Mitsubishi Electric MELSEC iQ-R, Q, L Series and MELIPC Series (Update B)

1. EXECUTIVE SUMMARY

• CVSS v3 7.5
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Mitsubishi Electric
• Equipment: MELSEC iQ-R, Q, and L Series CPU Module, as well as the MELIPC Series
• Vulnerability: Improper Resource Locking

2. UPDATE INFORMATION

This updated advisory is a follow-up to the advisory titled ICSA-22-172-01 Mitsubishi Electric MELSEC iQ-R, Q, L Series and MELIPC Series (Update A) that was published August 16, 2022 to the ICS webpage on cisa.gov/ics.

3. RISK EVALUATION

Successful exploitation of this vulnerability could result in a denial-of-service condition for Ethernet communication. A system restart would be required to restore functionality.

4. TECHNICAL DETAILS

4.1 AFFECTED PRODUCTS

The following products are affected: 

• MELSEC CPU models 
  • iQ-R Series 
    • R12CCPU-V: Firmware Version 16 and prior
  • Q Series 
    • Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU: Versions with the first 5 digits of serial No. 24061 and prior
    • Q03/04/06/13/26UDVCPU: Versions with the first 5 digits of serial No. 24051 and prior
    • Q04/06/13/26UDPVCPU: Versions with the first 5 digits of serial No. 24051 and prior
      
      
      
      --------- Begin Update B part 1 of 2 --------- 
    • Q12DCCPU-V, Q24DHCCPU-V(G), Q24/26DHCCPU-LS: Versions with the first 5 digits of serial No. 25061 and prior
      
      
      
      --------- Begin Update B part 1 of 2 --------- 
  • L Series 
    • L02/06/26CPU(-P), L26CPU-(P)BT: Versions with the first 5 digits of serial No. 24051 and prior
• MELIPC Series 
  • MI5122-VW: Firmware Version 05 and prior 

4.2 VULNERABILITY OVERVIEW

4.2.1    IMPROPER RESOURCE LOCKING CWE-413

The affected product is vulnerable to improper resource locking caused when an attacker sends a specially crafted packet to the target system. The system must be fully reset to recover.

CVE-2022-24946 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

4.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Japan

4.4 RESEARCHER

Mitsubishi Electric reported this vulnerability to CISA.

5. MITIGATIONS

Mitsubishi has fixed the vulnerability in the following products: 

• MELSEC CPU models 
  • iQ-R Series 
    • R12CCPU-V: Firmware Version 17 or later 
  • Q Series 
    • Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU: Versions with the first 5 digits of serial No. 24062 or later
    • Q03/04/06/13/26UDVCPU: Versions with the first 5 digits of serial No. 24052 or later
    • Q04/06/13/26UDPVCPU: Versions with the first 5 digits of serial No. 24052 or later
      
      
      
      --------- Begin Update B part 2 of 2 ---------
    • Q12DCCPU-V, Q24DHCCPU-V(G), Q24/26DHCCPU-LS: Versions with the first 5 digits of serial No. 25062 or later
      
      
      
      --------- End Update B part 2 of 2 ---------
  • L Series
    • L02/06/26CPU(-P), L26CPU-(P)BT: Versions with the first 5 digits of serial No. 24052 or later
• MELIPC Series 
  • MI5122-VW: Firmware Version 06 or later

Mitsubishi Electric reports that additional fixes for more hardware versions are coming in the near future. Mitsubishi’s recommendations for mitigating the risk of this vulnerability match those of CISA. 

For additional information, such as how to check device or firmware versions, see the Mitsubishi Electric security advisory. 

Please contact Mitsubishi Electric customer support for more information on how to update specific hardware. 

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: 

• Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolate them from the business network.
• When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. 

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. 

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents. 

No known public exploits specifically target this vulnerability.