PEPPERL+FUCHS: Multiple Products prone to multiple vulnerabilities in Comtrol RocketLinx (Update C)

Several critical vulnerabilities within firmware.

VDE-2020-040 (2020-10-07 15:10 UTC+0200)

Affected Vendors

PEPPERL+FUCHS

Affected Products

P+F Comtrol RocketLinx®:

ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT

affected by: CVE-2020-12500, CVE-2020-12501, CVE-2020-12502, CVE-2020-12503, CVE-2020-12504

Update C, 2021-03-08

P+F Comtrol RocketLinx®:

  • ICRL-M-8RJ45/4SFP-G-DIN Firmware 1.2.3 and previous
  • ICRL-M-16RJ45/4CP-G-DIN Firmware 1.2.3 and previous

affected by: CVE-2020-12502, CVE-2020-12503, CVE-2020-12504

See VDE-2020-053 for these vulnerabilities.

Vulnerability Type

Improper Authorization (CWE-285)

Summary

Several critical vulnerabilities within the firmware have been identified:

CVE: CVE-2020-12500
CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Vuln-Type: CWE-285: Improper Authorization
Description: Unauthenticated Device Administration

CVE: CVE-2020-12501
CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Vuln-Type: CWE-798: Use of Hardcoded Credentials
Description: Undocumented Accounts

CVE: CVE-2020-12502
CVSS: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Vuln-Type: CWE-352: Cross-Site Request Forgery (CSRF)
Description: Unauthenticated Device Administration

CVE: CVE-2020-12503
CVSS: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Vuln-Type: CWE-20: Improper Input Validation
Description: Multiple Authenticated Command Injections

CVE: CVE-2020-12504
CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Vuln-Type: CWE-912: Hidden Functionality
Description: Active TFTP-Service

Impact

Pepperl+Fuchs analyzed and identified the affected devices.
Remote attackers may exploit multiple vulnerabilities to gain access to the device,
execute arbitrary programs and intercept information.

Solution

Update C, 2021-03-08

Take the following steps to address vulnerabilities CVE-2020-12500, CVE-2020-12501, CVE-2020-12502, CVE-2020-12503 and CVE-2020-12504 on the ES7510-XT and ES8510-XT switches:

Step 1) Update following products to the respective Firmware Version:

Item          Firmware Version
ES8510        3.1.1
ES7510-XT     2.1.1

Step 2) Deactivate TFTP-Service
Step 3) Deactivate PortVision DX Protocol

For the other affected products, an external protective measure is required:

  • Minimize network exposure for affected products and ensure that they are not accessible via the Internet.

  • Isolate affected products from the corporate network.

  • Traffic from untrusted networks to the device, especially traffic targeting the administration web page, should be blocked by a firewall.

  • If remote access is required, use secure methods such as virtual private networks (VPNs).

  • Administrator and user access should be protected by a secure password and only be available to a very limited group of people.
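The following inventory triage helper is an added illustration, not part of the advisory or of any Pepperl+Fuchs tooling: it encodes the affected-product lists, the ICRL-M firmware boundary (1.2.3 and previous) and the Step 1 fixed versions stated above, and maps each device in an inventory to the CVEs and remediation steps that apply. The inventory rows are constructed sample data, and firmware versions are assumed to be dotted integer strings.

```python
# CVE identifiers from the advisory's Summary section
ALL_CVES = ("CVE-2020-12500", "CVE-2020-12501", "CVE-2020-12502",
            "CVE-2020-12503", "CVE-2020-12504")
ICRL_CVES = ALL_CVES[2:]  # ICRL-M models: CVE-2020-12502 to -12504 only

# RocketLinx models affected by all five CVEs ("Affected Products")
ROCKETLINX_MODELS = {"ES7510-XT", "ES8509-XT", "ES8510-XT", "ES9528-XTv2",
                     "ES7506", "ES7510", "ES7528", "ES8508", "ES8508F",
                     "ES8510", "ES8510-XTE", "ES9528", "ES9528-XT"}
# ICRL-M models: firmware 1.2.3 and previous are affected (Update C)
ICRL_MODELS = {"ICRL-M-8RJ45/4SFP-G-DIN", "ICRL-M-16RJ45/4CP-G-DIN"}
ICRL_LAST_AFFECTED = (1, 2, 3)
# Fixed firmware versions exactly as listed in the advisory's Step 1 table
FIXED_VERSION = {"ES8510": (3, 1, 1), "ES7510-XT": (2, 1, 1)}

HARDENING = ["deactivate TFTP service", "deactivate PortVision DX protocol"]
EXTERNAL = ["no firmware fix listed: isolate device, firewall the admin web page, "
            "VPN-only remote access, restrict administrator accounts"]

def parse_version(text):
    """'3.1.1' -> (3, 1, 1); assumes dotted integer version strings."""
    return tuple(int(p) for p in text.strip().split("."))

def triage(model, firmware):
    """Classify one device as (status, applicable CVEs, required actions)."""
    version = parse_version(firmware)
    if model in ICRL_MODELS:
        if version <= ICRL_LAST_AFFECTED:
            return ("affected", ICRL_CVES, ["see VDE-2020-053"])
        return ("not affected", (), [])
    if model not in ROCKETLINX_MODELS:
        return ("not listed", (), [])
    fixed = FIXED_VERSION.get(model)
    if fixed is None:
        return ("affected", ALL_CVES, EXTERNAL)
    if version >= fixed:
        # Firmware is current, but Steps 2 and 3 of the advisory still apply
        return ("updated", (), HARDENING)
    target = ".".join(str(n) for n in fixed)
    return ("affected", ALL_CVES, [f"update firmware to {target}"] + HARDENING)

def triage_inventory(rows):
    """rows: iterable of (hostname, model, firmware) tuples -> {hostname: triage}."""
    return {host: triage(model, fw) for host, model, fw in rows}

# Constructed sample inventory (hostnames and versions are made up)
SAMPLE_INVENTORY = [("sw-01", "ES8510", "3.1.1"), ("sw-02", "ES7510-XT", "2.0.9"),
                    ("sw-03", "ES8508", "1.4.0"), ("sw-04", "ICRL-M-8RJ45/4SFP-G-DIN", "1.2.3")]
```

Devices reported as "updated" still need the TFTP service and the PortVision DX protocol switched off; devices with no fixed version listed fall back to the external protective measures above.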

Reported by

T. Weber (SEC Consult Vulnerability Lab)
Coordinated by CERT@VDE