CVE-2020-5652 in MELSEC iQ-R

Summary

by MITRE • 11/03/2020

Uncontrolled resource consumption vulnerability in Ethernet Port on MELSEC iQ-R, Q and L series CPU modules (R 00/01/02 CPU firmware versions '20' and earlier, R 04/08/16/32/120 (EN) CPU firmware versions '52' and earlier, R 08/16/32/120 SFCPU firmware versions '22' and earlier, R 08/16/32/120 PCPU all versions, R 08/16/32/120 PSFCPU all versions, R 16/32/64 MTCPU all versions, Q03 UDECPU, Q 04/06/10/13/20/26/50/100 UDEHCPU serial number '22081' and earlier, Q 03/04/06/13/26 UDVCPU serial number '22031' and earlier, Q 04/06/13/26 UDPVCPU serial number '22031' and earlier, Q 172/173 DCPU all versions, Q 172/173 DSCPU all versions, Q 170 MCPU all versions, Q 170 MSCPU all versions, L 02/06/26 CPU (-P) and L 26 CPU - (P) BT all versions) allows a remote unauthenticated attacker to stop the Ethernet communication functions of the products via a specially crafted packet, which may lead to a denial of service (DoS) condition.


Analysis

by VulDB Data Team • 12/01/2020

This vulnerability is a critical uncontrolled resource consumption flaw in the Ethernet communication functions of Mitsubishi Electric's MELSEC iQ-R, Q and L series CPU modules. When an affected firmware version processes a specially crafted network packet, the CPU module consumes excessive system resources until its Ethernet communication stops entirely. The affected product line spans R series CPUs at several firmware levels, numerous Q series CPU variants (UDECPU, UDEHCPU, UDVCPU, UDPVCPU, DCPU, DSCPU, MCPU, MSCPU), and L series CPUs. Exposure is determined by firmware version or serial number at or below the thresholds listed in the summary; for several models every version is affected, which makes the flaw widespread across industrial control environments built on these platforms.

Exploitation requires only network reachability: a remote, unauthenticated attacker sends crafted packets to the Ethernet port of an affected CPU module, and processing them exhausts memory or processing cycles in the Ethernet handling code until the communication functions become non-operational. The attack works at the network protocol level and needs no credentials or special access, because the industrial protocols served on these ports do not authenticate the sender. That makes it particularly dangerous in industrial environments where network access to controllers is limited but not absent, and where operators may not expect such traffic to originate outside the control network.

The operational impact extends beyond a simple service interruption, because industrial control systems depend on Ethernet communication for data exchange, monitoring and control. Once Ethernet communication fails, operators lose remote access to and configuration of the affected device, which can prolong downtime during maintenance or emergency response. In critical infrastructure this can mean production halts, safety system failures, or an inability to respond to process emergencies, with cascading effects on connected systems. Closed-loop control environments are hit hardest: the loss of communication propagates through the automation network, affecting multiple interconnected devices and potentially causing widespread operational disruption.

Mitigation starts with updating affected modules to the fixed firmware versions recommended in Mitsubishi Electric's security advisories; for models where the summary lists all versions as affected, the compensating controls below carry the main weight. Organizations should inventory every affected device across their industrial control networks and prioritize remediation by operational criticality. Network segmentation and access controls should limit exposure of these devices to untrusted networks, and monitoring should be in place to detect anomalous traffic toward controller Ethernet ports that could indicate exploitation attempts. The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) and, in MITRE ATT&CK terms, is a denial of service against operational technology infrastructure. Regular security assessments and vulnerability management processes should cover industrial control system components so that similar network-based attacks on operational technology environments are caught early.
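The inventory step above is easy to get wrong by hand because the affected set mixes firmware thresholds, serial-number thresholds and "all versions" entries. The following is an added example (not VulDB's or Mitsubishi Electric's code) that encodes the affected-version table from the summary and classifies records from an asset inventory as affected, not affected, or unknown. The inventory records are constructed; the rule that the five-digit serial thresholds are compared against the leading five digits of a module's serial number is an assumption, as is the normalization of model names by stripping whitespace.

```python
"""Flag MELSEC CPU modules affected by CVE-2020-5652 from an asset inventory.

Added example. The affected-version table is transcribed from the CVE
description; the inventory data below is constructed, and the serial-number
comparison (leading five digits) is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    pattern: str              # regex matched against the normalized model name
    field: str                # "firmware", "serial", or "all"
    max_value: Optional[str]  # inclusive upper bound, None when field == "all"


# One rule per group in the CVE description; patterns are disjoint.
AFFECTED: List[Rule] = [
    Rule(r"^R0[012]CPU$", "firmware", "20"),
    Rule(r"^R(04|08|16|32|120)(EN)?CPU$", "firmware", "52"),
    Rule(r"^R(08|16|32|120)SFCPU$", "firmware", "22"),
    Rule(r"^R(08|16|32|120)P(SF)?CPU$", "all", None),
    Rule(r"^R(16|32|64)MTCPU$", "all", None),
    Rule(r"^Q03UDECPU$", "serial", "22081"),
    Rule(r"^Q(04|06|10|13|20|26|50|100)UDEHCPU$", "serial", "22081"),
    Rule(r"^Q(03|04|06|13|26)UDVCPU$", "serial", "22031"),
    Rule(r"^Q(04|06|13|26)UDPVCPU$", "serial", "22031"),
    Rule(r"^Q17[23]DS?CPU$", "all", None),
    Rule(r"^Q170MS?CPU$", "all", None),
    Rule(r"^L(02|06|26)CPU(-P)?$", "all", None),
    Rule(r"^L26CPU-P?BT$", "all", None),
]


def classify(model: str, firmware: Optional[str] = None,
             serial: Optional[str] = None) -> str:
    """Return 'affected', 'not_affected', or 'unknown'.

    'unknown' means the model is in scope but the firmware/serial value needed
    for the comparison is missing or unparsable, so it must be checked by hand
    rather than silently treated as safe.
    """
    name = re.sub(r"\s+", "", model).upper()  # assumption: spacing is noise
    for rule in AFFECTED:
        if not re.match(rule.pattern, name):
            continue
        if rule.field == "all":
            return "affected"
        value = firmware if rule.field == "firmware" else serial
        if value is None:
            return "unknown"
        digits = re.match(r"\d+", value.strip())
        if digits is None:
            return "unknown"
        if rule.field == "serial":
            # Assumption: the CVE's five-digit serial threshold refers to the
            # leading five digits of the module's serial number.
            observed = int(digits.group()[:5])
        else:
            observed = int(digits.group())  # firmware '20' <= '20' is affected
        return "affected" if observed <= int(rule.max_value) else "not_affected"
    return "not_affected"  # model not listed in the advisory


# Constructed sample inventory; hostnames, models and values are made up.
INVENTORY: List[Dict[str, str]] = [
    {"host": "plc-line1", "model": "R04CPU", "firmware": "49"},
    {"host": "plc-line2", "model": "R04ENCPU", "firmware": "53"},
    {"host": "plc-line3", "model": "Q06UDEHCPU", "serial": "22081000000000"},
    {"host": "plc-line4", "model": "Q06UDEHCPU", "serial": "22082000000000"},
    {"host": "plc-safety", "model": "R16SFCPU"},  # firmware not recorded
    {"host": "motion-1", "model": "Q172DSCPU", "firmware": "05"},
    {"host": "plc-old", "model": "L26CPU-PBT", "serial": "18020000000000"},
    {"host": "hmi-1", "model": "GT2710", "firmware": "01"},  # not a listed CPU
]


def check_inventory(records: List[Dict[str, str]]) -> Dict[str, str]:
    """Map each host to its status so 'unknown' entries can be queued for review."""
    return {r["host"]: classify(r["model"], r.get("firmware"), r.get("serial"))
            for r in records}


if __name__ == "__main__":
    for host, status in sorted(check_inventory(INVENTORY).items()):
        print(f"{host:12s} {status}")
```

Treating missing data as "unknown" rather than "not affected" is deliberate: in a plant inventory the records most likely to lack a firmware or serial value are the oldest modules, which are also the ones most likely to fall under the thresholds.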

Reservation

01/06/2020

Disclosure

11/03/2020

Moderation

accepted

CPE

ready

EPSS

0.02972

KEV

no

Activities

very low

Sources
