PT-2020-18621 · Mitsubishi · Melsec Iq-R Series
Published: 2020-10-30 · Updated: 2020-11-10
CVE-2020-5654
CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Name of the Vulnerable Software and Affected Versions
MELSEC iQ-R series versions with the following modules and serial numbers:
RJ71EIP91 EtherNet/IP Network Interface Module with serial number starting '02' or before
RJ71PN92 PROFINET IO Controller Module with serial number starting '01' or before
RD81DL96 High Speed Data Logger Module with serial number starting '08' or before
RD81MES96N MES Interface Module with serial number starting '04' or before
RD81OPC96 OPC UA Server Module with serial number starting '04' or before
Description
A session fixation issue in the TCP/IP function of the MELSEC iQ-R series firmware allows a remote unauthenticated attacker to stop the network functions of the products by sending a specially crafted packet.
Recommendations
For RJ71EIP91 EtherNet/IP Network Interface Module with serial number starting '02' or before, consider disabling the TCP/IP function until a patch is available.
For RJ71PN92 PROFINET IO Controller Module with serial number starting '01' or before, restrict access to the network functions to minimize the risk of exploitation.
For RD81DL96 High Speed Data Logger Module with serial number starting '08' or before, avoid using the affected module in critical network operations until the issue is resolved.
For RD81MES96N MES Interface Module with serial number starting '04' or before, consider implementing additional security measures to prevent unauthorized access to the module.
For RD81OPC96 OPC UA Server Module with serial number starting '04' or before, restrict access to the OPC UA server to minimize the risk of exploitation.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration
Session Fixation
Related Identifiers
Affected Products
Melsec Iq-R Series