CVE-2020-5652

02.11.2020, 21:15

Uncontrolled resource consumption vulnerability in Ethernet Port on MELSEC iQ-R, Q and L series CPU modules (R 00/01/02 CPU firmware versions '20' and earlier, R 04/08/16/32/120 (EN) CPU firmware versions '52' and earlier, R 08/16/32/120 SFCPU firmware versions '22' and earlier, R 08/16/32/120 PCPU all versions, R 08/16/32/120 PSFCPU all versions, R 16/32/64 MTCPU all versions, Q03 UDECPU, Q 04/06/10/13/20/26/50/100 UDEHCPU serial number '22081' and earlier , Q 03/04/06/13/26 UDVCPU serial number '22031' and earlier, Q 04/06/13/26 UDPVCPU serial number '22031' and earlier, Q 172/173 DCPU all versions, Q 172/173 DSCPU all versions, Q 170 MCPU all versions, Q 170 MSCPU all versions, L 02/06/26 CPU (-P) and L 26 CPU - (P) BT all versions) allows a remote unauthenticated attacker to stop the Ethernet communication functions of the products via a specially crafted packet, which may lead to a denial of service (DoS) condition .

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
jpcert	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 42%

Vendor	Product	Version
mitsubishielectric	melsec_iq-r08pcpu_firmware	-
mitsubishielectric	melsec_iq-r08psfcpu_firmware	-
mitsubishielectric	melsec_iq-r120pcpu_firmware	-
mitsubishielectric	melsec_iq-r120psfcpu_firmware	-
mitsubishielectric	melsec_iq-r16mtcpu_firmware	-
mitsubishielectric	melsec_iq-r16pcpu_firmware	-
mitsubishielectric	melsec_iq-r16psfcpu_firmware	-
mitsubishielectric	melsec_iq-r32mtcpu_firmware	-
mitsubishielectric	melsec_iq-r32pcpu_firmware	-
mitsubishielectric	melsec_iq-r32psfcpu_firmware	-
mitsubishielectric	melsec_iq-r64mtcpu_firmware	-
mitsubishielectric	melsec_l02cpu-p_firmware	-
mitsubishielectric	melsec_l06cpu-p_firmware	-
mitsubishielectric	melsec_l26cpu-p_firmware	-
mitsubishielectric	melsec_l26cpu-pbt_firmware	-
mitsubishielectric	melsec_q-q170mcpu_firmware	-
mitsubishielectric	melsec_q-q170mscpu-s1_firmware	-
mitsubishielectric	melsec_q-q172dcpu-s1_firmware	-
mitsubishielectric	melsec_q-q172dscpu_firmware	-
mitsubishielectric	melsec_q-q173dcpu-s1_firmware	-
mitsubishielectric	melsec_q-q173dscpu_firmware	-
mitsubishielectric	melsec_q-qmr-mq100_firmware	-

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-400 - Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References

https://jvn.jp/vu/JVNVU96558207/index.html

https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-013.pdf

https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-013_en.pdf

https://jvn.jp/vu/JVNVU96558207/index.html

https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-013.pdf

https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-013_en.pdf