PEPPERL+FUCHS: Multiple Products - Vulnerability may allow remote attackers to cause a Denial Of Service

A critical vulnerability has been discovered in the utilized component PROFINET IO Device by Hilscher Gesellschaft für Systemautomation mbH.

VDE-2021-007 (2021-02-16 16:53 UTC+0200)

CVE Identifier

CVE-2021-20987

Affected Vendors

PEPPERL+FUCHS

Affected Products

PCV/PXV/PGV

Item No.       Item                           Vulnerable Profinet Communication FW
293431-100004  PXV100-F200-B25-V1D            <= V1.10.0
293431-100010  PXV100I-F200-B25-V1D
284068         PCV100-F200-B25-V1D-6011-6720
262161         PCV50-F200-B25-V1D
262162         PCV80-F200-B25-V1D
262163         PCV100-F200-B25-V1D-6011

WCS

Item No.  Item              Vulnerable Profinet Communication FW
262006    WCS3B-LS510       <= V1.2.1
304866    WCS3B-LS510H
304867    WCS3B-LS510D
304868    WCS3B-LS510DH
312680    WCS3B-LS510H-OM
312681    WCS3B-LS510DH-OM
312682    WCS3B-LS510D-OM
312683    WCS3B-LS510-OM

Summary

A critical vulnerability has been discovered in the utilized component Ethernet IP Stack by Hilscher Gesellschaft für Systemautomation mbH.
The impact of the vulnerability on the affected device is that it can result in:

  • denial of service
  • remote code execution
  • code exposure

For more information see advisory by Hilscher:
https://kb.hilscher.com/pages/viewpage.action?pageId=108969480

Impact

Pepperl+Fuchs analyzed and identified affected devices.
Remote attackers may cause a Denial Of Service of the product.

Solution

An external protective measure is required.

  • Minimize network exposure for affected products and ensure that they are not accessible via the Internet.
  • Isolate affected products from the corporate network.
  • If remote access is required, use secure methods such as virtual private networks (VPNs).

Reported by

Hilscher Gesellschaft für Systemautomation mbH