PEPPERL+FUCHS: Multiple Products prone to multiple vulnerabilities in Comtrol RocketLinux (Update A)

VDE-2020-040 (2020-10-07 15:10 UTC+0200)

Affected Vendors

PEPPERL+FUCHS

Affected Products

P+F Comtrol RocketLinx®:

  • ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2,
  • ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE,
  • ES9528/ES9528-XT

affected by: CVE-2020-12500, CVE-2020-12501, CVE-2020-12502, CVE-2020-12503, CVE-2020-12504

Update A, 2020-10-08

P+F Comtrol RocketLinx®:

  • ICRL-M-8RJ45/4SFP-G-DIN Firmware 1.2.3 and previous
  • ICRL-M-16RJ45/4CP-G-DIN Firmware 1.2.3 and previous

affected by: CVE-2020-12502, CVE-2020-12503, CVE-2020-12504

Vulnerability Type

Improper Authorization (CWE-285)

Summary

Several critical vulnerabilities in the device firmware have been identified:

CVE: CVE-2020-12500
CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Vuln-Type: CWE-285: Improper Authorization
Description: Unauthenticated Device Administration

CVE: CVE-2020-12501
CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Vuln-Type: CWE-798: Use of Hardcoded Credentials
Description: Undocumented Accounts

CVE: CVE-2020-12502
CVSS: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Vuln-Type: CWE-352: Cross-Site Request Forgery (CSRF)
Description: Unauthenticated Device Administration

CVE: CVE-2020-12503
CVSS: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Vuln-Type: CWE-20: Improper Input Validation
Description: Multiple Authenticated Command Injections

CVE: CVE-2020-12504
CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Vuln-Type: CWE-912: Hidden Functionality
Description: Active TFTP-Service

Impact

Pepperl+Fuchs has analyzed the issues and identified the affected devices.
Remote attackers may exploit these vulnerabilities to gain access to the device,
execute arbitrary programs and read out information.

Solution

for P+F Comtrol RocketLinx®:

  • ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2,
  • ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE,
  • ES9528/ES9528-XT

An external protective measure is required.

1) Traffic from untrusted networks to the device should be blocked by a firewall,
especially traffic targeting the administration web page.

2) Administrator and user access should be protected by a strong password and be
available only to a very limited group of people.

Update A, 2020-10-08

for P+F Comtrol RocketLinx®:

  • ICRL-M-8RJ45/4SFP-G-DIN Firmware 1.2.3 and previous
  • ICRL-M-16RJ45/4CP-G-DIN Firmware 1.2.3 and previous

For vulnerabilities CVE-2020-12502 “Cross-Site Request Forgery (CSRF)” and
CVE-2020-12503 “Multiple Authenticated Command Injections”:

An external protective measure is required.

  1. Traffic from untrusted networks to the device should be blocked by a firewall, especially traffic targeting the administration web page.
  2. Administrator and user access should be protected by a strong password and be available only to a very limited group of people.

For vulnerability CVE-2020-12504 “Active TFTP-Service”:

  1. Update the following products to the respective firmware version:

     Product ID               Firmware Version
     ICRL-M-8RJ45/4SFP-G-DIN  1.3.1
     ICRL-M-16RJ45/4CP-G-DIN  1.3.1

  2. Deactivate the TFTP service.
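After the update and deactivation, it is worth verifying from the network that nothing answers on UDP/69 any more. The probe below is an example written for this page, not code from Pepperl+Fuchs, CERT@VDE or SEC Consult. It sends a single TFTP read request for a file name that will not exist; a real TFTP daemon answers that with an ERROR packet (code 1, "File not found"), so any TFTP reply proves the service is still listening, while silence means it is off or filtered. The `start_fake_tftp_server` helper is a constructed stand-in used only so the example runs offline; against a real switch, call `tftp_probe` with the management IP of the device from a host that the firewall allows through, otherwise a silent result only proves the firewall rule, not the deactivation.

```python
import socket
import struct
import threading
from typing import Optional

TFTP_PORT = 69
_OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR", 6: "OACK"}


def build_rrq(filename: str = "cert-vde-probe", mode: str = "octet") -> bytes:
    """TFTP read request (RFC 1350): opcode 1 | filename | 0 | mode | 0."""
    return (struct.pack("!H", 1) + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def parse_opcode(packet: bytes) -> Optional[str]:
    """Name of the TFTP opcode in the first two bytes, or None if not TFTP."""
    if len(packet) < 2:
        return None
    return _OPCODES.get(struct.unpack("!H", packet[:2])[0])


def tftp_probe(host: str, port: int = TFTP_PORT, timeout: float = 2.0) -> Optional[str]:
    """Send one RRQ for a file that should not exist and report the reply type.

    Returns the TFTP opcode name of the reply ("ERROR" for a missing file,
    "DATA" if the file exists), "non-TFTP reply" for an unparsable datagram,
    or None when nothing answers within the timeout (service off or filtered).
    The probe never writes to the device.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_rrq(), (host, port))
            data, _ = sock.recvfrom(1024)
        except (socket.timeout, ConnectionRefusedError, OSError):
            # Timeout, or ICMP port-unreachable surfaced as an error: no listener.
            return None
    return parse_opcode(data) or "non-TFTP reply"


def start_fake_tftp_server(host: str = "127.0.0.1") -> int:
    """Constructed stand-in for a device with the TFTP service still active
    (not a real RocketLinx). Answers the first RRQ with ERROR 1 "File not
    found", as a real daemon does for a missing file, then exits.
    Returns the bound UDP port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    srv.settimeout(10)
    port = srv.getsockname()[1]

    def serve() -> None:
        try:
            pkt, peer = srv.recvfrom(1024)
            if parse_opcode(pkt) == "RRQ":
                err = struct.pack("!HH", 5, 1) + b"File not found\x00"
                srv.sendto(err, peer)
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_udp_port(host: str = "127.0.0.1") -> int:
    """Pick a local UDP port with no listener (bind ephemeral, then release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    active_port = start_fake_tftp_server()
    print("service active :", tftp_probe("127.0.0.1", active_port, timeout=1.0))
    print("service absent :", tftp_probe("127.0.0.1", closed_udp_port(), timeout=1.0))
```

Run the probe once before and once after the firmware update; the expected change is from "ERROR" (a daemon answered) to None. Because the check is a single datagram, it is safe to schedule periodically as a regression test for the TFTP setting.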

Reported by

T. Weber (SEC Consult Vulnerability Lab)
Coordinated by CERT@VDE