PEPPERL+FUCHS: Comtrol RocketLinx ICRL-M - Multiple Vulnerabilities

PEPPERL+FUCHS: (UPDATE A) ICRL-M-8RJ45/4SFP-G-DIN and ICRL-M-16RJ45/4CP-G-DIN / Comtrol RocketLinx® – Multiple Vulnerabilities may allow remote attackers access, program execution and to tap information

VDE-2020-053 (2021-03-08 11:18 UTC+0200)

Affected Vendors

PEPPERL+FUCHS

Affected Products

P+F RocketLinx®:

  • ICRL-M-8RJ45/4SFP-G-DIN Firmware 1.3.1 and previous
  • ICRL-M-16RJ45/4CP-G-DIN Firmware 1.3.1 and previous

Vulnerability Type

Hidden Functionality (CWE-912)

Summary

The firmware contains several critical vulnerabilities.

CVE: CVE-2020-12502
CWE: CWE-352: Cross-Site Request Forgery (CSRF) 
CVSS: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) 
Description: Cross-Site Request Forgery (CSRF) 

CVE: CVE-2020-12503
CWE: CWE-20: Improper Input Validation  
CVSS: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Description: Multiple Authenticated Command Injections

CVE: CVE-2020-12504
CWE: CWE-912: Hidden Functionality
CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Description: Active TFTP-Service

Impact

Pepperl+Fuchs analyzed and identified affected devices.
Remote attackers may exploit these vulnerabilities to gain access to the device, execute arbitrary programs and tap information.

Solution

For vulnerabilities CVE-2020-12502 “Cross-Site Request Forgery (CSRF)”, CVE-2020-12503 “Multiple Authenticated Command Injections” and CVE-2020-12504 “Active TFTP-Service”:

  1. Update following products to the respective Firmware Version:
    Product ID                 Firmware Version
    ICRL-M-8RJ45/4SFP-G-DIN    1.4.0
    ICRL-M-16RJ45/4CP-G-DIN
  2. Deactivate TFTP-Service
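
To confirm that step 2 took effect, the check below (an added example, not part of the advisory or of any vendor tooling) sends a TFTP read request and reports whether a TFTP daemon answers. UDP port 69, the probe filename and the function names are assumptions; the advisory names none of them.

```python
import socket
import struct
import sys

TFTP_PORT = 69  # assumption: standard TFTP port (RFC 1350); the advisory names no port
REPLY_OPCODES = {3: "DATA", 5: "ERROR", 6: "OACK"}  # RFC 1350 / RFC 2347 server replies


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """RFC 1350 read request: opcode 1, filename, NUL, transfer mode, NUL."""
    return struct.pack("!H", 1) + filename.encode("ascii") + b"\0" + mode.encode("ascii") + b"\0"


def classify_reply(packet: bytes) -> str:
    """Return 'DATA', 'ERROR' or 'OACK' for a server reply, else 'not-tftp'."""
    if len(packet) < 4:
        return "not-tftp"
    (opcode,) = struct.unpack("!H", packet[:2])
    return REPLY_OPCODES.get(opcode, "not-tftp")


def tftp_service_active(host, port=TFTP_PORT, timeout=2.0, retries=2):
    """Return (active, detail). Any well-formed reply, including an ERROR
    such as 'file not found', shows that a TFTP daemon is still listening."""
    probe = build_rrq("vde-2020-053-check.txt")  # constructed name, not expected to exist
    # Unconnected socket: TFTP servers answer from a new source port (the transfer ID).
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(retries):
            try:
                sock.sendto(probe, (host, port))
                reply, _addr = sock.recvfrom(1024)
            except OSError:  # timeout or ICMP port unreachable
                continue
            kind = classify_reply(reply)
            if kind != "not-tftp":
                return True, kind
    return False, "no TFTP reply"


if __name__ == "__main__":
    host = sys.argv[1]  # management address of the switch being checked
    active, detail = tftp_service_active(host)
    print(f"{host}: TFTP {'ACTIVE' if active else 'not answering'} ({detail})")
```

A negative result can also mean the request or reply was filtered or lost in transit, so confirm the TFTP setting in the device configuration as well.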

Reported by

T. Weber (SEC Consult Vulnerability Lab) https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

Coordinated by CERT@VDE