Unrated severity · NVD Advisory · Published Mar 16, 2020 · Updated Aug 4, 2024

CVE-2020-5545

Description

A TCP function in Mitsubishi Electric MELQIC IU1 series firmware allows remote attackers to bypass access control and stop network functions or execute malware.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability is an improper access control flaw (CWE-284) in the TCP function of the firmware for the Mitsubishi Electric MELQIC IU1 series, specifically IU1-1M20-D firmware version 1.0.7 and earlier [1]. The flaw resides in the TCP/IP stack and is triggered when the device receives a specially crafted packet.

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted packet to the affected device over the network. No authentication is required: the attacker can be remote, and the TCP function processes the packet without proper access control checks [1].

Impact

Successful exploitation allows the attacker to bypass access restrictions, potentially stopping the network functions of the device or executing malware on the device [1]. This could lead to denial of service or arbitrary code execution, compromising the device's integrity and availability.

Mitigation

The vendor has fixed this vulnerability in firmware version 1.08 or later. Users must update the firmware using IU Configuration Tool version 1.04 or later [1]. As a workaround, using a firewall to restrict network access from untrusted networks and hosts may mitigate the risk [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2

News mentions

0

No linked articles in our index yet.