Mitsubishi Electric MELSEC-F Series Null Pointer Dereference (CVE-2021-20596)

high Tenable OT Security Plugin ID 500538

Synopsis

The remote OT asset is affected by a vulnerability.

Description

NULL Pointer Dereference in MELSEC-F Series FX3U-ENET firmware version 1.14 and prior, FX3U-ENET-L firmware version 1.14 and prior and FX3U-ENET-P502 firmware version 1.14 and prior allows a remote unauthenticated attacker to cause a DoS condition in communication by sending specially crafted packets. Control by MELSEC-F series PLC is not affected and system reset is required for recovery.

This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Mitsubishi Electric Corporation recommends using the newest version of firmware possible. The fixed products and versions are as follows:

- FX3U-ENET:Firmware Version 1.16 or later
- FX3U-ENET-L:Firmware Version 1.16 or later
- FX3U-ENET-P502:Firmware Version 1.16 or later

To minimize the risk of exploiting this vulnerability, Mitsubishi Electric Corporation recommends users take the following mitigations:

- Use a firewall or virtual private network (VPN), etc., to prevent unauthorized access when Internet access is required.
- Use within a LAN and block access from untrusted networks and hosts through firewalls.

Please refer to the Mitsubishi Electric advisory for further details.

See Also

http://www.nessus.org/u?e12e9fa6

https://jvn.jp/vu/JVNVU94348759/index.html

https://us-cert.cisa.gov/ics/advisories/icsa-21-201-01

Plugin Details

Severity: High

ID: 500538

Version: 1.10

Type: remote

Family: Tenable.ot

Published: 2/7/2022

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2021-20596

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:mitsubishielectric:fx3u-enet-l_firmware, cpe:/o:mitsubishielectric:fx3u-enet_firmware, cpe:/o:mitsubishielectric:fx3u-enet-p502_firmware

Required KB Items: Tenable.ot/Mitsubishi

Exploit Ease: No known exploits are available

Patch Publication Date: 7/22/2021

Vulnerability Publication Date: 7/22/2021

Reference Information

CVE: CVE-2021-20596

CWE: 476

ICSA: 21-201-01