WEIDMUELLER: Multiple vulnerabilities in Industrial WLAN devices (UPDATE A)

Multiple issues in Weidmueller Industrial WLAN devices have been found.

VDE-2021-026 (2021-06-23 09:48 UTC+0200)

Affected Vendors

Weidmueller

Affected Products

Product number   Product name             Firmware version
2536600000       IE-WL-BL-AP-CL-EU        <= V1.16.18 (Build 18081617)
2536650000       IE-WLT-BL-AP-CL-EU       <= V1.16.18 (Build 18081617)
2536660000       IE-WL-BL-AP-CL-US        <= V1.16.18 (Build 18081617)
2536670000       IE-WLT-BL-AP-CL-US       <= V1.16.18 (Build 18081617)
2536680000       IE-WL-VL-AP-BR-CL-EU     <= V1.11.10 (Build 18122616)
2536690000       IE-WLT-VL-AP-BR-CL-EU    <= V1.11.10 (Build 18122616)
2536700000       IE-WL-VL-AP-BR-CL-US     <= V1.11.10 (Build 18122616)
2536710000       IE-WLT-VL-AP-BR-CL-US    <= V1.11.10 (Build 18122616)

Summary

Initial publication date: 2021-06-23
Update A publication date: 2021-07-02

Multiple issues in Weidmueller Industrial WLAN devices have been found.

Impact

CVE-ID: CVE-2021-33528
CWE-ID: Improper Adherence to Coding Standards (CWE-710)
CVSS: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Description: An exploitable privilege escalation vulnerability exists in the iw_console functionality of Weidmueller Industrial WLAN devices. A specially crafted menu selection string can cause an escape from the restricted console, resulting in system access as the root user. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.

CVE-ID: CVE-2021-33529
CWE-ID: Use of Hard-coded Credentials (CWE-798)
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Description: The usage of hard-coded cryptographic keys within the service agent binary allows for the decryption of captured traffic across the network from or to the Weidmueller Industrial WLAN device.

CVE-ID: CVE-2021-33530
CWE-ID: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
CVSS: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Description: An exploitable command injection vulnerability exists in the encrypted diagnostic script functionality of Weidmueller Industrial WLAN devices. A specially crafted diagnostic script file can cause arbitrary busybox commands to be executed, resulting in remote control over the device. An attacker can send a diagnostic script while authenticated as a low privilege user to trigger this vulnerability.

CVE-ID: CVE-2021-33531
CWE-ID: Use of Hard-coded Credentials (CWE-798)
CVSS: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Description: An exploitable use of hard-coded credentials vulnerability exists in multiple iw_* utilities of Weidmueller Industrial WLAN devices. The device operating system contains an undocumented encryption password, allowing for the creation of custom diagnostic scripts. An attacker can send diagnostic scripts while authenticated as a low privilege user to trigger this vulnerability.

CVE-ID: CVE-2021-33532
CWE-ID: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
CVSS: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Description: An exploitable command injection vulnerability exists in the iw_webs functionality of Weidmueller Industrial WLAN devices. A specially crafted diagnostic script file name can cause user input to be reflected in a subsequent iw_system call, resulting in remote control over the device. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.

CVE-ID: CVE-2021-33533
CWE-ID: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
CVSS: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Description: An exploitable command injection vulnerability exists in the iw_webs functionality of Weidmueller Industrial WLAN devices. A specially crafted iw_serverip parameter can cause user input to be reflected in a subsequent iw_system call, resulting in remote control over the device. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.

CVE-ID: CVE-2021-33534
CWE-ID: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
UPDATE A:
CVSS: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Description: An exploitable command injection vulnerability exists in the hostname functionality of Weidmueller Industrial WLAN devices. A specially crafted entry to network configuration information can cause execution of arbitrary system commands, resulting in full control of the device. An attacker can send various requests while authenticated as a high privilege user to trigger this vulnerability.
END UPDATE A

CVE-ID: CVE-2021-33535
CWE-ID: Use of Externally-Controlled Format String (CWE-134)
CVSS: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Description: An exploitable format string vulnerability exists in the iw_console conio_writestr functionality of Weidmueller Industrial WLAN devices. A specially crafted time server entry can cause an overflow of the time server buffer, resulting in remote code execution. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.

CVE-ID: CVE-2021-33536
CWE-ID: Integer Underflow (Wrap or Wraparound) (CWE-191)
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Description: An exploitable denial-of-service vulnerability exists in ServiceAgent functionality of Weidmueller Industrial WLAN devices. A specially crafted packet can cause an integer underflow, triggering a large memcpy that will access unmapped or out-of-bounds memory. An attacker can send this packet while unauthenticated to trigger this vulnerability.

CVE-ID: CVE-2021-33537
CWE-ID: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)
CVSS: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Description: An exploitable remote code execution vulnerability exists in the iw_webs configuration parsing functionality of Weidmueller Industrial WLAN devices. A specially crafted user name entry can cause an overflow of an error message buffer, resulting in remote code execution. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.

CVE-ID: CVE-2021-33538
CWE-ID: Improper Privilege Management (CWE-269)
CVSS: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Description: An exploitable improper access control vulnerability exists in the iw_webs account settings functionality of Weidmueller Industrial WLAN devices. A specially crafted user name entry can cause the overwrite of an existing user account password, resulting in remote shell access to the device as that user. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.

CVE-ID: CVE-2021-33539
CWE-ID: Improper Authentication (CWE-287)
CVSS: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Description: An exploitable authentication bypass vulnerability exists in the hostname processing of Weidmueller Industrial WLAN devices. A specially configured device hostname can cause the device to interpret selected remote traffic as local traffic, resulting in a bypass of web authentication. An attacker can send authenticated SNMP requests to trigger this vulnerability.

Solution

For all of the vulnerabilities listed above, Weidmueller provides patched firmware for the affected Industrial WLAN devices. Download and install the latest firmware for your device by following the procedure below:
Open www.weidmueller.com

  1. Enter within search field on the web page the product number of the Industrial WLAN device you want to update and press "enter"
  2. On next page expand the drop-down menu "Downloads"
  3. Download the respective firmware from the download table
  4. Install the firmware on your device

The patched firmware versions for all affected products are listed below. Devices running these versions or later are not affected by the vulnerabilities above.

Product number   Product name             Firmware version
2536600000       IE-WL-BL-AP-CL-EU        >= V1.16.21 (Build 21010513)
2536650000       IE-WLT-BL-AP-CL-EU       >= V1.16.21 (Build 21010513)
2536660000       IE-WL-BL-AP-CL-US        >= V1.16.21 (Build 21010513)
2536670000       IE-WLT-BL-AP-CL-US       >= V1.16.21 (Build 21010513)
2536680000       IE-WL-VL-AP-BR-CL-EU     >= V1.11.13 (Build 21010513)
2536690000       IE-WLT-VL-AP-BR-CL-EU    >= V1.11.13 (Build 21010513)
2536700000       IE-WL-VL-AP-BR-CL-US     >= V1.11.13 (Build 21010513)
2536710000       IE-WLT-VL-AP-BR-CL-US    >= V1.11.13 (Build 21010513)
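The two tables above (affected and patched firmware per product number) can be turned into an inventory check so that a fleet of access points can be triaged without reading each version by hand. The following script is an added example written for this advisory; it is not code from Weidmueller or CERT@VDE. The product numbers and version thresholds are taken from the tables; the firmware string format "V1.16.18 (Build 18081617)" and the comma-separated inventory format are assumptions, and the inventory lines are constructed sample data. Versions that fall between the last affected and the first patched release are reported as "unknown" because the advisory does not state whether they contain the fixes.

```python
import re

# Product numbers per firmware line, from the advisory's product tables.
BL_FAMILY = {"2536600000", "2536650000", "2536660000", "2536670000"}
VL_FAMILY = {"2536680000", "2536690000", "2536700000", "2536710000"}

# Last affected and first patched version per firmware line (advisory tables).
FAMILY_VERSIONS = {
    "BL": {"last_affected": "V1.16.18 (Build 18081617)",
           "first_patched": "V1.16.21 (Build 21010513)"},
    "VL": {"last_affected": "V1.11.10 (Build 18122616)",
           "first_patched": "V1.11.13 (Build 21010513)"},
}

# Assumed firmware string format: optional "V", three numeric components,
# optional "(Build NNNN)" suffix.
VERSION_RE = re.compile(r"^\s*V?(\d+)\.(\d+)\.(\d+)\s*(?:\(Build\s+(\d+)\))?\s*$")


def parse_version(text):
    """Return (major, minor, patch, build) for a firmware string.

    build is -1 when the string carries no build number. Raises ValueError
    for strings that do not match the assumed format so that a malformed
    inventory entry is never silently classified.
    """
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    major, minor, patch, build = match.groups()
    return (int(major), int(minor), int(patch), int(build) if build else -1)


def family_of(product_number):
    """Map a product number to its firmware line, or None if not listed."""
    pn = product_number.strip()
    if pn in BL_FAMILY:
        return "BL"
    if pn in VL_FAMILY:
        return "VL"
    return None


def assess(product_number, firmware_version):
    """Classify a device as 'not_listed', 'affected', 'patched' or 'unknown'.

    Only the three numeric components are compared; the build number is kept
    for reporting but is not needed to decide against the advisory thresholds.
    """
    family = family_of(product_number)
    if family is None:
        return "not_listed"
    version = parse_version(firmware_version)[:3]
    last_affected = parse_version(FAMILY_VERSIONS[family]["last_affected"])[:3]
    first_patched = parse_version(FAMILY_VERSIONS[family]["first_patched"])[:3]
    if version <= last_affected:
        return "affected"
    if version >= first_patched:
        return "patched"
    # Interim release not covered by the advisory: flag for manual review.
    return "unknown"


# Constructed sample inventory, not data from any real installation.
SAMPLE_INVENTORY = """\
# product_number,firmware_version
2536600000,V1.16.18 (Build 18081617)
2536670000,V1.16.21 (Build 21010513)
2536690000,V1.11.10 (Build 18122616)
2536710000,V1.11.13 (Build 21010513)
"""


def triage(inventory_text):
    """Return [(product_number, firmware_version, status), ...] for an inventory."""
    results = []
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        product_number, firmware = (part.strip() for part in line.split(",", 1))
        results.append((product_number, firmware, assess(product_number, firmware)))
    return results


if __name__ == "__main__":
    for product_number, firmware, status in triage(SAMPLE_INVENTORY):
        print(f"{product_number}  {firmware:<28}  {status}")
```

Feed the script the output of your asset inventory in the assumed "product_number,firmware_version" form; any device reported as "affected" or "unknown" should be updated to the patched versions from the table above.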

Reported by

Reported by Weidmueller.
Coordinated by CERT@VDE.