Mitsubishi Electric MELSEC iQ-R, iQ-L Series and MELIPC Series (Update E)

1. EXECUTIVE SUMMARY

• CVSS v3 7.5
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Mitsubishi Electric
• Equipment: MELSEC iQ-R, iQ-L Series and MELIPC Series
• Vulnerability: Improper Resource Shutdown or Release

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition in the module's ethernet communication.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Mitsubishi Electric reports this vulnerability affects the following MELSEC iQ-R, iQ-L series CPU module, and MELIPC series:

• MELSEC iQ-R Series R00CPU: firmware versions 32 and prior
• MELSEC iQ-R Series R01CPU: firmware versions 32 and prior
• MELSEC iQ-R Series R02CPU: firmware versions 32 and prior
• MELSEC iQ-R Series R04(EN)CPU: firmware versions 65 and prior
• MELSEC iQ-R Series R08(EN)CPU: firmware versions 65 and prior
• MELSEC iQ-R Series R16(EN)CPU: firmware versions 65 and prior
• MELSEC iQ-R Series R32(EN)CPU: firmware versions 65 and prior
• MELSEC iQ-R Series R120(EN)CPU: firmware versions 65 and prior
• MELSEC iQ-R Series R08SFCPU: firmware versions 29 and prior
• MELSEC iQ-R Series R16SFCPU: firmware versions 29 and prior
• MELSEC iQ-R Series R32SFCPU: firmware versions 29 and prior
• MELSEC iQ-R Series R120SFCPU: firmware versions 29 and prior
• MELSEC iQ-R Series R08PSFCPU: firmware versions 08 and prior
• MELSEC iQ-R Series R16PSFCPU: firmware versions 08 and prior
• MELSEC iQ-R Series R32PSFCPU: firmware versions 08 and prior
• MELSEC iQ-R Series R120PSFCPU: firmware versions 08 and prior
• MELSEC iQ-R Series R12CCPU-V: firmware versions 17 and prior
• MELSEC iQ-L Series L04HCPU (sold in limited regions): firmware versions 05 and prior
• MELSEC iQ-L Series L08HCPU (sold in limited regions): firmware versions 05 and prior
• MELSEC iQ-L Series L16HCPU (sold in limited regions): firmware versions 05 and prior
• MELSEC iQ-L Series L32HCPU (sold in limited regions): firmware versions 05 and prior
• MELIPC Series MI5122-VW: firmware versions 07 and prior

3.2 Vulnerability Overview

3.2.1 IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404

A denial-of-service vulnerability due to improper resource shutdown or release exists in Mitsubishi Electric MELSEC iQ-R, iQ-L series CPU module, and MELIPC series. This vulnerability could allow a remote attacker to cause a denial-of-service condition in the module's ethernet communication by sending specially crafted packets.

CVE-2022-33324 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Electric fixed the following products:

• MELSEC iQ-R Series R00CPU: firmware versions 33 or later
• MELSEC iQ-R Series R01CPU: firmware versions 33 or later
• MELSEC iQ-R Series R02CPU: firmware versions 33 or later
• MELSEC iQ-R Series R04(EN)CPU: firmware versions 66 or later
• MELSEC iQ-R Series R08(EN)CPU: firmware versions 66 or later
• MELSEC iQ-R Series R16(EN)CPU: firmware versions 66 or later
• MELSEC iQ-R Series R32(EN)CPU: firmware versions 66 or later
• MELSEC iQ-R Series R120(EN)CPU: firmware versions 66 or later
• MELSEC iQ-R Series R08SFCPU: firmware versions 30 or later
• MELSEC iQ-R Series R16SFCPU: firmware versions 30 or later
• MELSEC iQ-R Series R32SFCPU: firmware versions 30 or later
• MELSEC iQ-R Series R120SFCPU: firmware versions 30 or later
• MELSEC iQ-R Series R08PSFCPU: firmware versions 09 or later
• MELSEC iQ-R Series R16PSFCPU: firmware versions 09 or later
• MELSEC iQ-R Series R32PSFCPU: firmware versions 09 or later
• MELSEC iQ-R Series R120PSFCPU: firmware versions 09 or later
• MELSEC iQ-R Series R12CCPU-V: firmware versions 18 or later
• MELSEC iQ-L Series L04HCPU: firmware versions 06 or later
• MELSEC iQ-L Series L08HCPU: firmware versions 06 or later
• MELSEC iQ-L Series L16HCPU: firmware versions 06 or later
• MELSEC iQ-L Series L32HCPU: firmware versions 06 or later
• MELIPC Series MI5122-VW: firmware versions 08 or later

Mitsubishi Electric offers the following countermeasures for users:

• MELSEC iQ-R series products: Refer to "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual to check if the firmware version of your product is updatable.
  • For updatable products: Download a fixed firmware update file from the Mitsubishi Electric site and update the firmware. Refer to "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual for information on how to update the firmware.
  • For non-updatable products: Follow the mitigation measures below. Mitsubishi Electric has released fixed versions as shown above, but the products cannot be updated.
• MELIPC Series or MELSEC iQ-L Series products: Follow the mitigation measures below. Mitsubishi Electric has released fixed versions as shown above, but the products cannot be updated.

Mitsubishi Electric recommends users take mitigation measures to minimize the risk of exploiting this vulnerability:

• Use a firewall, virtual private network (VPN), or other means to prevent unauthorized access when internet access is required.
• Use the product inside a local area network (LAN) and use firewalls to block access from untrusted networks and hosts.
• Use an IP filter function to block access from untrusted hosts. For details on the remote password function and IP filter function, users can refer to the following manual for each product:
  • MELSEC iQ-R Ethernet User's Manual (Application) 1.13 Security "IP filter."
  • MELSEC iQ-L CPU module User's Manual (Application) 24.1 "IP filter Function."
  • MELSEC iQ-R C Controller Module User's Manual (Application) 6.6 Security Function "IP filter."
  • MELIPC MI5000 Series User's Manual (Application) "11.3 IP Filter Function."

For specific update instructions and additional details, see Mitsubishi Electric advisory 2022-018.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• December 22, 2022: Initial Publication
• July 13, 2023: Update A - Added new mitigation information for MELSEC iQ-R Series R08/16/32/120SFCPU firmware
• December 12, 2023: Update B - Added new mitigation information for MELSEC iQ-R Series R12CCPU-V firmware
• May 30, 2024: Update C - Added new mitigation information for MELIPC Series
• July 9, 2024: Update D - Added new mitigation information for MELSEC iQ-L Series
• September 5, 2024: Update E - Added MELSEC iQ-R Series R08/16/32/120PSFCPU

• Mitsubishi Electric