Severity: HIGH
Description: Mitsubishi Electric Q03/04/06/13/26UDVCPU: serial number 20081 and prior, Q04/06/13/26UDPVCPU: serial number 20081 and prior, and Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU: serial number 20101 and prior. A remote attacker can send specific bytes over Port 5007 that will result in an Ethernet stack crash and disruption to USB communication.
CVSS Score: 7.5
1. Risk Assessment
The vulnerability CVE-2019-6535 affects Mitsubishi Electric MELSEC-Q Series PLCs: the Q03/04/06/13/26UDVCPU and Q04/06/13/26UDPVCPU models with serial number 20081 and prior, and the Q03UDECPU and Q04/06/10/13/20/26/50/100UDEHCPU models with serial number 20101 and prior. The vulnerability is a remotely triggerable Ethernet stack crash caused by specific bytes sent to Port 5007, which also disrupts USB communication. The base score of 7.5 (HIGH) indicates a significant risk. The likelihood of exploitation is moderate: it requires network access to Port 5007, but no authentication, so the attack is easy to carry out once that access exists. The primary impact is to availability; the Ethernet stack crash disrupts PLC operation and can halt automated processes. Confidentiality and integrity are not directly affected, but operational disruption can cascade into broader impacts. In industrial control system (ICS) environments this could mean production line stoppages, process control issues, or safety system impacts, depending on the PLC's role. The EPSS score of 0.014910000 suggests a relatively low, but real, probability of exploitation in the wild.
2. Potential Attack Scenarios
A potential attack scenario involves a remote attacker with network connectivity to the affected Mitsubishi Electric PLC. The attacker, located on the same network segment or with routable access to the PLC's IP address, sends a packet containing the specific bytes to Port 5007. The packet triggers the weakness in the Ethernet stack and crashes it. The crash then disrupts USB communication, potentially affecting connected devices such as HMIs (Human Machine Interfaces) or other peripheral equipment. If the PLC controls a critical process, the disruption could cause a production line stoppage or, in more severe cases, a process upset. The attacker does not need authentication or any specific privileges to trigger the crash; a single network packet is sufficient. This makes the vulnerability suitable for denial-of-service attacks, or as a precursor to more complex attacks if the crash provides an opening for further exploitation.
3. Mitigation Recommendations
The primary mitigation is to upgrade the firmware on the affected Mitsubishi Electric PLCs to a version that addresses the vulnerability. Mitsubishi Electric has released new firmware versions to resolve this issue; contact a local Mitsubishi Electric representative (https://us.mitsubishielectric.com/fa/en/about-us/distributors) to obtain the latest firmware for your specific PLC model. As an immediate compensating control, operate the affected device behind a firewall to limit exposure to external networks. Network segmentation and access control lists (ACLs) can further restrict traffic to Port 5007 to trusted sources only, such as engineering workstations and HMIs that legitimately communicate with the PLC. Monitor network traffic for unusual activity targeting Port 5007, in particular connections from hosts outside that trusted set. Consider deploying intrusion detection/prevention systems (IDS/IPS) with signatures that identify and block malicious packets targeting the vulnerability. Regular vulnerability scanning of the ICS network can help identify other potentially vulnerable devices.
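The monitoring recommendation above can be turned into a simple check over flow or firewall logs. The following added example is not part of the original advisory or of any Mitsubishi Electric tooling: it parses constructed, key=value style flow records, flags any connection to Port 5007 on a PLC address that does not originate from an allowlisted engineering subnet, and summarizes repeat offenders so a burst of attempts stands out. The PLC address, the trusted subnet and the log format are all assumptions chosen for the example; the same logic can be pointed at your own firewall export or NetFlow collector.

```python
"""Flag connections to MELSEC-Q Port 5007 from hosts outside an allowlist.

Added example for CVE-2019-6535 monitoring; addresses, subnets and the
flow-record format below are constructed for illustration only.
"""
import ipaddress
import re
from collections import Counter

MELSEC_PORT = 5007  # the port named in the advisory

# Hypothetical trusted sources: the engineering/HMI subnet that may talk to the PLC.
TRUSTED_SOURCES = [ipaddress.ip_network("10.10.20.0/24")]

# Hypothetical address of the affected MELSEC-Q PLC.
PLC_HOSTS = {"10.10.30.5"}

# Constructed sample flow records (not real captures). One record per line.
SAMPLE_FLOWS = """\
ts=2024-01-01T08:00:01Z src=10.10.20.15 dst=10.10.30.5 proto=tcp dport=5007
ts=2024-01-01T08:00:02Z src=10.10.20.15 dst=10.10.30.5 proto=tcp dport=502
ts=2024-01-01T08:00:05Z src=192.168.1.77 dst=10.10.30.5 proto=tcp dport=5007
ts=2024-01-01T08:00:06Z src=192.168.1.77 dst=10.10.30.5 proto=udp dport=5007
ts=2024-01-01T08:00:07Z src=192.168.1.77 dst=10.10.30.5 proto=tcp dport=5007
ts=2024-01-01T08:00:09Z src=10.10.40.9 dst=10.10.30.5 proto=tcp dport=5007
ts=2024-01-01T08:00:10Z src=10.10.40.9 dst=10.10.99.1 proto=tcp dport=5007
"""

FLOW_RE = re.compile(r"ts=(\S+) src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")


def parse_flow(line):
    """Parse one key=value flow record; return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, dport = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "dport": int(dport)}


def is_trusted(src, trusted=None):
    """True if the source address falls inside any allowlisted network."""
    nets = TRUSTED_SOURCES if trusted is None else trusted
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def find_untrusted_plc_access(log_text, plc_hosts=PLC_HOSTS, trusted=None):
    """Return every flow that reaches Port 5007 on a PLC from a non-allowlisted host."""
    findings = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # skip unparseable lines rather than failing the whole run
        if flow["dst"] not in plc_hosts or flow["dport"] != MELSEC_PORT:
            continue  # only traffic to the vulnerable service on a PLC matters here
        if is_trusted(flow["src"], trusted):
            continue  # expected engineering/HMI traffic
        findings.append(flow)
    return findings


def summarize_by_source(findings, burst_threshold=3):
    """Count findings per source; mark sources at or above the burst threshold."""
    counts = Counter(f["src"] for f in findings)
    return {
        src: {"attempts": n, "burst": n >= burst_threshold}
        for src, n in counts.items()
    }


if __name__ == "__main__":
    hits = find_untrusted_plc_access(SAMPLE_FLOWS)
    for flow in hits:
        print(f"{flow['ts']} untrusted {flow['proto']} to {flow['dst']}:{flow['dport']} from {flow['src']}")
    for src, info in summarize_by_source(hits).items():
        flag = "BURST" if info["burst"] else "single"
        print(f"{src}: {info['attempts']} attempt(s) [{flag}]")
```

Traffic from the allowlisted workstation and traffic to other ports or other hosts is ignored, so the output is limited to what the ACL should already be blocking; a non-empty result is therefore also a check that the ACL is in place and effective.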
4. Executive Summary
Mitsubishi Electric MELSEC-Q Series PLCs are vulnerable to a remote Ethernet stack crash (CVE-2019-6535) that can disrupt USB communication and potentially halt automated industrial processes. An attacker can easily send a specially crafted packet to Port 5007, causing the PLC to crash. While the vulnerability doesn’t directly compromise the data the PLC controls, the resulting downtime can have significant business impacts, including production losses and potential process disruptions. The recommended action is to upgrade the PLC firmware to the latest version as soon as possible. Additionally, operating the PLC behind a firewall provides an immediate layer of protection. Addressing this vulnerability is critical to maintaining reliable and efficient operations, and preventing costly downtime in our industrial control systems environment. Prompt patching and implementation of compensating controls will minimize the risk of disruption.