PEPPERL+FUCHS: Multiple Products prone to multiple vulnerabilities in Comtrol RocketLinx (Update B)

VDE-2020-040 (2020-10-07 14:10 UTC+0100)

Affected Vendors

PEPPERL+FUCHS

Affected Products

P+F Comtrol RocketLinx®:

  • ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2
  • ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE
  • ES9528/ES9528-XT

affected by: CVE-2020-12500, CVE-2020-12501, CVE-2020-12502, CVE-2020-12503, CVE-2020-12504

Update A, 2020-10-08

P+F Comtrol RocketLinx®:

  • ICRL-M-8RJ45/4SFP-G-DIN Firmware 1.2.3 and previous
  • ICRL-M-16RJ45/4CP-G-DIN Firmware 1.2.3 and previous

affected by: CVE-2020-12502, CVE-2020-12503, CVE-2020-12504

Vulnerability Type

Improper Authorization (CWE-285)

Summary

Several critical vulnerabilities have been identified in the firmware:

CVE: CVE-2020-12500
CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Vuln-Type: CWE-285: Improper Authorization
Description: Unauthenticated Device Administration

CVE: CVE-2020-12501
CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Vuln-Type: CWE-798: Use of Hardcoded Credentials
Description: Undocumented Accounts

CVE: CVE-2020-12502
CVSS: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Vuln-Type: CWE-352: Cross-Site Request Forgery (CSRF)
Description: Unauthenticated Device Administration

CVE: CVE-2020-12503
CVSS: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Vuln-Type: CWE-20: Improper Input Validation
Description: Multiple Authenticated Command Injections

CVE: CVE-2020-12504
CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Vuln-Type: CWE-912: Hidden Functionality
Description: Active TFTP-Service

Impact

Pepperl+Fuchs analyzed and identified affected devices.
Remote attackers may exploit multiple vulnerabilities to gain access to the device,
execute any program and tap information.

Solution

Update B, 2020-11-18

For vulnerabilities

  • CVE-2020-12502 “Cross-Site Request Forgery (CSRF)”
  • CVE-2020-12503 “Multiple Authenticated Command Injections”
  • CVE-2020-12504 “Active TFTP-Service”

Step 1) Update following products to the respective Firmware Version:

Product ID                 Firmware Version
ICRL-M-8RJ45/4SFP-G-DIN    1.4.0
ICRL-M-16RJ45/4CP-G-DIN    1.4.0

Step 2) Deactivate TFTP-Service
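
A check to confirm that Step 2 took effect, as an added example (not part of the advisory or of any vendor tooling): it sends an RFC 1350 read request and reports whether the device still answers with a TFTP packet. It assumes the service listens on the standard UDP port 69; the requested file name is constructed.

```python
import socket
import struct
import sys

TFTP_PORT = 69  # assumption: the service uses the standard TFTP port
REPLY_OPCODES = {3: "DATA", 5: "ERROR"}  # valid answers to a read request

def build_rrq(filename, mode="octet"):
    """RFC 1350 read request: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", 1) + filename.encode("ascii") + b"\x00" + mode.encode("ascii") + b"\x00"

def classify_reply(data):
    """Return 'DATA', 'ERROR <code>: <message>' or 'not-tftp' for a reply datagram."""
    if len(data) < 4:
        return "not-tftp"
    opcode, arg = struct.unpack("!HH", data[:4])
    if opcode not in REPLY_OPCODES:
        return "not-tftp"
    if opcode == 5:  # ERROR carries an error code and a NUL-terminated message
        msg = data[4:].split(b"\x00", 1)[0].decode("ascii", "replace")
        return f"ERROR {arg}: {msg}"
    return "DATA"

def tftp_service_active(host, port=TFTP_PORT, timeout=3.0, retries=2):
    """True if the host answers a read request with any TFTP packet.
    False means no answer was seen; a filtered network path looks the same."""
    addr = socket.gethostbyname(host)
    probe = build_rrq("vde-2020-040-check.bin")  # constructed name, not expected to exist
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(retries):
            try:
                sock.sendto(probe, (addr, port))
                # A TFTP server replies from a new ephemeral port (its transfer ID),
                # so accept any source port but require the same source address.
                data, (src, _port) = sock.recvfrom(1024)
            except OSError:  # timeout or ICMP error: treat as no answer
                continue
            if src == addr and classify_reply(data) != "not-tftp":
                return True
    return False

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_tftp.py <device-address>")
    active = tftp_service_active(sys.argv[1])
    print("TFTP still answering" if active else "no TFTP answer")
    sys.exit(1 if active else 0)
```

Run it from the same network segment as the switch, since a firewall in between would hide a service that is still active.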

Reported by

T. Weber (SEC Consult Vulnerability Lab)
Coordinated by CERT@VDE