Mitsubishi Electric has new firmware to handle a resource exhaustion vulnerability in its MELSEC-Q series PLCs, according to a report with NCCIC.
Successful exploitation of this remotely exploitable vulnerability, discovered by Tri Quach of Amazon’s Customer Fulfillment Technology Security (CFTS) group, could allow a remote attacker to send specially crafted packets to the device, causing Ethernet communication to stop.
The following MELSEC-Q series PLCs suffer from the issue:
• Q03/04/06/13/26UDVCPU: serial number 20081 and prior
• Q04/06/13/26UDPVCPU: serial number 20081 and prior
• Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU: serial number 20101 and prior
In the vulnerability, a remote attacker can send specific bytes over Port 5007 that will result in an Ethernet stack crash.
CVE-2019-6535 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
The product sees use mainly in the critical manufacturing sector, and it is deployed on a global basis.
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.
Japan-based Mitsubishi Electric has produced a new version of the firmware. Additional information about this vulnerability or Mitsubishi Electric’s compensating control is available by contacting a local Mitsubishi Electric representative.
Mitsubishi Electric recommends that users operate the affected device behind a firewall.
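One way to confirm the firewall recommendation is actually in force, as an added example that is not from Mitsubishi Electric or NCCIC: the script below audits flow records for traffic that reached a PLC on port 5007 from outside an approved engineering range. The log format, the addresses (documentation ranges) and the allowlist are constructed assumptions.

```python
import csv
import io
import ipaddress

MELSEC_PORT = 5007  # port named in the advisory text

# Constructed values for illustration (documentation address ranges).
PLC_ADDRESSES = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.11")}
ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.64/28")]  # engineering stations

# Constructed flow records: time, source, destination, destination port, action.
SAMPLE_FLOWS = """\
2019-03-01T08:00:01Z,192.0.2.66,192.0.2.10,5007,allow
2019-03-01T08:00:05Z,198.51.100.23,192.0.2.10,5007,allow
2019-03-01T08:00:09Z,198.51.100.23,192.0.2.11,5007,deny
2019-03-01T08:00:12Z,203.0.113.7,192.0.2.10,443,allow
2019-03-01T08:00:15Z,203.0.113.7,192.0.2.50,5007,allow
not,a,valid,record,here
"""

def audit_flows(text):
    """Return (exposed, blocked, skipped) for traffic to PLCs on port 5007."""
    exposed, blocked, skipped = [], [], 0
    for row in csv.reader(io.StringIO(text)):
        try:
            ts, src, dst, dport, action = (f.strip() for f in row)
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            skipped += 1  # malformed line: count it, do not guess
            continue
        if dst_ip not in PLC_ADDRESSES or port != MELSEC_PORT:
            continue  # not PLC traffic on the advisory's port
        if any(src_ip in net for net in ALLOWED_SOURCES):
            continue  # expected engineering traffic
        record = (ts, src, dst)
        # "allow" means the packet reached the PLC: the firewall rule is missing.
        (exposed if action.lower() == "allow" else blocked).append(record)
    return exposed, blocked, skipped

if __name__ == "__main__":
    exposed, blocked, skipped = audit_flows(SAMPLE_FLOWS)
    for ts, src, dst in exposed:
        print(f"EXPOSED {ts} {src} -> {dst}:{MELSEC_PORT}")
    print(f"{len(blocked)} blocked, {skipped} unparsable")
```

Any record in the exposed list means an unapproved source reached the PLC's port 5007, so the firewall policy in front of that device needs tightening until the firmware is updated.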