CVE-2024-0802 Overview
CVE-2024-0802 is an Incorrect Pointer Scaling vulnerability affecting Mitsubishi Electric Corporation MELSEC-Q Series and MELSEC-L Series CPU modules. This vulnerability allows a remote unauthenticated attacker to read arbitrary information from a target product or execute malicious code on a target product by sending a specially crafted packet.
Critical Impact
This vulnerability enables remote code execution and arbitrary memory read capabilities without authentication, posing severe risks to Industrial Control Systems (ICS) and critical infrastructure environments utilizing affected Mitsubishi Electric programmable logic controllers.
Affected Products
- Mitsubishi Electric Corporation MELSEC-Q Series CPU modules
- Mitsubishi Electric Corporation MELSEC-L Series CPU modules
Discovery Timeline
- March 15, 2024 - CVE-2024-0802 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2024-0802
Vulnerability Analysis
This vulnerability stems from CWE-468: Incorrect Pointer Scaling, a class of memory corruption vulnerability in which pointer arithmetic is scaled incorrectly, so the computed address refers to unintended memory. In the context of MELSEC-Q and MELSEC-L Series CPU modules, this flaw enables attackers to manipulate memory addresses beyond intended boundaries.
The vulnerability is particularly dangerous in industrial control system (ICS) environments because these CPU modules are commonly deployed in manufacturing, utilities, and critical infrastructure sectors. Successful exploitation requires no authentication, making any network-accessible device an immediate target. An attacker can leverage this vulnerability to either extract sensitive operational data through arbitrary memory reads or achieve code execution to take control of the industrial process.
Root Cause
The root cause of CVE-2024-0802 lies in incorrect pointer scaling within the affected CPU modules' firmware. When processing specially crafted network packets, the modules perform pointer arithmetic operations without proper validation. The pointer scaling error occurs when the size of the data type being pointed to is not correctly accounted for during address calculations. This results in accessing memory locations that fall outside the intended buffer boundaries, enabling both information disclosure and potential code execution scenarios.
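The general CWE-468 pattern described above, as an added illustration (it is not Mitsubishi Electric firmware code and is not taken from the advisories): a bounds-checked index is scaled twice, so a request that passes validation still reads adjacent memory. The 64-word array, the 32-word readable window, the marker values and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define READABLE_WORDS 32u     /* hypothetical window a request may read */
#define TOTAL_WORDS    64u     /* window plus adjacent internal state */
#define INTERNAL_MARK  0xA5A5u /* constructed marker for internal words */
#define REJECTED       0xFFFFu /* returned when the index is refused */

static uint16_t mem[TOTAL_WORDS];

static void mem_init(void)
{
    for (size_t i = 0; i < TOTAL_WORDS; i++)
        mem[i] = (i < READABLE_WORDS) ? (uint16_t)i : (uint16_t)INTERNAL_MARK;
}

/* Vulnerable: the index is bounds-checked, but it is then multiplied by
 * sizeof(uint16_t) before being added to a uint16_t pointer. Pointer
 * arithmetic already scales by the element size, so the index is scaled
 * twice and the valid indexes 16..31 land in the internal region. */
uint16_t read_word_vulnerable(size_t index)
{
    mem_init();
    if (index >= READABLE_WORDS)
        return REJECTED;
    const uint16_t *p = mem + index * sizeof(uint16_t);   /* CWE-468 */
    return *p;
}

/* Hardened: same check, plain element indexing, scaling left to the compiler. */
uint16_t read_word_fixed(size_t index)
{
    mem_init();
    if (index >= READABLE_WORDS)
        return REJECTED;
    return mem[index];
}

int main(void)
{
    for (size_t i = 14; i < 18; i++)
        printf("index %zu: vulnerable=0x%04X fixed=0x%04X\n", i,
               (unsigned)read_word_vulnerable(i), (unsigned)read_word_fixed(i));
    return 0;
}
```

The bounds check is identical in both functions; only the address calculation differs, which is why this class of bug survives reviews that look only for a missing range check.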
Attack Vector
The attack vector for CVE-2024-0802 is network-based. An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted packets to the affected MELSEC CPU modules over the network. The attack does not require any user interaction, making it particularly dangerous for internet-exposed or inadequately segmented industrial networks.
The exploitation process involves:
- Identifying a network-accessible MELSEC-Q or MELSEC-L Series CPU module
- Crafting a malicious packet designed to trigger the incorrect pointer scaling
- Sending the packet to the target device to either read arbitrary memory contents or inject and execute malicious code
For detailed technical information regarding the vulnerability mechanics, refer to the CISA ICS Advisory ICSA-24-074-14 and the Mitsubishi Electric Security Advisory.
Detection Methods for CVE-2024-0802
Indicators of Compromise
- Anomalous network traffic patterns targeting MELSEC CPU modules on industrial networks
- Unexpected memory access errors or crashes on MELSEC-Q/L Series devices
- Unusual outbound data transfers from PLCs to unknown destinations
- Log entries indicating malformed packet processing on affected devices
Detection Strategies
- Deploy network intrusion detection systems (IDS) with signatures specific to MELSEC protocol anomalies
- Implement deep packet inspection for traffic destined to industrial control system networks
- Monitor for unusual packet sizes or malformed requests targeting MELSEC CPU communication ports
- Establish baseline network behavior profiles for MELSEC devices and alert on deviations
Monitoring Recommendations
- Enable comprehensive logging on network devices segmenting ICS environments
- Implement real-time monitoring of all network traffic to and from MELSEC CPU modules
- Configure SIEM systems to correlate events across OT and IT network boundaries
- Regularly audit network access logs for connections from unauthorized IP addresses
How to Mitigate CVE-2024-0802
Immediate Actions Required
- Isolate affected MELSEC-Q and MELSEC-L Series CPU modules from untrusted networks immediately
- Implement strict network segmentation between IT and OT environments
- Apply access control lists (ACLs) to limit connections to affected devices to authorized systems only
- Review and validate all firmware versions against the vendor security advisory
Patch Information
Mitsubishi Electric has published a security advisory addressing this vulnerability. Organizations should consult the Mitsubishi Electric Vulnerability Advisory PDF for specific firmware update information and patch availability for affected product models. Additionally, refer to the CISA ICS Advisory ICSA-24-074-14 for comprehensive mitigation guidance.
Workarounds
- Place affected devices behind firewalls and restrict network access to only essential personnel and systems
- Disable remote access capabilities when not operationally required
- Use VPN connections for any necessary remote access to industrial control networks
- Implement application-layer firewalls capable of inspecting and filtering MELSEC-specific protocols
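# Example network segmentation firewall rule (iptables)
# Restrict access to MELSEC devices to authorized management subnet only
# Rules go in the FORWARD chain: on a firewall routing between subnets,
# traffic to the PLC subnet is forwarded and never traverses INPUT
iptables -A FORWARD -s 192.168.100.0/24 -d 10.0.50.0/24 -p tcp --dport 5007 -j ACCEPT
iptables -A FORWARD -d 10.0.50.0/24 -p tcp --dport 5007 -j DROP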
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


