1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Mitsubishi Electric
- Equipment: MELSEC iQ-F FX5-OPC
- Vulnerability: NULL Pointer Dereference
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a remote attacker to cause a Denial-of-Service (DoS) condition on the product by getting a legitimate user to import a specially crafted PKCS#12 format certificate.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Mitsubishi Electric products are affected:
- MELSEC iQ-F FX5-OPC: All versions
3.2 Vulnerability Overview
3.2.1 NULL POINTER DEREFERENCE CWE-476
A Denial-of-Service (DoS) vulnerability due to NULL Pointer Dereference when processing PKCS#12 format certificate exists in OpenSSL installed on MELSEC iQ-F OPC UA Unit. Because OpenSSL does not correctly check if a certain field in the PKCS#12 format certificate is NULL, a NULL pointer dereference occurs when the field is NULL, causing the product to enter a Denial-of-Service condition.
CVE-2024-0727 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Japan
3.4 RESEARCHER
Mitsubishi Electric reported this vulnerability to CISA.
4. MITIGATIONS
Mitsubishi Electric recommends users take the following mitigations to mini
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: