Thursday, October 29, 2020

2 Advisories and 2 Updates Published – 10-29-20

Today the CISA NCCIC-ICS published two control system security advisories for products from Mitsubishi. They also updated two advisories for products from WECON and Mitsubishi.

MELSEC iQ-R Advisory

This advisory describes six vulnerabilities in the TCP/IP stack of the Mitsubishi MELSEC iQ-R Series EtherNet/IP Network Interface Module. The vulnerabilities are self-reported. The Mitsubishi advisory reports that they have new versions that mitigate the vulnerabilities.

The six reported vulnerabilities are:

• Improper restriction of operations within the bounds of a memory buffer - CVE-2020-5653,

• Session fixation - CVE-2020-5654,

• Null pointer dereference - CVE-2020-5655,

• Improper access control - CVE-2020-5656,

• Argument injection ­- CVE-2020-5657, and

• Resource management errors - CVE-2020-5658

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to  result in network functions entering a denial-of-service condition or allow malware execution.

MELSEC iQ-R, Q and L Advisory

This advisory describes an uncontrolled resource consumption vulnerability in the Mitsubishi MELSEC iQ-R, Q and L Series CPU modules. The vulnerability is self-reported. The Mitsubishi advisory reports that they have new firmware versions that mitigate the vulnerability in some of the affected products.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition in the Ethernet port on the CPU module.

WECON Update

This update provides additional information on an advisory that was originally published on August 25, 2020 and most recently updated on October 20th, 2020. The new information includes adding Tran Van Khang - khangkito of VinCSS to the list of researchers involved in reporting the vulnerabilities.

Mitsubishi Update

This update provides additional information on an advisory that was originally reported on October 8th, 2020. The new information includes updated version and mitigation information for the following modules:

• R00/01/02CPU,

• R04/08/16/32/120CPU,

• R04/08/16/32/120ENCPU, and

• R08/16/32/120SFCPU

Posted by at
Labels: , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)
 
/* Use this with templates/template-twocol.html */