Denial of Service (DoS) vulnerability found in Mitsubishi PLCs

• The vulnerability has impacted Mitsubishi Electric MELSEC-Q series PLCs, specifically QJ71E71-100 Ethernet interface module version 20121 and prior.
• Mitsubishi Electric has patched the vulnerability in the latest version v20122.

Researchers from Nozomi Networks uncovered a Denial-of-Service (DoS) vulnerability in some programmable logic controllers (PLCs) developed by Mitsubishi Electric. This vulnerability tracked as (CVE-2019-10977) has been given a “high severity” rating with a CVSS score of 7.5.

What is the impact?

The vulnerability has impacted Mitsubishi Electric MELSEC-Q series PLCs, specifically QJ71E71-100 Ethernet interface module version 20121 and prior.

• The vulnerability could be exploited remotely by sending specially crafted TCP packets to the target’s FTP service.
• Once exploited, the vulnerability could allow an attacker to put the PLC’s state in fault mode, requiring a cold restart for recovering the system.
• Attackers could execute privilege escalation or arbitrary code execution in the context of the affected system.

What is the response?

Mitsubishi Electric has patched the vulnerability in the latest QJ71E71-100 Ethernet module version v20122. In addition, organizations can implement a series of mitigations recommended by the DHS's National Cybersecurity and Communications Integration Center (NCCIC).

Mitigations

NCCIC has given a few mitigations to stay protected from such vulnerabilities.

• NCCIC has recommended limiting the network exposure for all control system devices.
• It suggests organizations to ensure that control system devices are not publicly accessible from the Internet.
• It further requests organizations to isolate the control systems from the business network and safeguard them behind firewalls.

“When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may also have vulnerabilities and should be updated to the most current versions available. Also recognize that VPN is only as secure as the connected devices,” NCCIC said in an advisory.