CVE-2020-5656

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote unauthenticated attackers to send specially crafted packets to affected Mitsubishi Electric MELSEC iQ-R series modules, potentially stopping network functions or executing malicious programs. It affects specific serial number ranges of EtherNet/IP, PROFINET, Data Logger, MES Interface, and OPC UA Server modules. The CVSS 9.8 score indicates critical severity.

💻 Affected Systems

Products:
  • MELSEC iQ-R RJ71EIP91 EtherNet/IP Network Interface Module
  • MELSEC iQ-R RJ71PN92 PROFINET IO Controller Module
  • MELSEC iQ-R RD81DL96 High Speed Data Logger Module
  • MELSEC iQ-R RD81MES96N MES Interface Module
  • MELSEC iQ-R RD81OPC96 OPC UA Server Module
Versions: Firmware identified by the first two digits of the module serial number:
  • RJ71EIP91: '02' or before
  • RJ71PN92: '01' or before
  • RD81DL96: '08' or before
  • RD81MES96N: '04' or before
  • RD81OPC96: '04' or before
Operating Systems: Embedded firmware on industrial control modules
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in TCP/IP stack implementation. Serial number prefixes indicate manufacturing batches with vulnerable firmware.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete disruption of industrial control system operations through network function stoppage combined with arbitrary code execution, leading to physical process manipulation or sabotage.

🟠 Likely Case

Denial of service affecting industrial automation processes, potentially causing production downtime in manufacturing environments.

🟢 If Mitigated

Limited impact if modules are behind firewalls with strict network segmentation and packet filtering.

🌐 Internet-Facing: HIGH - Remote unauthenticated exploitation possible via network packets.
🏢 Internal Only: HIGH - Even internally, unauthenticated attackers on the same network segment can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - Remote unauthenticated exploitation via network packets.

Special packet crafting required but no authentication needed. Industrial control system context may limit widespread exploitation tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Updated firmware versions specified in Mitsubishi Electric advisories

Vendor Advisory: https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-012_en.pdf

Restart Required: Yes

Instructions:

1. Identify affected modules by checking serial numbers.
2. Download updated firmware from the Mitsubishi Electric support portal.
3. Follow module-specific firmware update procedures.
4. Verify serial numbers are outside the vulnerable ranges after the update.

🔧 Temporary Workarounds

Network Segmentation and Filtering

all

Isolate affected modules in dedicated network segments with strict firewall rules to block unauthorized access.

Access Control Lists

all

Implement network ACLs to restrict communication to only trusted IP addresses and required protocols.

🧯 If You Can't Patch

  • Deploy industrial firewalls with deep packet inspection to detect and block malicious TCP/IP packets
  • Implement network monitoring with anomaly detection for unusual traffic patterns to affected modules

🔍 How to Verify

Check if Vulnerable:

Check module serial numbers against vulnerable ranges: RJ71EIP91 (first 2 digits ≤ '02'), RJ71PN92 (first 2 digits ≤ '01'), RD81DL96 (first 2 digits ≤ '08'), RD81MES96N (first 2 digits ≤ '04'), RD81OPC96 (first 2 digits ≤ '04')

Check Version:

Check module configuration software or physical label for serial number and firmware version

Verify Fix Applied:

Verify serial number is outside vulnerable range and confirm firmware version matches patched versions in vendor advisory
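The serial-number check above is easy to get wrong across a large inventory, so here is an added example (not part of the advisory or any Mitsubishi tooling) that applies the listed prefix limits to an inventory of (model, serial) pairs. The sample serial numbers and the placeholder module name are constructed; the comparison is on the first two digits only, exactly as the advisory describes, and anything that cannot be parsed is reported as unknown rather than silently treated as safe.

```python
# Added example (not from the advisory): flag MELSEC iQ-R modules whose
# serial-number prefix falls in the vulnerable ranges listed for CVE-2020-5656.
from typing import Dict, List, Optional, Tuple

# Highest vulnerable value of the first two serial-number digits, per module,
# as stated in the advisory ("first 2 digits '02' or before", etc.).
MAX_VULNERABLE_PREFIX: Dict[str, int] = {
    "RJ71EIP91": 2,
    "RJ71PN92": 1,
    "RD81DL96": 8,
    "RD81MES96N": 4,
    "RD81OPC96": 4,
}


def serial_prefix(serial: str) -> Optional[int]:
    """Return the first two digits of a serial number as an int, or None when
    the string does not start with two digits (e.g. a mistyped inventory row)."""
    s = serial.strip()
    if len(s) < 2 or not s[:2].isdigit():
        return None
    return int(s[:2])


def is_vulnerable(model: str, serial: str) -> Optional[bool]:
    """True if the module is inside an affected range, False if it is a listed
    module with a later prefix, None if the model is out of scope or the
    serial cannot be parsed (so it needs a manual check, not a pass)."""
    limit = MAX_VULNERABLE_PREFIX.get(model.strip().upper())
    if limit is None:
        return None
    prefix = serial_prefix(serial)
    if prefix is None:
        return None
    return prefix <= limit


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Sort (model, serial) rows into vulnerable / not_vulnerable / unknown."""
    out: Dict[str, List[Tuple[str, str]]] = {
        "vulnerable": [], "not_vulnerable": [], "unknown": []
    }
    for model, serial in inventory:
        verdict = is_vulnerable(model, serial)
        if verdict is None:
            out["unknown"].append((model, serial))
        elif verdict:
            out["vulnerable"].append((model, serial))
        else:
            out["not_vulnerable"].append((model, serial))
    return out


# Constructed sample inventory; serial numbers and the OTHER-MODULE name are
# placeholders for illustration only.
SAMPLE_INVENTORY = [
    ("RJ71EIP91", "02XXXXXXXX"),    # prefix 02 -> vulnerable
    ("RJ71EIP91", "03XXXXXXXX"),    # prefix 03 -> outside the range
    ("RJ71PN92", "01XXXXXXXX"),     # vulnerable
    ("RD81DL96", "09XXXXXXXX"),     # outside the range
    ("RD81MES96N", "04XXXXXXXX"),   # vulnerable
    ("RD81OPC96", "ABXXXXXXXX"),    # unparseable serial -> unknown
    ("OTHER-MODULE", "01XXXXXXXX"), # not a module covered by this CVE
]

if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE_INVENTORY).items():
        print(bucket, rows)
```

Rows that land in "unknown" deserve a look at the physical label or the configuration software rather than being assumed fixed; the same function can be re-run after the firmware update to confirm every row has moved out of the vulnerable bucket.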

📡 Detection & Monitoring

Log Indicators:

  • Unexpected module restarts
  • Network service stoppage events
  • Unusual packet patterns to module IPs

Network Indicators:

  • Malformed TCP/IP packets to industrial control modules
  • Traffic spikes followed by service disruption

SIEM Query:

source_ip NOT IN (trusted_ips) AND dest_port IN (industrial_ports) AND packet_size > threshold
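The SIEM query above is written in pseudo-syntax; as an added example (not from the advisory, and not tied to any particular SIEM product) the following Python applies the same three conditions to constructed flow-log lines and then groups hits by source so a burst from one host stands out. The trusted network, the port set and the size threshold are assumptions: the advisory names no ports, so the ports here are stand-ins for whatever your affected modules actually listen on, and the threshold should come from your own traffic baseline.

```python
# Added example (not from the advisory): executable form of
#   source_ip NOT IN (trusted_ips) AND dest_port IN (industrial_ports)
#   AND packet_size > threshold
# run over constructed flow records.
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

# Assumed allow-list of engineering workstations / HMIs (constructed value).
TRUSTED_NETS = [ip_network("10.10.1.0/24")]
# Assumed listener ports for the affected module types; replace with the ports
# your modules really expose.
INDUSTRIAL_PORTS = {44818, 34964, 4840}
# Assumed size threshold in bytes; derive the real value from a traffic baseline.
SIZE_THRESHOLD = 1200


def parse_flows(text: str) -> List[Dict]:
    """Parse whitespace-separated flow lines of the constructed form
    'ts src_ip src_port dst_ip dst_port proto size' into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, src_port, dst_ip, dst_port, proto, size = line.split()
        records.append({
            "ts": ts, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "proto": proto, "size": int(size),
        })
    return records


def is_trusted(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def matches_rule(rec: Dict) -> bool:
    """All three conditions of the SIEM pseudo-query must hold."""
    return (not is_trusted(rec["src_ip"])
            and rec["dst_port"] in INDUSTRIAL_PORTS
            and rec["size"] > SIZE_THRESHOLD)


def detect(records: Iterable[Dict]) -> List[Dict]:
    return [r for r in records if matches_rule(r)]


def hits_by_source(hits: Iterable[Dict]) -> Dict[str, int]:
    """Count matching records per source address; a single host producing
    many hits against module IPs is the pattern worth paging on."""
    return dict(Counter(h["src_ip"] for h in hits))


# Constructed sample flows (addresses, ports and sizes are made up).
SAMPLE_FLOWS = """\
2020-11-20T10:00:01Z 10.10.1.5 50100 10.10.2.10 44818 tcp 512
2020-11-20T10:00:02Z 10.10.9.77 40211 10.10.2.10 44818 tcp 1460
2020-11-20T10:00:02Z 10.10.9.77 40212 10.10.2.11 4840 tcp 1460
2020-11-20T10:00:03Z 10.10.1.6 50101 10.10.2.11 4840 tcp 900
2020-11-20T10:00:04Z 10.10.9.77 40213 10.10.2.10 80 tcp 1500
2020-11-20T10:00:05Z 192.0.2.44 33000 10.10.2.12 34964 udp 1300
"""

if __name__ == "__main__":
    found = detect(parse_flows(SAMPLE_FLOWS))
    for h in found:
        print(h["ts"], h["src_ip"], "->", h["dst_ip"], h["dst_port"], h["size"])
    print(hits_by_source(found))
```

In the sample, the line from a trusted workstation and the oversized packet to a non-industrial port both drop out, leaving two hits from one untrusted internal host and one from an external address; pairing the per-source count with the module restart and service-stoppage log indicators listed above is what turns a noisy size rule into a useful alert.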
