CVE-2020-5542

Vulnerability

A buffer error vulnerability (CWE-119) exists in the TCP/IP function of the firmware in Mitsubishi Electric MELQIC IU1 series, specifically the IU1-1M20-D model running firmware version 1.0.7 and earlier. The flaw occurs when processing specially crafted network packets, leading to a memory buffer overflow. [1]

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted packet to the affected device over the network. No authentication or user interaction is required; the attacker only needs network access to the target. [1]

Impact

Successful exploitation can cause the network functions of the device to stop (denial of service) or allow the attacker to execute arbitrary malware on the device. This compromises the availability and integrity of the system. [1]

Mitigation

Mitsubishi Electric has released a firmware update to version 1.08 or later, which must be applied using IU Configuration Tool version 1.04 or later. As a workaround, restricting network access from untrusted networks and hosts via a firewall can mitigate the risk until the update is applied. [1]