q Series Q170MCPU Q170MSCPU(-S1): All versions

Remediation

Refer to CISA Advisory for the patch, upgrade, or suggested workaround information.