Rewterz Threat Advisory – ICS: Mitsubishi Electric MELSEC and MELIPC Series Vulnerabilities

Severity

High

Analysis Summary

CVE-2021-20609 CVSS:7.5
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVE-2021-20610 CVSS:7.5
The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.

CVE-2021-20611 CVSS:7.5
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties required to process the data safely and correctly.

Impact

Denial of Service

Indicators Of Compromise

CVE

• CVE-2021-20609
• CVE-2021-20610
• CVE-2021-20611

Affected Vendors

Mitsubishi Electric

Affected Products

• Mitsubishi Electric MELSEC iQ-R Series R00/01/02CPU firmware 24,
• Mitsubishi Electric MELSEC iQ-R Series R04/08/16/32/120(EN)CPU firmware 57,
• Mitsubishi Electric MELSEC iQ-R Series R08/16/32/120SFCPU,
• Mitsubishi Electric MELSEC iQ-R Series R08/16/32/120PCPU firmware 29,
• Mitsubishi Electric MELSEC iQ-R Series R08/16/32/120PSFCPU,
• Mitsubishi Electric MELSEC iQ-R Series R16/32/64MTCPU,
• Mitsubishi Electric MELSEC iQ-R Series R12CCPU-V,
• Mitsubishi Electric MELSEC Q Series Q03UDECPU- Q04/06/10/13/20/26/50/100UDEHCPU,
• Mitsubishi Electric MELSEC Q Series Q03/04/06/13/26UDVCPU The first 5 digits of serial No. 23071

Remediation

Refer to CISA-CERT Advisory for the patch, upgrade, or suggested workaround information.

CISA-CERT Advisory