SCADAfence Blog

DoS Vulnerability in Mitsubishi Electric MELSEC iQ-R Series

Written by Ofer Shaked | Oct 12, 2020 5:17:45 PM

Our Researchers Discover Another Vulnerability 

As part of our mission to secure the world’s OT, IoT and Cyber Physical infrastructures, we invest resources into offensive research of vulnerabilities and attack techniques.

CVE-2020-16850 (US ICS-CERT) is a CVSS 8.6 remote CPU DoS vulnerability in Mitsubishi Electric iQ-R Series that has been discovered by SCADAfence researcher Yossi Reuven.
Mitsubishi Electric is one of the world’s leading electronics and electrical equipment manufacturing companies, and is in use by many of our customers. We have been working with Mitsubishi Electric for the last few months in handling multiple vulnerabilities, and on October 8th, Mitsubishi Electric published an official security advisory reporting this vulnerability and its mitigations.

 

About The Vulnerability - CVE-2020-16850

MELSEC iQ-R Series is Mitsubishi Electric flagship product line - designed for high productivity automation systems. iQ-R CPUs’ communication with GX Works 3 (Engineering software package) is done via Mitsubishi Electric proprietary protocol MELSOFT (which works on both TCP and UDP). 

A single specially crafted packet sent by an attacker over the MELSOFT UDP protocol on port 5006 will cause a denial-of-service (DoS) vulnerability due to uncontrolled resource consumption (CWE-400). The PLC’s CPU will get into fault mode, causing a hardware failure (error code: 0x3C00 - hardware failure). The PLC then becomes unresponsive and requires a manual restart to recover.

 

What SCADAfence Recommends Vendors To Do

Perform an Industrial Vulnerability Management Process

Please refer to our guide on this topic: https://www.scadafence.com/public-preview-a-comprehensive-guide-to-industrial-device-patching/

 

Monitor for Unauthorized Network Activity and Exploitation

Some devices will always remain unpatched. Monitoring is an early warning system that allows you to act before attackers have gained full control over your network.

 

Upgrade to the Latest Firmware (When Available)

Currently no firmware update is available (will be released soon by Mitsubishi Electric)

 

Prevent Unauthorized and Untrusted Access

- Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.

- Use within a LAN and block access from untrusted networks and hosts through firewalls.

 

Block UDP Port 5006 and Use MELSOFT TCP

MELSOFT is an engineering software for Mitsubishi PLCs and gives users the option to use either the (connectionless) UDP and (connection-oriented) TCP protocols for programming and configuring the devices. SCADAfence recommends to block Block UDP port 5006 since the cyberattack leverages the connectionless UDP protocol and can cause the PLCs to stop functioning and cause a denial of service. Instead, users should use the TCP protocol for communicating with devices in the shop floor or the control network.

 

Special Thanks & Recognition

The SCADAfence Research team would like to thank the Mitsubishi Electric team for a speedy vulnerability reporting process even during the challenging COVID-19 times.

SCADAfence is committed to continued research of offensive technologies and development of new defensive technologies.

 

Exploit PoC

We wrote a Python POC (GPLv3) script of the exploit in action.

Currently, there’s no patch available. As a result, we limit the access to the exploit to vetted individuals only. The exploit is only available for educational and legal research purposes.

 

Warning: The script will crash the PLC’s CPU - do not use it in production.

 

To get this python exploit, please send an email to christoph@scadafence.com, identify yourself and explain how you’re going to use the exploit.

We reserve the right to refuse any request.