Mitsubishi Electric MELSEC iQ-R, Q, L Series and MELIPC Series Improper Resource Locking (CVE-2022-24946)

high Tenable OT Security Plugin ID 500662

Synopsis

The remote OT asset is affected by a vulnerability.

Description

Improper Resource Locking vulnerability in Mitsubishi Electric MELSEC-Q Series Q03UDECPU all versions, Mitsubishi Electric MELSEC-Q Series Q04/06/10/13/20/26/50/100UDEHCPU all versions, Mitsubishi Electric MELSEC-Q Series Q03/04/06/13/26UDVCPU the first 5 digits of serial number 24051 and prior, Mitsubishi Electric MELSEC-Q Series Q04/06/13/26UDPVCPU the first 5 digits of serial number 24051 and prior, Mitsubishi Electric MELSEC-L series L02/06/26CPU(-P) the first 5 digits of serial number 24051 and prior and Mitsubishi Electric MELSEC-L series L26CPU-(P)BT the first 5 digits of serial number 24051 and prior allows a remote unauthenticated attacker to cause a denial of service (DoS) condition in Ethernet communications by sending specially crafted packets. A system reset of the products is required for recovery.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Mitsubishi has fixed the vulnerability in the following products:

- MELSEC CPU models
- iQ-R Series
- R12CCPU-V: Firmware Version 17 or later
- Q Aeries
- Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU: Versions with the first 5 digits of serial No. 24062 or later
- Q03/04/06/13/26UDVCPU: Versions with the first 5 digits of serial No. 24052 or later
- Q04/06/13/26UDPVCPU: Versions with the first 5 digits of serial No. 24052 or later
- L-Series
- L02/06/26CPU(-P), L26CPU-(P)BT: Versions with the first 5 digits of serial No. 24052 or later

- MELIPC Series
- MI5122-VW: Firmware Version 06 or later

Mitsubishi Electric reports that additional fixes for more hardware versions are coming in the near future. Mitsubishi’s recommendations for mitigating the risk of this vulnerability match those of CISA.

For additional information, see the Mitsubishi Electric security advisory.

Please contact Mitsubishi Electric customer support for more information on how to update specific hardware.

See Also

http://www.nessus.org/u?53bebf4a

https://jvn.jp/vu/JVNVU90895626/index.html

https://www.cisa.gov/news-events/ics-advisories/icsa-22-172-01

Plugin Details

Severity: High

ID: 500662

Version: 1.7

Type: remote

Family: Tenable.ot

Published: 7/5/2022

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2022-24946

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:mitsubishielectric:q13udpvcpu_firmware:-, cpe:/o:mitsubishielectric:q06ccpu-v_firmware:-, cpe:/o:mitsubishielectric:q100udehcpu_firmware:-, cpe:/o:mitsubishielectric:q04udpvcpu_firmware:-, cpe:/o:mitsubishielectric:l26cpu-bt_firmware:-, cpe:/o:mitsubishielectric:q06udpvcpu_firmware:-, cpe:/o:mitsubishielectric:l26cpu-%28p%29bt_firmware:-, cpe:/o:mitsubishielectric:l26cpu_firmware:-, cpe:/o:mitsubishielectric:q13udvcpu_firmware:-, cpe:/o:mitsubishielectric:q13udehcpu_firmware:-, cpe:/o:mitsubishielectric:q26udehcpu_firmware:-, cpe:/o:mitsubishielectric:l06cpu_firmware:-, cpe:/o:mitsubishielectric:l02scpu-p_firmware:-, cpe:/o:mitsubishielectric:q06phcpu_firmware:-, cpe:/o:mitsubishielectric:l26cpu-pbt_firmware:-, cpe:/o:mitsubishielectric:q26udvcpu_firmware:-, cpe:/o:mitsubishielectric:l26cpu-bt-cm_firmware:-, cpe:/o:mitsubishielectric:q10udehcpu_firmware:-, cpe:/o:mitsubishielectric:q26udpvcpu_firmware:-, cpe:/o:mitsubishielectric:q04udehcpu_firmware:-, cpe:/o:mitsubishielectric:q50udehcpu_firmware:-, cpe:/o:mitsubishielectric:l06cpu-p_firmware:-, cpe:/o:mitsubishielectric:l26cpu-p_firmware:-, cpe:/o:mitsubishielectric:l02scpu_firmware:-, cpe:/o:mitsubishielectric:q04udvcpu_firmware:-, cpe:/o:mitsubishielectric:q20udehcpu_firmware:-, cpe:/o:mitsubishielectric:q06udehcpu_firmware:-, cpe:/o:mitsubishielectric:l02cpu-p_firmware:-, cpe:/o:mitsubishielectric:q03udecpu_firmware:-, cpe:/o:mitsubishielectric:q06udvcpu_firmware:-, cpe:/o:mitsubishielectric:l02cpu_firmware:-, cpe:/o:mitsubishielectric:q26dhccpu-ls_firmware:-

Required KB Items: Tenable.ot/Mitsubishi

Exploit Ease: No known exploits are available

Patch Publication Date: 6/15/2022

Vulnerability Publication Date: 6/15/2022

Reference Information

CVE: CVE-2022-24946

CWE: 667

ICSA: 22-172-01