Description Preview
A vulnerability exists in Mitsubishi Electric MELSEC iQ-R series Safety CPU and SIL2 Process CPU modules where sensitive information is transmitted in cleartext. This affects Safety CPU R08/16/32/120SFCPU with firmware versions "26" and prior, and SIL2 Process CPU R08/16/32/120PSFCPU with firmware versions "11" and prior. The vulnerability allows remote unauthenticated attackers to obtain login credentials (excluding passwords) that could be used to access the target CPU module.
Overview
The vulnerability (CVE-2021-20599) involves the cleartext transmission of sensitive authentication information in Mitsubishi Electric's industrial control system CPU modules. When credentials are transmitted without encryption, they can be intercepted by attackers monitoring network traffic. This vulnerability specifically affects the MELSEC iQ-R series Safety CPU and SIL2 Process CPU modules, which are commonly used in critical industrial control systems and safety applications. The exposure of credentials could potentially lead to unauthorized access to these critical systems, compromising industrial operations and safety mechanisms.
Remediation
Users of affected Mitsubishi Electric MELSEC iQ-R series CPU modules should:
- Update firmware to versions newer than "26" for Safety CPU R08/16/32/120SFCPU models and newer than "11" for SIL2 Process CPU R08/16/32/120PSFCPU models
- Implement network segmentation to isolate control systems from other networks
- Use VPNs or other secure connection methods when remote access is required
- Monitor network traffic for suspicious activities
- Follow the specific mitigation guidance provided in Mitsubishi Electric's security advisory (2021-011)
- Apply the principle of least privilege for all system access
- Contact Mitsubishi Electric technical support for additional assistance if needed
References
- Mitsubishi Electric Security Advisory: https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-011_en.pdf
- CISA ICS Advisory (ICSA-21-287-03): https://www.cisa.gov/uscert/ics/advisories/icsa-21-287-03
- Japan Vulnerability Notes: https://jvn.jp/vu/JVNVU98578731
Industry ExposureMost to leastThis section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- Accommodation & Food ServicesAccommodation & Food Services
- Administrative, Support, Waste Management & Remediation ServicesAdministrative, Support, Waste Management & Remediation Services
- Agriculture, Forestry Fishing & HuntingAgriculture, Forestry Fishing & Hunting
- Arts, Entertainment & RecreationArts, Entertainment & Recreation
- ConstructionConstruction
- Educational ServicesEducational Services
- Finance and InsuranceFinance and Insurance
- Health Care & Social AssistanceHealth Care & Social Assistance
- InformationInformation
- Management of Companies & EnterprisesManagement of Companies & Enterprises
- ManufacturingManufacturing
- MiningMining
- Other Services (except Public Administration)Other Services (except Public Administration)
- Professional, Scientific, & Technical ServicesProfessional, Scientific, & Technical Services
- Public AdministrationPublic Administration
- Real Estate Rental & LeasingReal Estate Rental & Leasing
- Retail TradeRetail Trade
- Transportation & WarehousingTransportation & Warehousing
- UtilitiesUtilities
- Wholesale TradeWholesale Trade
