PEPPERL+FUCHS: Multiple vulnerabilities in Comtrol IO-Link Master. Affected versions <= 1.5.48
VDE-2020-038 (2021-01-04 14:01 UTC+0100)
CVE Identifier
CVE-2020-12511, CVE-2020-12512, CVE-2020-12513, CVE-2020-12514, CVE-2018-20679, CVE-2018-0732
Affected Vendors
Pepperl+Fuchs
Affected Products
P+F Comtrol:
• IO-Link Master 4-EIP
• IO-Link Master 8-EIP
• IO-Link Master 8-EIP-L
• IO-Link Master DR-8-EIP
• IO-Link Master DR-8-EIP-P
• IO-Link Master DR-8-EIP-T
• IO-Link Master 4-PNIO
• IO-Link Master 8-PNIO
• IO-Link Master 8-PNIO-L
• IO-Link Master DR-8-PNIO
• IO-Link Master DR-8-PNIO-P
• IO-Link Master DR-8-PNIO-T
Firmware version <= 1.5.48
Vulnerability Type
Cross-Site Request Forgery (CWE-352)
Summary
Several vulnerabilities exist within firmware versions up to and including v1.5.48.
CVE-ID: CVE-2020-12511
Vuln.Type: Cross-Site Request Forgery (CSRF) (CWE-352)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVE-ID: CVE-2020-12512
Vuln.Type: Cross-Site Scripting (XSS) (CWE-725)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE-ID: CVE-2020-12513
Vuln.Type: OS Command Injection (CWE-78)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE-ID: CVE-2020-12514
Vuln.Type: NULL Pointer Dereference (CWE-476)
CVSS Score: 6.6 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
CVE-ID: CVE-2018-20679
Vuln.Type: Out-of-bounds Read (CWE-125)
CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE-ID: CVE-2018-0732
Vuln.Type: Key Management Errors (CWE-320)
CVSS Score: 6.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Impact
Pepperl+Fuchs analyzed and identified the affected devices.
Remote attackers may exploit multiple vulnerabilities to gain access to the device,
execute arbitrary programs and intercept information.
Solution
In order to prevent the exploitation of the reported vulnerabilities, we recommend that the
affected units be updated with the following three firmware packages:
- U-Boot bootloader version 1.36 or newer
- System image version 1.52 or newer
- Application base version 1.6.11 or newer
Furthermore, it is always recommended to observe the following measures if the affected
products are connected to public networks:
- An external protective measure is to be put in place.
Traffic from untrusted networks to the device should be blocked by a firewall,
especially traffic targeting the administration webpage.
- Device user accounts are to be enabled with secure passwords.
If untrusted people or applications have access to the network that the device is connected to, then configuring passwords for all three user accounts is recommended.
Reported by
T. Weber (SEC Consult Vulnerability Lab) reported these vulnerabilities.
CERT@VDE coordinated and provided the CVE IDs.