CVE-2019-13555

13.11.2019, 23:15

In Mitsubishi Electric MELSEC-Q Series Q03/04/06/13/26UDVCPU: serial number 21081 and prior, Q04/06/13/26UDPVCPU: serial number 21081 and prior, and Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU: serial number 21081 and prior, MELSEC-L Series L02/06/26CPU, L26CPU-BT: serial number 21101 and prior, L02/06/26CPU-P, L26CPU-PBT: serial number 21101 and prior, and L02/06/26CPU-CM, L26CPU-BT-CM: serial number 21101 and prior, a remote attacker can cause the FTP service to enter a denial-of-service condition dependent on the timing at which a remote attacker connects to the FTP server on the above CPU modules.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
icscert	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 58%

Vendor	Product	Version
mitsubishielectric	q03\/04\/06\/13\/26udvcpu_firmware	𝑥 ≤ 21081
mitsubishielectric	q04\/06\/13\/26udpvcpu_firmware	𝑥 ≤ 21081
mitsubishielectric	q03udecpu_firmware	𝑥 ≤ 21081
mitsubishielectric	q04\/06\/10\/13\/20\/26\/50\/100udehcpu_firmware	𝑥 ≤ 21081
mitsubishielectric	l02\/06\/26cpu_firmware	𝑥 ≤ 21101
mitsubishielectric	l26cpu-bt_firmware	𝑥 ≤ 21101
mitsubishielectric	l02\/06\/26cpu-p_firmware	𝑥 ≤ 21101
mitsubishielectric	l26cpu-pbt_firmware	𝑥 ≤ 21101
mitsubishielectric	l02\/06\/26cpu-cm_firmware	𝑥 ≤ 21101
mitsubishielectric	l26cpu-bt-cm_firmware	𝑥 ≤ 21101

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-400 - Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References

https://www.us-cert.gov/ics/advisories/icsa-19-311-01