Mitsubishi Electric released new firmware to mitigate an uncontrolled resource consumption vulnerability in its MELSEC-Q series Ethernet module, according to a report with NCCIC.
Successful exploitation of this vulnerability, discovered by Younes Dragoni and Alessandro Di Pinto of Nozomi Networks, may render the device unresponsive, requiring a physical reset of the PLC (Programmable Logic Controller).
MELSEC-Q series Ethernet module QJ71E71-100 serial number 20121 and prior suffers from the remotely exploitable vulnerability.
In the vulnerability, an attacker could send crafted TCP packets against the FTP service, forcing the target devices to enter an error mode and cause a denial-of-service condition.
CVE-2019-10977 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
The product sees use mainly in the critical manufacturing sector. It sees action on a global basis.
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.
Japan-based Mitsubishi Electric released new firmware Version 20122 for the QJ71E71-100 Ethernet module to mitigate the reported vulnerability.
Additional information about the vulnerabilities or Mitsubishi Electric’s compensating control is available by contacting a local Mitsubishi Electric representative.
Mitsubishi Electric recommends users should operate the affected device behind a firewall.