ID

VDE-2021-009

Published

2021-09-20 13:56 (CEST)

Last update

2021-09-20 13:58 (CEST)

Vendor(s)

PILZ

Product(s)

Product: PSSu-Module for decentralised E/A-System
Order Nr: 312041, 312042, 312043
Affected versions: all versions
Affected by: CVE-2020-35683, CVE-2020-35684, CVE-2020-35685, CVE-2021-31400, CVE-2021-31401

Product: PSSu-Module for PSS 4000
Order Nr: 31206*, 312070*, 312071*, 312077, 312085*, 312087, 31407*, 314085, 314086, 314087, 315070*, 315071*, 315085, 315086, 316010, 316020
Affected versions: <1.22.2
Affected by: CVE-2020-35683, CVE-2020-35684, CVE-2020-35685, CVE-2021-31400, CVE-2021-31401

Product: PNOZ m B1
Order Nr: 772101
Affected versions: < v1.8
Affected by: CVE-2020-35683, CVE-2020-35684, CVE-2020-35685

Product: PNOZ m ES ETH
Order Nr: 772130
Affected versions: < v1.2
Affected by: CVE-2020-35683, CVE-2020-35684, CVE-2020-35685

Product: PNOZ mmc1p ETH
Order Nr: 772030
Affected versions: all versions
Affected by: CVE-2020-35683, CVE-2020-35684, CVE-2020-35685

Product: Base-Device PNOZ mxp ETH (PNOZmulti Classic)
Order Nr: 773103, 773104*, 773113, 773116, 773123, 7731260
Affected versions: all versions
Affected by: CVE-2020-35683, CVE-2020-35684, CVE-2020-35685

* affects all variants of the listed order number

Summary

Several PILZ products use a third-party TCP/IP implementation, the "Niche Ethernet Stack". This TCP/IP stack contains multiple vulnerabilities, which therefore affect the products listed above.

Vulnerabilities

Weakness
Use of Insufficiently Random Values (CWE-330)
Summary

An issue was discovered in HCC Nichestack 3.0. The code that generates Initial Sequence Numbers (ISNs) for TCP connections derives the ISN from an insufficiently random source. As a result, ...

Weakness
Improper Input Validation (CWE-20)
Summary

An issue was discovered in tcp_rcv() in nptcp.c in HCC embedded InterNiche 4.0.1. The TCP header processing code doesn't sanitize the value of the IP total length field (header length ...

Weakness
Loop with Unreachable Exit Condition ('Infinite Loop') (CWE-835)
Summary

An issue was discovered in tcp_pulloutofband() in tcp_in.c in HCC embedded InterNiche 4.0.1. The TCP out-of-band urgent-data processing function invokes a panic function if the pointer to the end of ...

Weakness
Improper Input Validation (CWE-20)
Summary

An issue was discovered in HCC Nichestack 3.0. The code that parses TCP packets relies on an unchecked value of the IP payload size (extracted from the IP header) to ...

Weakness
Improper Input Validation (CWE-20)
Summary

An issue was discovered in HCC Nichestack 3.0. The code that parses ICMP packets relies on an unchecked value of the IP payload size (extracted from the IP header) to ...
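As an added example (not part of this advisory and not code from the Niche/NicheStack implementation): the length-consistency check whose absence is the CWE-20 pattern described in three of the entries above. Before a TCP or ICMP parser may rely on the IP payload size, the IP total length has to be bounded by the bytes actually received and by the header lengths it encloses; the function and field names are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

#define IP_MIN_HLEN  20
#define TCP_MIN_HLEN 20
typedef enum { PKT_OK = 0, PKT_TRUNCATED, PKT_BAD_IHL,
               PKT_BAD_TOTLEN, PKT_BAD_TCP_OFF } pkt_status;

/* Bound every length field by the bytes actually received before any of them
 * sizes a copy or a loop. buf/buf_len are the raw bytes handed up by the
 * driver; on success *payload_len receives the TCP data length. */
pkt_status validate_ipv4_tcp(const uint8_t *buf, size_t buf_len, size_t *payload_len)
{
    if (buf_len < IP_MIN_HLEN) return PKT_TRUNCATED;
    size_t ihl = (size_t)(buf[0] & 0x0F) * 4;             /* IP header length */
    if (ihl < IP_MIN_HLEN || ihl > buf_len) return PKT_BAD_IHL;
    size_t tot_len = ((size_t)buf[2] << 8) | buf[3];      /* IP total length */
    /* The unchecked case: tot_len below the headers makes "tot_len - headers"
     * wrap to a huge size; tot_len above buf_len reads past the buffer. */
    if (tot_len < ihl || tot_len > buf_len) return PKT_BAD_TOTLEN;
    if (tot_len - ihl < TCP_MIN_HLEN) return PKT_TRUNCATED;
    const uint8_t *tcp = buf + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;             /* TCP data offset */
    if (doff < TCP_MIN_HLEN || doff > tot_len - ihl) return PKT_BAD_TCP_OFF;
    *payload_len = tot_len - ihl - doff;
    return PKT_OK;
}

/* Constructed sample (not a capture): IPv4 with IHL 5, protocol TCP, a 20-byte
 * TCP header and 4 payload bytes, 44 bytes received. The IP total-length field
 * is set to `claimed` so that mismatches with the real size can be exercised. */
static size_t sample_packet(uint8_t out[44], uint16_t claimed)
{
    memset(out, 0, 44);
    out[0] = 0x45;                     /* version 4, IHL 5 */
    out[2] = (uint8_t)(claimed >> 8);
    out[3] = (uint8_t)(claimed & 0xFF);
    out[9] = 6;                        /* protocol = TCP */
    out[32] = 0x50;                    /* TCP data offset 5 */
    return 44;
}

/* Validated payload length of the sample, or the negated pkt_status on reject. */
long sample_payload_len(uint16_t claimed)
{
    uint8_t pkt[44];
    size_t n = sample_packet(pkt, claimed), pl = 0;
    pkt_status st = validate_ipv4_tcp(pkt, n, &pl);
    return st == PKT_OK ? (long)pl : -(long)st;
}
```

The same bound applies before an ICMP parser reads its payload length: whatever the header claims is only usable after it has been compared against what the driver actually delivered.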

Impact

The vulnerabilities allow a remote attacker to:

  • trigger a reboot of the device, thus creating a Denial-of-Service situation
  • hijack a TCP connection

Solution

  • PSSu-Module for decentralised E/A-System: see Mitigation
  • PSSu-Module for PSS 4000: upgrade firmware to 1.22.2 *
  • PNOZ m B1: see Mitigation **
  • PNOZ m ES ETH: see Mitigation **
  • PNOZ mmc1p ETH: see Mitigation
  • Base-Device PNOZ mxp ETH (PNOZmulti Classic): see Mitigation

* CVE-2020-35685 will not be addressed in this update because it has no effect on the security level of the services used and their protocols, MODBUS/TCP and RAW-TCP.
** These products cannot be updated in the field. They use a fixed firmware pre-installed by the manufacturer.

Mitigation

It is advised to use firewalls or similar network security devices to prevent unauthorized network communication to the affected products.

Reported by

This vulnerability was discovered and reported by Forescout Technologies, Inc.
We kindly appreciate the coordinated disclosure of this vulnerability by the finder.

PILZ thanks CERT@VDE for the coordination and support with this publication.