Details of VAR-201510-0694

ID

VAR-201510-0694

CVE

CVE-2015-3938

TITLE

Mitsubishi Electric MELSEC FX3G PLC Device Resource Management Error Vulnerability

Trust: 1.4

sources: IVD: 7090b600-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-06525 // CNNVD: CNNVD-201510-031

DESCRIPTION

The HTTP application on Mitsubishi Electric MELSEC FX3G PLC devices before April 2015 allows remote attackers to cause a denial of service (device outage) via a long parameter. Mitsubishi Electric MELSEC FX3G PLC is a programmable logic controller (PLC) product of the MELSEC FX series from Mitsubishi Electric Corporation of Japan. Mitsubishi Melsec FX3G-24M and FX3U-ENET-ADP are prone to multiple denial-of-service vulnerabilities

Trust: 2.61

sources: NVD: CVE-2015-3938 // JVNDB: JVNDB-2015-005088 // CNVD: CNVD-2015-06525 // BID: 76885 // IVD: 7090b600-2351-11e6-abef-000c29c66e3d

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: 7090b600-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-06525

AFFECTED PRODUCTS

vendor:	mitsubishi electric	model:	melsec fx3g	scope:	eq	version:	-	Trust: 1.6
vendor:	mitsubishi electric	model:	melsec fx3g series	scope:	eq	version:	(2015 year 4 before the month )	Trust: 0.8
vendor:	mitsubishi	model:	electric europe b.v. melsec fx3g plc	scope:	-	version:	-	Trust: 0.6
vendor:	mitsubishi	model:	electric melsec fx3g-24m	scope:	eq	version:	2.10	Trust: 0.3
vendor:	mitsubishi	model:	electric melsec fx3g series plc	scope:	eq	version:	0	Trust: 0.3
vendor:	mitsubishi	model:	electric fx3u-enet-adp	scope:	eq	version:	1.20	Trust: 0.3
vendor:	melsec fx3g	model:	-	scope:	eq	version:	-	Trust: 0.2

sources: IVD: 7090b600-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-06525 // BID: 76885 // JVNDB: JVNDB-2015-005088 // CNNVD: CNNVD-201510-031 // NVD: CVE-2015-3938

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-3938
value:	HIGH
Trust: 1.0
NVD:	CVE-2015-3938
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2015-06525
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201510-031
value:	HIGH
Trust: 0.6
IVD:	7090b600-2351-11e6-abef-000c29c66e3d
value:	HIGH
Trust: 0.2

nvd@nist.gov:	CVE-2015-3938
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2015-06525
severity:	HIGH
baseScore:	7.1
vectorString:	AV:N/AC:M/AU:N/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	7090b600-2351-11e6-abef-000c29c66e3d
severity:	HIGH
baseScore:	7.1
vectorString:	AV:N/AC:M/AU:N/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

sources: IVD: 7090b600-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-06525 // JVNDB: JVNDB-2015-005088 // CNNVD: CNNVD-201510-031 // NVD: CVE-2015-3938

PROBLEMTYPE DATA

problemtype:

CWE-399

Trust: 1.8

sources: JVNDB: JVNDB-2015-005088 // NVD: CVE-2015-3938

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201510-031

TYPE

Resource management error

Trust: 0.8

sources: IVD: 7090b600-2351-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201510-031

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-005088

PATCH

title:	トップページ	url:	http://www.mitsubishielectric.co.jp/	Trust: 0.8
title:	シーケンサ MELSEC	url:	http://www.mitsubishielectric.co.jp/fa/products/cnt/plc/index.html	Trust: 0.8
title:	Mitsubishi Electric MELSEC FX3G PLC Device Resource Management Error Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/65065	Trust: 0.6

sources: CNVD: CNVD-2015-06525 // JVNDB: JVNDB-2015-005088

EXTERNAL IDS

db:	NVD	id:	CVE-2015-3938	Trust: 3.5
db:	ICS CERT	id:	ICSA-15-146-01	Trust: 3.3
db:	CNVD	id:	CNVD-2015-06525	Trust: 0.8
db:	CNNVD	id:	CNNVD-201510-031	Trust: 0.8
db:	JVNDB	id:	JVNDB-2015-005088	Trust: 0.8
db:	BID	id:	76885	Trust: 0.3
db:	IVD	id:	7090B600-2351-11E6-ABEF-000C29C66E3D	Trust: 0.2

sources: IVD: 7090b600-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-06525 // BID: 76885 // JVNDB: JVNDB-2015-005088 // CNNVD: CNNVD-201510-031 // NVD: CVE-2015-3938

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-15-146-01	Trust: 3.3
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-3938	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-3938	Trust: 0.8
url:	http://www.os-s.net/advisories/mitsubishi_fx3ge_parameter_error-engl.pdf	Trust: 0.3
url:	http://www.mitsubishi-automation.com/products/software_mx_components_content.htm	Trust: 0.3

sources: CNVD: CNVD-2015-06525 // BID: 76885 // JVNDB: JVNDB-2015-005088 // CNNVD: CNNVD-201510-031 // NVD: CVE-2015-3938

CREDITS

Ralf Spenneberg

Trust: 0.3

sources: BID: 76885

SOURCES

db:	IVD	id:	7090b600-2351-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2015-06525
db:	BID	id:	76885
db:	JVNDB	id:	JVNDB-2015-005088
db:	CNNVD	id:	CNNVD-201510-031
db:	NVD	id:	CVE-2015-3938

LAST UPDATE DATE

2025-04-12T23:27:32.620000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2015-06525	date:	2015-10-15T00:00:00
db:	BID	id:	76885	date:	2015-11-03T19:51:00
db:	JVNDB	id:	JVNDB-2015-005088	date:	2015-10-07T00:00:00
db:	CNNVD	id:	CNNVD-201510-031	date:	2015-10-09T00:00:00
db:	NVD	id:	CVE-2015-3938	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	IVD	id:	7090b600-2351-11e6-abef-000c29c66e3d	date:	2015-10-15T00:00:00
db:	CNVD	id:	CNVD-2015-06525	date:	2015-10-15T00:00:00
db:	BID	id:	76885	date:	2015-09-29T00:00:00
db:	JVNDB	id:	JVNDB-2015-005088	date:	2015-10-07T00:00:00
db:	CNNVD	id:	CNNVD-201510-031	date:	2015-10-09T00:00:00
db:	NVD	id:	CVE-2015-3938	date:	2015-10-06T01:59:07.157