Mitsubishi Electric MELSEC iQ-F Series CPU Module

View CSAF

1. EXECUTIVE SUMMARY CVSS v3 5.3 ATTENTION: Exploitable remotely/low attack complexity Equipment: MELSEC iQ-F Series Vulnerability: Improper Restriction of Excessive Authentication Attempts
2. RISK EVALUATION Successful exploitation of this vulnerability could allow a remote attacker to prevent legitimate users from logging into the web server function for a certain period, resulting in a denial-of-service condition. The impact of this vulnerability will persist while the attacker continues to attempt the attack.
3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Mitsubishi Electric MELSEC iQ-F Series products are affected (Products with * are sold in limited regions): FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS (Serial number 17X**** and later): All versions FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS (Serial number 179**** and prior): Versions 1.060 or later FX5UC-xMy/z x=32,64,96, y=T, z=D,DSS (Serial number 17X**** and later): All versions FX5UC-xMy/z x=32,64,96, y=T, z=D,DSS (Serial number 179**** and prior): Versions 1.060 or later FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS: All versions FX5UJ-xMy/z x=24,40,60, y=T,R, z=ES,DS,ESS,DSS: All versions FX5UJ-xMy/ES-A* x=24,40,60, y=T,R: All versions FX5S-xMy/z x=30,40,60,80*, y=T,R, z=ES,ESS: All versions 3.2 Vulnerability Overview 3.2.1 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307 A denial-of-service vulnerability exists in the web server function of the MELSEC iQ-F Series CPU module, which could allow an attacker to prevent legitimate users from logging in to the web server function for a certain period of time. The impact of this vulnerability will persist while the attacker continues to attempt the attack. CVE-2023-4625 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing COUNTRIES/AREAS DEPLOYED: Worldwide COMPANY HEADQUARTERS LOCATION: Japan 3.4 RESEARCHER Peter Cheng from ELEX FEIGONG RESEARCH INSTITUTE of Elex Cybersecurity, Inc. reported this vulnerability to Mitsubishi Electric.
4. MITIGATIONS Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk: Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required. Use within a LAN and block access from untrusted networks and hosts through firewalls. Use IP filter function to block access from untrusted hosts. For details on the IP filter function, refer to the “12.1 IP Filter Function” in the MELSEC iQ-F FX5 User’s Manual (Ethernet Communication) manual. Restrict physical access to the affected products and the LAN that is connected by them. For additional information refer to Mitsubishi Electric’s security bulletin 2023-014_en. CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY November 2, 2023: Initial Publication