PEPPERL+FUCHS: Multiple Products - Vulnerability may allow remote attackers to cause a Denial Of Service
A critical vulnerability has been discovered in the utilized component 499ES EtherNet/IP Stack by Real Time Automation (RTA).
VDE-2020-050 (2021-02-15 14:33 UTC+0100)
CVE Identifier
CVE-2020-25159
Affected Vendors
PEPPERL+FUCHS
Affected Products
- IC-KP2-2HB17-2V1D Firmware <= 18-31440H
- IC-KP2-1HB17-2V1D Firmware <= 18-31766H
- IC-KP-B17-AIDA1 Firmware <= 18-31785F
Vulnerability Type
Out-of-bounds Write (CWE-787)
Summary
A critical vulnerability has been discovered in the utilized component 499ES EtherNet/IP Stack by Real Time Automation (RTA).
Impact
Pepperl+Fuchs analyzed and identified affected devices.
Remote attackers may exploit the vulnerability by sending specially crafted packets, which may result in a denial-of-service condition or code execution.
Solution
An external protective measure is required.
- Minimize network exposure for affected products and ensure that they are not accessible via the Internet.
- Isolate affected products from the corporate network.
- If remote access is required, use secure methods such as virtual private networks (VPNs).
Reported by
Sharon Brizinov of Claroty reported this vulnerability to CISA.
Coordinated by CERT@VDE