This updated advisory is a follow-up to the advisory titled ICSA-22-172-01 Mitsubishi Electric MELSEC Q and L Series that was published June 21, 2022, to the ICS webpage on cisa.gov/ics.
Successful exploitation of this vulnerability could result in a denial-of-service condition for Ethernet communication. A system restart would be required to restore functionality.
The following products are affected:
- R12CCPU-V: Firmware Version 16 and prior
- Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU: Versions with the first 5 digits of serial No. 24061 and prior
- Q03/04/06/13/26UDVCPU: Versions with the first 5 digits of serial No. 24051 and prior
- Q04/06/13/26UDPVCPU: Versions with the first 5 digits of serial No. 24051 and prior
- L02/06/26CPU(-P), L26CPU-(P)BT: Versions with the first 5 digits of serial No. 24051 and prior
- MI5122-VW: Firmware Version 05 and prior
The affected product is vulnerable to improper resource locking, which is triggered when an attacker sends a specially crafted packet to the target system. The system must be fully reset to recover.
CVE-2022-24946 has been assigned to this vulnerability.
Mitsubishi Electric reports that additional fixes for more hardware versions are coming in the near future. Mitsubishi’s recommendations for mitigating the risk of this vulnerability match those of CISA.
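The affected-product list above can be checked against an asset inventory. The following is an added example, not part of the original advisory or any Mitsubishi Electric tooling. It expands the advisory's model shorthand into full model names and compares each device's serial prefix or firmware version with the listed limits; the inventory records, field names and function names are constructed for illustration.

```python
import re

# Affected ranges as listed in this advisory: (model shorthand, field, highest affected value).
ADVISORY = [
    ("R12CCPU-V", "firmware", 16),
    ("Q03UDECPU", "serial", 24061),
    ("Q04/06/10/13/20/26/50/100UDEHCPU", "serial", 24061),
    ("Q03/04/06/13/26UDVCPU", "serial", 24051),
    ("Q04/06/13/26UDPVCPU", "serial", 24051),
    ("L02/06/26CPU(-P)", "serial", 24051),
    ("L26CPU-(P)BT", "serial", 24051),
    ("MI5122-VW", "firmware", 5),
]

def expand(shorthand):
    """Expand advisory shorthand ('Q03/04UDVCPU', 'L26CPU-(P)BT') into full model names."""
    m = re.search(r"\(([^)]*)\)", shorthand)
    if m:  # parenthesised part is optional: emit the name without and with it
        head, tail = shorthand[:m.start()], shorthand[m.end():]
        return expand(head + tail) | expand(head + m.group(1) + tail)
    m = re.match(r"([A-Z])(\d+(?:/\d+)+)(.*)$", shorthand)
    if m:  # slash-separated numbers share the series letter and the suffix
        return {m.group(1) + n + m.group(3) for n in m.group(2).split("/")}
    return {shorthand}

RULES = {model: (field, limit) for sh, field, limit in ADVISORY for model in expand(sh)}

def is_affected(model, serial="", firmware=""):
    """True/False for a listed model, None if unlisted or unparseable.
    Assumption: 'and prior' is read as a numeric <= on the leading digits."""
    rule = RULES.get(model.strip().upper())
    if rule is None:
        return None
    field, limit = rule
    raw = str(serial if field == "serial" else firmware).strip()
    m = re.match(r"\d{5}" if field == "serial" else r"\d+$", raw)
    return None if m is None else int(m.group()) <= limit

# Constructed sample inventory (not real devices).
INVENTORY = [
    {"asset": "line1-plc", "model": "Q13UDEHCPU", "serial": "240610000000000"},
    {"asset": "line2-plc", "model": "L26CPU-PBT", "serial": "240520000000000"},
    {"asset": "hmi-gw", "model": "MI5122-VW", "firmware": "05"},
    {"asset": "other", "model": "FX5U-32M", "serial": "240110000000000"},
]

def audit(inventory):
    """Return asset names whose model and version fall inside the advisory's ranges."""
    return [d["asset"] for d in inventory
            if is_affected(d["model"], d.get("serial", ""), d.get("firmware", ""))]
```

A `None` result means the model is not listed in this revision of the advisory or the version field could not be parsed; it is not a statement that the device is unaffected.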