Mitsubishi Electric MELSEC iQ-F Series CPU Modules Information Disclosure and Denial-of-Service Vulnerability

Vulnerability

An improper validation of specified index, position, or offset in input vulnerability has been identified in Mitsubishi Electric MELSEC iQ-F Series CPU modules. A remote, unauthenticated attacker who sends specially crafted packets to the affected product can read information from it, cause a denial-of-service (DoS) condition in MELSOFT connections, or disrupt the operation of the CPU module itself, which also results in a DoS condition. Recovery requires a manual reset of the affected product.

Impact

Exploitation of this vulnerability can lead to unauthorized information disclosure, disruption of MELSOFT connections, and interference with the normal operation of the CPU module, causing a DoS condition that requires the product to be reset for recovery.

Remediation

Mitsubishi Electric has no plans to release a fixed version for this vulnerability. Customers are instead advised to use firewalls or virtual private networks (VPNs) to prevent unauthorized access when internet connectivity is necessary. Within a local area network (LAN), access from untrusted networks or hosts should be blocked by a firewall, and the CPU module's IP filter function can be used to block access from untrusted hosts. Additionally, physical access to the affected products and to the connected LAN should be restricted.
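The firewall control recommended above, as an added example that is not part of the advisory and not Mitsubishi Electric's own guidance: a POSIX shell function that generates an nftables ruleset for a Linux gateway sitting between the plant network and the PLC segment. It assumes the gateway forwards traffic for the PLC (forward hook), that only an explicit list of engineering workstations is trusted, and that all other traffic to the CPU module is logged and dropped. The PLC and workstation addresses are constructed placeholders; the MELSOFT port numbers are deliberately not assumed, so the rule covers every protocol destined for the CPU module.

```shell
#!/bin/sh
# Added example (not from the advisory or Mitsubishi Electric): build an
# nftables ruleset that lets only trusted engineering hosts reach a MELSEC
# iQ-F CPU module and drops everything else destined for it.
# All IP addresses used below are constructed placeholders.

# gen_plc_allowlist PLC_IP TRUSTED_HOST [TRUSTED_HOST ...]
# Prints the ruleset to stdout; apply it with: gen_plc_allowlist ... | nft -f -
gen_plc_allowlist() {
    plc_ip="$1"
    shift
    trusted=""
    for h in "$@"; do
        if [ -z "$trusted" ]; then
            trusted="$h"
        else
            trusted="$trusted, $h"
        fi
    done
    cat <<EOF
table inet plc_filter {
    set trusted_hosts {
        type ipv4_addr
        elements = { $trusted }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Trusted engineering workstations may open and keep MELSOFT sessions to the PLC
        ip daddr $plc_ip ip saddr @trusted_hosts ct state new,established accept
        # Every other packet addressed to the PLC is logged and dropped,
        # so crafted packets from untrusted hosts never reach the CPU module
        ip daddr $plc_ip log prefix "plc-blocked: " drop
    }
}
EOF
}

# Constructed usage: one PLC and two trusted engineering workstations
gen_plc_allowlist 192.0.2.50 192.0.2.10 192.0.2.11
```

The "plc-blocked:" log prefix gives the SOC a simple detection hook: any hit on that rule is a host on the LAN attempting to talk to the CPU module outside the allow-list, which is exactly the traffic this advisory says cannot be patched away. The gateway rule complements, rather than replaces, the CPU module's own IP filter function mentioned above.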

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 5.0
exploitability: 7.8
remediation: 0.0
relevance: 0.1
threat: 0.0
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.