CVE-2021-20613

7.5 HIGH

📋 TL;DR

This vulnerability allows remote unauthenticated attackers to cause a denial-of-service condition in the communication function of affected MELSEC-F series Ethernet modules by sending specially crafted packets. The PLC control functions remain operational, but a system reset is required to restore communication. Affected systems include FX3U-ENET, FX3U-ENET-L, and FX3U-ENET-P502 modules with firmware version 1.16 or earlier.

💻 Affected Systems

Products:
  • MELSEC-F series FX3U-ENET
  • MELSEC-F series FX3U-ENET-L
  • MELSEC-F series FX3U-ENET-P502
Versions: Firmware version 1.16 and prior
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects communication functions; PLC control logic continues to operate normally during the DoS condition.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete loss of network communication to the affected Ethernet module, requiring physical access to reset the device and restore functionality, potentially disrupting industrial processes.

🟠 Likely Case: Temporary disruption of network communication to the PLC module until manual reset is performed, affecting monitoring and remote control capabilities.

🟢 If Mitigated: No impact if proper network segmentation and access controls prevent unauthorized packets from reaching the vulnerable modules.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication and affects devices that may be exposed to untrusted networks.
🏢 Internal Only: MEDIUM - While internal networks provide some protection, the unauthenticated nature means any compromised internal system could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires sending specially crafted packets but does not require authentication or complex exploitation techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware versions after 1.16

Vendor Advisory: https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-024_en.pdf

Restart Required: Yes

Instructions:

1. Download updated firmware from Mitsubishi Electric support portal.
2. Follow vendor instructions to update firmware on affected modules.
3. Perform system reset after firmware update.

🔧 Temporary Workarounds

Network Segmentation

Isolate affected devices in separate network segments with strict firewall rules to prevent unauthorized access.

Access Control Lists

Implement network ACLs to restrict traffic to only trusted sources and required protocols.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected devices from untrusted networks
  • Deploy intrusion detection/prevention systems to monitor for and block malicious packets targeting this vulnerability

🔍 How to Verify

Check if Vulnerable:

Check firmware version on affected modules via programming software or web interface. If version is 1.16 or earlier, the device is vulnerable.

Check Version:

Use Mitsubishi Electric programming software (GX Works2/3) to read module firmware version

Verify Fix Applied:

Verify firmware version is updated to a version after 1.16 and test network communication functionality.

📡 Detection & Monitoring

Log Indicators:

  • Sudden loss of network connectivity logs
  • Communication error messages in PLC logs
  • Network interface reset events

Network Indicators:

  • Unusual packet patterns targeting port 5006/UDP (MELSEC protocol)
  • Sudden cessation of expected network traffic from affected devices

SIEM Query:

source_ip=* AND dest_port=5006 AND protocol=UDP AND packet_size>threshold
