CVE-2020-5547

Vulnerability

A resource management errors vulnerability (CWE-399) exists in the TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D devices running firmware version 1.0.7 and earlier [1]. The vulnerability allows an attacker to send a specially crafted packet that triggers improper resource handling, potentially leading to a denial of service or arbitrary code execution.

Exploitation

An attacker in a position to send network packets to the vulnerable device can exploit this vulnerability without authentication [1]. The crafted packet must be delivered over the network to the affected TCP function, causing the resource management error.

Impact

Successful exploitation can stop the network functions of the product, leading to a denial of service, or allow the execution of malware [1]. This could result in full compromise of the device's operation.

Mitigation

The developer has released firmware version 1.08 or later, which addresses this vulnerability. Upgrading requires IU Configuration Tool version 1.04 or later [1]. As a workaround, restricting network access from untrusted networks and hosts via a firewall may reduce risk [1].