As part of our mission to secure the world’s OT, IoT and Cyber Physical infrastructures, we invest resources into offensive research of vulnerabilities and attack techniques.
CVE-2020-13238 is a remote CPU DoS vulnerability in Mitsubishi Electric iQ-R Series that has been discovered by SCADAfence researcher Yossi Reuven.
Mitsubishi Electric is one of the world’s leading electronics and electrical equipment manufacturing companies, and is in use by many of our customers. We have been working with Mitsubishi Electric for the last few months in handling this vulnerability, and on June 9th, Mitsubishi Electric published an official security advisory reporting this vulnerability and mitigations.
MELSEC iQ-R Series is Mitsubishi Electric flagship product line – design for high productivity automation systems. iQ-R CPUs’ communication with GX Works 3 (Engineering software package) is done via Mitsubishi Electric proprietary protocol MELSOFT (which works on both TCP and UDP).
When an attacker sends a short burst of specially crafted packets over the MELSOFT UDP protocol on port 5006, which causes the PLC’s CPU to get into fault mode, causing a hardware failure (error code: 0x3C00 – hardware failure). The PLC then becomes unresponsive and requires a manual restart to recover.
What SCADAfence Recommends Vendors To Do
Upgrade to the Latest Firmware
Most of Mitsubishi Electric’s iQ-R Series PLCs are not running on the firmware versions later than Version 40. In addition, automation engineers don’t usually upgrade to the latest firmware, which can lead to their PLCs being exposed to a DoS (denial of service) attack. Upgrading to the latest firmware (Version 49) can prevent this attack from happening.
Block UDP Port 5006 and Use MELSOFT TCP
MELSOFT is an engineering software for Mitsubishi PLCs and gives users the option to use either the (connectionless) UDP and (connection-oriented) TCP protocols for programming and configuring the devices. SCADAfence recommends to block Block UDP port 5006 since the cyberattack leverages the connectionless UDP protocol and can cause the PLCs to stop functioning and cause a denial of service. Instead, users should use the TCP protocol for communicating with devices in the shop floor or the control network.
Special Thanks & Recognition
The SCADAfence Research team would like to thank the Mitsubishi Electric team for a speedy vulnerability reporting process even during the challenging COVID-19 times.
SCADAfence is committed to continued research of offensive technologies and development of new defensive technologies.
We wrote a Python POC (GPLv3) script of the exploit in action. You can download it for free and use this for educational / research purposes.
Warning: The script will crash the PLC’s CPU – don’t use in production.
To get this free python script, please send an email to firstname.lastname@example.org
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.