PEPPERL+FUCHS: Multiple Products prone to multiple vulnerabilities in Comtrol RocketLinux (Update C)

Several critical vulnerabilities within firmware.

VDE-2020-040 (2020-10-07 15:10 UTC+0200)

CVE Identifier

CVE-2020-12500, CVE-2020-12501, CVE-2020-12502, CVE-2020-12503, CVE-2020-12504

Severity

9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Vendors

PEPPERL+FUCHS

Affected Products

P+F Comtrol RocketLinx®:

ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT

affected by: CVE-2020-12500, CVE-2020-12501, CVE-2020-12502, CVE-2020-12503, CVE-2020-12504

Update C, 2021-03-08

P+F Comtrol RocketLinx®:

ICRL-M-8RJ45/4SFP-G-DIN Firmware 1.2.3 and previous
ICRL-M-16RJ45/4CP-G-DIN Firmware 1.2.3 and previous

affected by: CVE-2020-12502, CVE-2020-12503, CVE-2020-12504

See VDE-2020-053 for these vulnerabilities

Vulnerability Type

Improper Authorization (CWE-285)

Summary

Several critical vulnerabilities within Firmware have been identified:

CVE: CVE-2020-12500
CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Vuln-Type: CWE-285: Improper Authorization
Description: Unauthenticated Device Administration

CVE: CVE-2020-12501
CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Vuln-Type: CWE-798: Use of Hardcoded Credentials
Description: Undocumented Accounts

CVE: CVE-2020-12502
CVSS: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Vuln-Type: CWE-352: Cross-Site Request Forgery (CSRF)
Description: Unauthenticated Device Administration

CVE: CVE-2020-12503
CVSS: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Vuln-Type: CWE-20: Improper Input Validation
Description: Multiple Authenticated Command Injections

CVE: CVE-2020-12504
CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Vuln-Type: CWE-912: Hidden Functionality
Description: Active TFTP-Service

Impact

Pepperl+Fuchs analyzed and identified affected devices.
Remote attackers may exploit multiple vulnerabilities to get access to the device and
execute any program and tap information.

Solution

Update C, 2021-03-08

Take the following steps to address vulnerabilities CVE2020-12500, CVE2020-12501, CVE2020-12502, CVE2020-12503 and CVE2020-12504 on the ES7510-XT and ES8510- XT switches:

Step 1) Update following products to the respective Firmware Version:

Item Firmware Version ES8510 3.1.1
ES7510-XT 2.1.1

Step 2) Deactivate TFTP-Service
Step 3) Deactivate PortVision DX Protocol

For the other affected products, an external protective measure is required:

Minimize network exposure for affected products and ensure that they are not accessible via the Internet.
Isolate affected products from the corporate network.
Traffic from untrusted networks to the device should be blocked by a firewall.
Especially traffic targeting the administration webpage
If remote access is required, use secure methods such as virtual private networks (VPNs).
Administrator and user access should be protected by a secure password and only be available to a very limited group of people.

Reported by

T. Weber (SEC Consult Vulnerability Lab)
Coordinated by CERT@VDE