Description:

Mitsubishi Electric has released security updates to address a vulnerability in the following products:

• MELSEC iQ-R Series
  • R 00/01/02 CPU, firmware Versions 20 and earlier
  • R 04/08/16/32/120 (EN) CPU, firmware Versions 52 and earlier
  • R 08/16/32/120 SFCPU, firmware Versions 22 and earlier
  • R 08/16/32/120 PCPU, all versions
  • R 08/16/32/120 PSFCPU, all versions
  • R 16/32/64 MTCPU, all versions
• MELSEC Q Series
  • Q03 UDECPU, Q 04/06/10/13/20/26/50/100 UDEHCPU, serial number 22081 and earlier
  • Q 03/04/06/13/26 UDVCPU, serial number 22031 and earlier
  • Q 04/06/13/26 UDPVCPU, serial number 22031 and earlier
  • Q 172/173 DCPU-S1, all versions
  • Q 172/173 DSCPU, all versions
  • Q 170 MCPU(-S1), all versions
  • Q 170 MSCPU（-S1）, all versions
  • MR-MQ100, all versions
• MELSEC L Series
  • L 02/06/26 CPU (-P), L 26 CPU - (P) BT, all versions
• MELSEC iQ-R Series
  • EtherNet/IP Network Interface Module, RJ71EIP91: First 2 digits of serial number are 02 or before.
  • PROFINET IO Controller Module, RJ71PN92: First 2 digits of serial number are 01 or before
  • High Speed Data Logger Module, RD81DL96: First 2 digits of serial number are 08 or before
  • MES Interface Module, RD81MES96N: First 2 digits of serial number are 04 or before
  • OPC UA Server Module, RD81OPC96: First 2 digits of serial number are 04 or before

Threats:

An attacker could exploit these vulnerabilities by doing the following:

• Denial of service attack (DoS)
• Code Injection
• Obtain information
• Execute arbitrary code

Best practice and Recommendations:

The CERT team encourages users to review Mitsubishi Electric security advisory and apply the necessary updates:

• https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-013_en.pdf