Successful exploitation of this remotely exploitable vulnerability, discovered by Tri Quach of Amazon’s Customer Fulfillment Technology Security (CFTS) group, may prevent FTP clients from connecting to the FTP server on MELSEC-Q Series and MELSEC-L Series CPU modules. Only the FTP server function is affected by this vulnerability.
The following versions of MELSEC-Q Series and MELSEC-L Series CPU modules suffer from the issue:
• MELSEC-Q Series
Q03/04/06/13/26UDVCPU: serial number 21081 and prior
Q04/06/13/26UDPVCPU: serial number 21081 and prior
Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU: serial number 21081 and prior
• MELSEC-L Series
L02/06/26CPU, L26CPU-BT: serial number 21101 and prior
L02/06/26CPU-P, L26CPU-PBT: serial number 21101 and prior
L02/06/26CPU-CM, L26CPU-BT-CM: serial number 21101 and prior
A remote attacker can cause the FTP service to enter a denial-of-service condition, depending on the timing at which the attacker connects to the FTP server on the CPU modules listed above.
CVE-2019-13555 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
The product is used mainly in the critical manufacturing sector and is deployed worldwide.
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.
Mitsubishi Electric created a new version of the firmware. Additional information about this vulnerability or Mitsubishi Electric’s compensating control is available by contacting a local Mitsubishi Electric representative.
Mitsubishi Electric recommends that users operate the affected device behind a firewall.