ID

VDE-2021-010

Published

2021-05-18 11:00 (CEST)

Last update

2021-07-07 11:03 (CEST)

Vendor(s)

ENDRESS+HAUSER

Product(s)

The Proline portfolio consists of flow meters with an optional WLAN interface in the display. The flow meters are only affected if the optional WLAN display is present.

Order Code                           Product Name                                        Affected Versions
8x3B, 8x5B                           Promass 300/500, with HART                          <= 01.01.02
                                     Promass 300/500, with EtherNet/IP or MODBUS         <= 01.00.02
                                     Promass 300/500, with PROFINET                      <= 01.00.01
                                     Promass 300/500, with Foundation Fieldbus or        <= 01.00.03
                                       Profibus PA
8X3BXX-, 8X5BXX-, 8A3CXX-, 8A5CXX    Spare transmitter                                   Depends on the communication protocol (see above)
XPD0031-***G00                       Spare display                                       <= 01.01.00
5x3B, 5x5B                           Promag 300/500, with HART                           <= 01.01.01
                                     Promag 300/500, with EtherNet/IP or MODBUS          <= 01.00.02
                                     Promag 300/500, with PROFINET                       <= 01.00.01
                                     Promag 300/500, with Foundation Fieldbus or         <= 01.00.03
                                       Profibus PA
5X3BXX-, 5X5BXX                      Spare transmitter                                   Depends on the communication protocol (see above)
XPD0031-***G00                       Spare display                                       <= 01.01.00
5x4C                                 Promag 400, with HART                               <= 02.00.01
5X4CXX-                              Spare transmitter                                   <= 02.00.01
XPD0017-2                            Spare display                                       <= 01.01.00

Summary

Endress+Hauser products utilizing WPA2 are vulnerable to KRACK (key reinstallation) attacks.

Vulnerabilities

Weakness: 7PK - Security Features (CWE-254)
Summary: Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the four-way handshake, allowing an attacker within radio range to replay, decrypt, ...

Weakness: 7PK - Security Features (CWE-254)
Summary: Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the four-way handshake, allowing an attacker within radio range to replay frames from access points ...

Weakness: 7PK - Security Features (CWE-254)
Summary: Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access ...
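The three weaknesses above share one root cause: a client that accepts a retransmitted handshake message installs the same Temporal Key again and, in doing so, resets the packet number that serves as the per-frame nonce, so the same key/nonce pair protects more than one frame. The following model is an added illustration for this advisory, not Endress+Hauser or Wi-Fi stack code; `Supplicant`, `install_ptk` and the frame counter are constructed stand-ins for the driver-level key install and CCMP packet number. It shows the pre-patch behaviour beside the fix that the vendor firmware update is meant to deliver: install a given key only once per handshake and keep the counter running across retransmissions.

```python
"""Simplified model of the WPA2 four-way-handshake key-install step (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Supplicant:
    """Minimal client-side state for the four-way handshake (not a real Wi-Fi stack)."""
    tk: Optional[bytes] = None                    # currently installed Temporal Key
    tx_pn: int = 0                                # packet number used as the per-frame nonce
    used_nonces: List[Tuple[bytes, int]] = field(default_factory=list)

    def install_ptk(self, tk: bytes) -> None:
        # Stand-in for the driver call that installs a key: in real stacks this
        # also reinitialises the transmit packet number, which is exactly why a
        # *re*installation of an already-installed key is dangerous.
        self.tk = tk
        self.tx_pn = 0

    def send_frame(self) -> Tuple[bytes, int]:
        """Protect one data frame and return the (key, nonce) pair that covered it."""
        self.tx_pn += 1
        pair = (self.tk, self.tx_pn)
        self.used_nonces.append(pair)
        return pair

    def nonce_reused(self) -> bool:
        """True if the same (key, packet number) pair protected two different frames."""
        return len(self.used_nonces) != len(set(self.used_nonces))


class VulnerableSupplicant(Supplicant):
    """Pre-patch behaviour: every (re)transmitted message 3 installs the key again."""

    def on_message3(self, tk: bytes) -> None:
        self.install_ptk(tk)


class PatchedSupplicant(Supplicant):
    """Fixed behaviour: a key is installed once; a retransmission carrying the
    same key is acknowledged but does not touch the installed key or counter."""

    def on_message3(self, tk: bytes) -> None:
        if self.tk == tk:
            return
        self.install_ptk(tk)


def run_handshake(client: Supplicant, tk: bytes, retransmit: bool) -> bool:
    """Complete message 3, send data, optionally deliver a delayed duplicate of
    message 3, send more data, and report whether any nonce was reused."""
    client.on_message3(tk)
    client.send_frame()
    client.send_frame()
    if retransmit:
        client.on_message3(tk)     # duplicate message 3 arriving after data flow began
    client.send_frame()
    client.send_frame()
    return client.nonce_reused()


if __name__ == "__main__":
    key = bytes(16)                # constructed placeholder TK, not a real key
    print("vulnerable, duplicate msg3 -> nonce reuse:", run_handshake(VulnerableSupplicant(), key, True))
    print("patched,    duplicate msg3 -> nonce reuse:", run_handshake(PatchedSupplicant(), key, True))
```

The same pattern applies to the GTK cases listed above: the group key must likewise be installed once per handshake, and a duplicate group-key message must not reset the replay counter. Detecting the reuse in the model is deliberately simple (a set of seen key/nonce pairs) because that is the property a reviewer of an embedded Wi-Fi stack wants to check after applying a vendor fix.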

Impact

Whether the device configuration can be modified through this weakness depends on the settings of the protocol used to communicate over WLAN (for example OPC UA or HTTP).

  • Access to the operator network via the device is not possible, because the device does not support bridging.
  • The WLAN passphrase cannot be read.
  • Via OPC UA: read/write data access is not possible if encryption is activated.
  • Via Webserver and CDI-RJ45: reading data is possible. Writing data is not possible if an individual password is used.

Solution

General Security Recommendations

As a general security measure, Endress+Hauser strongly recommends protecting access to the WLAN network with appropriate mechanisms. It is advised to configure the environment according to best practices so that the devices run in a protected IT environment. The following general recommendations apply to the affected products:

  • Activate encryption for OPC UA
  • For Webserver and CDI-RJ45: Change device default password to individual password
  • For WLAN: Change WLAN default password to individual WLAN password

Temporary Fix / Mitigation

If an immediate firmware update is not possible, the WLAN on the unit can also be switched off as a precautionary measure.

Remediation

Endress+Hauser provides updated firmware versions for all related products from the Proline portfolio that fix the vulnerability and recommends that customers update to the fixed version. For support, please contact your local service center.

Reported by

Mathy Vanhoef of imec-DistriNet, KU Leuven published this vulnerability on https://www.krackattacks.com

Coordinated by CERT@VDE