CVE-2021-20612 - OpenCVE

Lack of administrator control over security vulnerability in MELSEC-F series FX3U-ENET Firmware version 1.14 and prior, FX3U-ENET-L Firmware version 1.14 and prior and FX3U-ENET-P502 Firmware version 1.14 and prior allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition in communication function of the product or other unspecified effects by sending specially crafted packets to an unnecessary opening of TCP port. Control by MELSEC-F series PLC is not affected by this vulnerability, but system reset is required for recovery.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

AV:N/AC:L/Au:N/C:N/I:N/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Mitsubishielectric	Fx3u-enet-p502 Fx3u-enet-l Firmware Fx3u-enet-l Fx3u-enet-p502 Firmware Fx3u-enet Fx3u-enet Firmware

Configuration 1 [-]

AND

cpe:2.3:o:mitsubishielectric:fx3u-enet_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:mitsubishielectric:fx3u-enet:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:mitsubishielectric:fx3u-enet-l_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:mitsubishielectric:fx3u-enet-l:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:mitsubishielectric:fx3u-enet-p502_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:mitsubishielectric:fx3u-enet-p502:-:*:*:*:*:*:*:*

References

Link	Resource
https://jvn.jp/vu/JVNVU93268332/index.html	Third Party Advisory VDB Entry
https://www.cisa.gov/uscert/ics/advisories/icsa-22-013-01	Third Party Advisory US Government Resource
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-023_en.pdf	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Mitsubishi

Published: 2022-01-14T19:04:45

Updated: 2022-01-14T19:04:45

Reserved: 2020-12-17T00:00:00

Link: CVE-2021-20612

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-01-14T20:15:09.850

Modified: 2023-08-08T14:21:49.707

Link: CVE-2021-20612

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "MELSEC-F series FX3U-ENET; MELSEC-F series FX3U-ENET-L; MELSEC-F series FX3U-ENET-P502", "vendor": "n/a", "versions": [{"status": "affected", "version": "Firmware version 1.14 and prior"}]}], "descriptions": [{"lang": "en", "value": "Lack of administrator control over security vulnerability in MELSEC-F series FX3U-ENET Firmware version 1.14 and prior, FX3U-ENET-L Firmware version 1.14 and prior and FX3U-ENET-P502 Firmware version 1.14 and prior allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition in communication function of the product or other unspecified effects by sending specially crafted packets to an unnecessary opening of TCP port. Control by MELSEC-F series PLC is not affected by this vulnerability, but system reset is required for recovery."}], "problemTypes": [{"descriptions": [{"description": "Lack of Administrator Control over Security", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-01-14T19:04:45", "orgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", "shortName": "Mitsubishi"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-023_en.pdf"}, {"tags": ["x_refsource_MISC"], "url": "https://jvn.jp/vu/JVNVU93268332/index.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-013-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "ID": "CVE-2021-20612", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MELSEC-F series FX3U-ENET; MELSEC-F series FX3U-ENET-L; MELSEC-F series FX3U-ENET-P502", "version": {"version_data": [{"version_value": "Firmware version 1.14 and prior"}, {"version_value": "Firmware version 1.14 and prior"}, {"version_value": "Firmware version 1.14 and prior"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Lack of administrator control over security vulnerability in MELSEC-F series FX3U-ENET Firmware version 1.14 and prior, FX3U-ENET-L Firmware version 1.14 and prior and FX3U-ENET-P502 Firmware version 1.14 and prior allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition in communication function of the product or other unspecified effects by sending specially crafted packets to an unnecessary opening of TCP port. Control by MELSEC-F series PLC is not affected by this vulnerability, but system reset is required for recovery."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Lack of Administrator Control over Security"}]}]}, "references": {"reference_data": [{"name": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-023_en.pdf", "refsource": "MISC", "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-023_en.pdf"}, {"name": "https://jvn.jp/vu/JVNVU93268332/index.html", "refsource": "MISC", "url": "https://jvn.jp/vu/JVNVU93268332/index.html"}, {"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-013-01", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-013-01"}]}}}}, "cveMetadata": {"assignerOrgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", "assignerShortName": "Mitsubishi", "cveId": "CVE-2021-20612", "datePublished": "2022-01-14T19:04:45", "dateReserved": "2020-12-17T00:00:00", "dateUpdated": "2022-01-14T19:04:45", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:mitsubishielectric:fx3u-enet_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "BF1D75C8-9E0A-4A2A-A9B6-3A944721DFC4", "versionEndIncluding": "1.14", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:mitsubishielectric:fx3u-enet:-:*:*:*:*:*:*:*", "matchCriteriaId": "5D1644E1-F748-46A3-8E09-FF5D53FD046F", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:mitsubishielectric:fx3u-enet-l_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C54E1F47-E0A3-4C49-A219-84175C7B8108", "versionEndIncluding": "1.14", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:mitsubishielectric:fx3u-enet-l:-:*:*:*:*:*:*:*", "matchCriteriaId": "C8ACC832-E1EC-46DA-A2D1-CF1A3791A885", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:mitsubishielectric:fx3u-enet-p502_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "72D73FF4-10B4-4F70-B603-27775A21B9F1", "versionEndIncluding": "1.14", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:mitsubishielectric:fx3u-enet-p502:-:*:*:*:*:*:*:*", "matchCriteriaId": "69BA96DC-C462-4286-AE0E-32D141017E7F", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Lack of administrator control over security vulnerability in MELSEC-F series FX3U-ENET Firmware version 1.14 and prior, FX3U-ENET-L Firmware version 1.14 and prior and FX3U-ENET-P502 Firmware version 1.14 and prior allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition in communication function of the product or other unspecified effects by sending specially crafted packets to an unnecessary opening of TCP port. Control by MELSEC-F series PLC is not affected by this vulnerability, but system reset is required for recovery."}, {"lang": "es", "value": "Una falta de control del administrador sobre la vulnerabilidad de seguridad en la serie MELSEC-F FX3U-ENET Firmware versi\u00f3n 1.14 y anteriores, FX3U-ENET-L Firmware versi\u00f3n 1.14 y anteriores y FX3U-ENET-P502 Firmware versi\u00f3n 1.14 y anteriores permite que un atacante remoto no autenticado cause una condici\u00f3n de denegaci\u00f3n de servicio (DoS) en la funci\u00f3n de comunicaci\u00f3n del producto u otros efectos no especificados mediante el env\u00edo de paquetes especialmente dise\u00f1ados a una apertura no necesaria del puerto TCP. El control por parte del PLC de la serie MELSEC-F no est\u00e1 afectado por esta vulnerabilidad, pero es necesario reiniciar el sistema para recuperarlo"}], "id": "CVE-2021-20612", "lastModified": "2023-08-08T14:21:49.707", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-14T20:15:09.850", "references": [{"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://jvn.jp/vu/JVNVU93268332/index.html"}, {"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-013-01"}, {"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "tags": ["Vendor Advisory"], "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-023_en.pdf"}], "sourceIdentifier": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}