PEPPERL+FUCHS: Multiple vulnerabilities in Comtrol IO-Link Master. Affected versions <= 1.5.48

VDE-2020-038 (2021-01-04 15:01 UTC+0200)

Affected Vendors

Pepperl+Fuchs

Affected Products

P+F Comtrol:

• IO-Link Master 4-EIP
• IO-Link Master 8-EIP
• IO-Link Master 8-EIP-L
• IO-Link Master DR-8-EIP
• IO-Link Master DR-8-EIP-P
• IO-Link Master DR-8-EIP-T
• IO-Link Master 4-PNIO
• IO-Link Master 8-PNIO
• IO-Link Master 8-PNIO-L
• IO-Link Master DR-8-PNIO
• IO-Link Master DR-8-PNIO-P
• IO-Link Master DR-8-PNIO-T

Firmware version <= 1.5.48

Vulnerability Type

Cross-Site Request Forgery (CWE-352)

Summary

Several vulnerabilities exist within firmware versions up to and including v1.5.48.

CVE-ID: CVE-2020-12511
Vuln.Type: Cross-Site Request Forgery (CSRF) (CWE-352)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVE-ID: CVE-2020-12512
Vuln.Type: Cross-Site Scripting (XSS) (CWE-725)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-ID: CVE-2020-12513
Vuln.Type: OS Command Injection (CWE-78)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-ID: CVE-2020-12514
Vuln.Type: NULL Pointer Dereference (CWE-476)
CVSS Score: 6.6 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVE-ID: CVE-2018-20679
Vuln.Type: Out-of-bounds Read (CWE-125)
CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVE-ID: CVE-2018-0732
Vuln.Type: Key Management Errors (CWE-320)
CVSS Score: 6.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Impact

Pepperl+Fuchs analyzed and identified the affected devices.
Remote attackers may exploit multiple vulnerabilities to gain access to the device,
execute arbitrary programs and intercept information.

Solution

In order to prevent the exploitation of the reported vulnerabilities, we recommend that the
affected units be updated with the following three firmware packages:

  • U-Boot bootloader version 1.36 or newer
  • System image version 1.52 or newer
  • Application base version 1.6.11 or newer
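
As an added triage helper, not part of the advisory or of the vendor's tooling: the check below compares component versions read from a device against the three fixed versions listed above and the affected firmware range; the component key names and the sample input are this example's own assumptions.

```python
from typing import Dict, List, Tuple

# Minimum fixed versions, taken from the advisory's "Solution" section.
# The key names are this example's own (assumed), not vendor identifiers.
FIXED_VERSIONS: Dict[str, str] = {
    "uboot": "1.36",         # U-Boot bootloader
    "system_image": "1.52",  # System image
    "app_base": "1.6.11",    # Application base
}

# Highest affected firmware version named in the advisory.
LAST_AFFECTED_FIRMWARE = "1.5.48"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '1.6.11' into an integer tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def version_at_least(current: str, required: str) -> bool:
    """True if `current` >= `required`; shorter tuples are padded with zeros,
    so '1.52' and '1.52.0' compare equal and '1.6.11' > '1.6.9' numerically."""
    cur, req = parse_version(current), parse_version(required)
    width = max(len(cur), len(req))
    cur += (0,) * (width - len(cur))
    req += (0,) * (width - len(req))
    return cur >= req


def firmware_is_affected(firmware: str) -> bool:
    """True if the reported firmware version is <= 1.5.48 (the affected range)."""
    return version_at_least(LAST_AFFECTED_FIRMWARE, firmware)


def components_needing_update(reported: Dict[str, str]) -> List[str]:
    """Return the components whose reported version is below the fixed version.

    `reported` maps the keys of FIXED_VERSIONS to versions read from the device
    (constructed input). A component missing from the report is treated as
    version 0, i.e. it is flagged rather than silently assumed patched.
    """
    return [name for name, fixed in FIXED_VERSIONS.items()
            if not version_at_least(reported.get(name, "0"), fixed)]


if __name__ == "__main__":
    # Constructed sample: bootloader and application base are still too old.
    sample = {"uboot": "1.35", "system_image": "1.52", "app_base": "1.6.2"}
    print("firmware 1.5.48 affected:", firmware_is_affected("1.5.48"))
    print("components to update:", components_needing_update(sample))
```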

Furthermore, it is always recommended to observe the following measures if the affected
products are connected to public networks:

  1. Put an external protective measure in place.
    Traffic from untrusted networks to the device should be blocked by a firewall,
    especially traffic targeting the administration webpage.
  2. Enable device user accounts with secure passwords.
    If untrusted people or applications have access to the network that the device is connected to, configuring passwords for all three User Accounts is recommended.

Reported by

T.Weber (SEC Consult Vulnerability Lab) reported these vulnerabilities.

CERT@VDE coordinated and provided the CVE IDs.