Mitsubishi Electric CC-Link IE TSN Products Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in multiple CC-Link IE TSN products, including Remote I/O modules, Analog-Digital and Digital-Analog Converter modules, FPGA modules, and the CC-Link IE TSN Remote Station Communication LSI CP620 with GbE-PHY. This vulnerability allows a remote, unauthenticated attacker to disrupt the normal operation of the affected products by sending specially crafted UDP packets. The issue arises from improper validation of input quantity, which can lead to a condition where the product fails to process valid UDP packets within a specified timeframe, causing a system reset and requiring manual recovery.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing the affected product to stop functioning properly and require a system reset for recovery.

Remediation

Users can update to the fixed versions of the affected products. For the CC-Link IE TSN Remote Station Communication LSI CP620 with GbE-PHY, version 1.09K or later is recommended. Detailed update procedures are available in the 'CC-Link IE TSN Firmware Update Tool Reference Manual' and on the Mitsubishi Electric FA download page.