PEPPERL+FUCHS: Multiple VDM100-Distance Ethernet-IP sensors with multiple vulnerabilities

PEPPERL+FUCHS: Multiple VDM100-Distance Ethernet-IP Sensors – Multiple Vulnerabilities may allow remote attackers to gain access to and achieve full remote code execution on the target device

VDE-2021-028 (2021-08-16 14:02 UTC+0200)

Affected Vendors

PEPPERL+FUCHS

Affected Products

Item No.   Item                 Firmware Version
256830     VDM100-50-EIP/G2     <=2.00
243598     VDM100-150-EIP/G2    <=2.00
256831     VDM100-300-EIP/G2    <=2.00

Summary

Critical vulnerabilities have been discovered in the Treck TCP/IP stack used by the affected products; the issues were reported by Digi International Inc.

For more information, see the advisory by Digi International Inc.:
Digi International Security Notice - TRECK TCP/IP Stack "RIPPLE20" VU#257161 ICS-VU-035787 | Digi International

CVE-2020-11896
CWE-787: Out-of-bounds Write
CVSS: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Description: The Treck TCP/IP stack before 6.0.1.66 allows Remote Code Execution, related to IPv4 tunneling.

CVE-2020-11897
CWE-787: Out-of-bounds Write
CVSS: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Description: The Treck TCP/IP stack before 5.0.1.35 has an Out-of-Bounds Write via multiple malformed IPv6 packets.

CVE-2020-11898
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSS: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
Description: The Treck TCP/IP stack before 6.0.1.66 improperly handles an IPv4/ICMPv4 Length Parameter Inconsistency, which might allow remote attackers to trigger an information leak.

CVE-2020-11899
CWE-125: Out-of-bounds Read
CVSS: 5.4 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
Description: The Treck TCP/IP stack before 6.0.1.66 has an IPv6 Out-of-bounds Read.

CVE-2020-11900
CWE-415: Double Free
CVSS: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
Description: The Treck TCP/IP stack before 6.0.1.41 has an IPv4 tunneling Double Free.

CVE-2020-11901
CWE-787: Out-of-bounds Write
CVSS: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Description: The Treck TCP/IP stack before 6.0.1.66 allows Remote Code execution via a single invalid DNS response.

CVE-2020-11902
CWE-125: Out-of-bounds Read
CVSS: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Description: The Treck TCP/IP stack before 6.0.1.66 has an IPv6OverIPv4 tunneling Out-of-bounds Read.

CVE-2020-11903
CWE-125: Out-of-bounds Read
CVSS: 6.5 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Description: The Treck TCP/IP stack before 6.0.1.28 has a DHCP Out-of-bounds Read.

CVE-2020-11904
CWE-190: Integer Overflow or Wraparound
CVSS: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Description: The Treck TCP/IP stack before 6.0.1.66 has an Integer Overflow during Memory Allocation that causes an Out-of-Bounds Write.

CVE-2020-11905
CWE-125: Out-of-bounds Read
CVSS: 6.5 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Description: The Treck TCP/IP stack before 6.0.1.66 has a DHCPv6 Out-of-bounds Read.

CVE-2020-11906
CWE-191: Integer Underflow (Wrap or Wraparound)
CVSS: 6.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Description: The Treck TCP/IP stack before 6.0.1.66 has an Ethernet Link Layer Integer Underflow.

CVE-2020-11907
CWE-: 
CVSS: 6.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Description: The Treck TCP/IP stack before 6.0.1.66 improperly handles a Length Parameter Inconsistency in TCP.

CVE-2020-11908
CWE-: 
CVSS: 4.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Description: The Treck TCP/IP stack before 4.7.1.27 mishandles '\0' termination in DHCP.

CVE-2020-11909
CWE-191: Integer Underflow (Wrap or Wraparound)
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Description: The Treck TCP/IP stack before 6.0.1.66 has an IPv4 Integer Underflow.

CVE-2020-11910
CWE-125: Out-of-bounds Read
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Description: The Treck TCP/IP stack before 6.0.1.66 has an ICMPv4 Out-of-bounds Read.

CVE-2020-11911
CWE-732: Incorrect Permission Assignment for Critical Resource
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Description: The Treck TCP/IP stack before 6.0.1.66 has Improper ICMPv4 Access Control.

CVE-2020-11912
CWE-125: Out-of-bounds Read
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Description: The Treck TCP/IP stack before 6.0.1.66 has a TCP Out-of-bounds Read.

CVE-2020-11913
CWE-125: Out-of-bounds Read
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Description: The Treck TCP/IP stack before 6.0.1.66 has an IPv6 Out-of-bounds Read.

CVE-2020-11914
CWE-125: Out-of-bounds Read
CVSS: 4.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Description: The Treck TCP/IP stack before 6.0.1.66 has an ARP Out-of-bounds Read.

Impact

Pepperl+Fuchs analyzed and identified affected devices.

The impact on an affected device is that it may

  • no longer perform acyclic requests
  • drop all established cyclic connections
  • disappear completely from the network

Solution

An external protective measure is required.

  • Minimize network exposure for affected products and ensure that they are not accessible via the Internet.
  • Isolate affected products from the corporate network.
  • If remote access is required, use secure methods such as virtual private networks (VPNs).

Reported by

Digi International Inc.
Coordinated by CERT@VDE