Share: Email | Twitter

ID

VDE-2021-006

Published

2021-02-16 15:53 (CET)

Last update

2021-02-16 15:53 (CET)

Vendor(s)

Pepperl+Fuchs SE

Summary

Critical vulnerability has been discovered in the utilized component PROFINET IO Device by Hilscher Gesellschaft für Systemautomation mbH.
The impact of the vulnerability on the affected device is that it can

  • no longer perform acyclic requests
  • may drop all established cyclic connections may
  • disappear completely from the network

For more information see advisory by Hilscher:
https://kb.hilscher.com/display/ISMS/2020-12-03+Denial+of+Service+vulnerability+in+PROFINET+IO+Device


Weakness

Stack-based Buffer Overflow  (CWE-121) 

Summary

A Denial of Service vulnerability was found in Hilscher PROFINET IO Device V3 in versions prior to V3.14.0.7. This may lead to unexpected loss of cyclic communication or interruption of acyclic communication.


Impact

Pepperl+Fuchs analyzed and identified affected devices.
Remote attackers may cause a cause a Denial Of Service of the product.

Solution

Mitigation

An external protective measure is required.

  • Minimize network exposure for affected products and ensure that they are not accessible via the Internet.
  • Isolate affected products from the corporate network.
  • If remote access is required, use secure methods such as virtual private networks (VPNs).

Reported by

Hilscher Gesellschaft für Systemautomation mbH