
ID

VDE-2021-048

Published

2021-10-04 14:33 (CEST)

Last update

2021-10-04 14:33 (CEST)

Vendor(s)

Lenze SE

Product(s)

Article No° | Product Name | Affected Version(s)
- | Command Station CS 5800-9800 | all versions
- | Control Cabinet PC 2800 | all versions
- | EL100 PLC | all versions
- | Embedded Line EL 1800-9800 | all versions
- | E94xSHxxx EtherNet Module E94AYCEN on slot MXI1 or MXI2 in 9400 servo inverters | <= V15.02.04
- | E94xMHxxx EtherNet Module E94AYCEN on slot MXI1 or MXI2 in 9400 servo inverters | <= V15.02.04

Summary

The affected products contain a CODESYS Control runtime system in version V2. They are therefore affected by the vulnerability described in CODESYS Advisory 2021-06. The runtime provides a communication server used by clients such as the CODESYS Development System.

The 9400 servo inverters are only affected if the communication path via the plugged-in EtherNet module E94AYCEN on slot MXI1 or MXI2 is used. If the module E94AYCEN is used, the following versions are affected.

Product Identification: E94xSHxxx (Single Drive, High Line)
Product Identification: E94xMHxxx (Multi Drive, High Line)

Remark: If the product identification of your 9400 product does not match the identifications listed above, please contact Lenze at Security.de@Lenze.com.

The versions P (power supply module) and R (regenerative power supply module) are not affected. Furthermore, the variant P (PLC) and the variant S (StateLine) are not affected. The communication paths via the diagnostic interface X6, the system bus (CAN) X1 or the field buses (other than the named Ethernet module) that can be plugged into the module slots MXI1 or MXI2 are not affected.

The focus is therefore on 9400 servo inverters with the product identification E94x{S/M}{H}... with a plugged-in Ethernet module E94AYCEN... in module slot MXI1 or MXI2 that communicate with the Engineer tools via exactly this channel.

In addition to the standard tool Engineer, there is also a special version of the PLC Designer (version 0.x). The communication path to the PLC Designer is not covered by the planned update, and the vulnerabilities on this path remain even after the update. Here the customer must provide a secure environment; see Mitigation.

Vulnerabilities

Last Update
28. September 2021 09:30
Weakness
Out-of-bounds Write (CWE-787)
Summary

CODESYS V2 runtime system SP before 2.4.7.55 has a Stack-based Buffer Overflow.

Last Update
28. September 2021 09:30
Weakness
Out-of-bounds Read (CWE-125)
Summary

CODESYS V2 runtime system before 2.4.7.55 has Improper Input Validation.

Last Update
28. September 2021 09:31
Weakness
Out-of-bounds Write (CWE-787)
Summary

CODESYS V2 runtime system SP before 2.4.7.55 has a Heap-based Buffer Overflow.

Impact

A crafted request may cause a heap-based buffer overflow, a stack-based buffer overflow or a buffer over-read in the affected products, resulting in a denial-of-service condition or potentially being used for remote code execution.

The crafted requests are only processed by the products if no online password is configured on the products or if the attacker has previously authenticated successfully to the affected products.

Solution

Mitigation

As part of a security strategy, Lenze SE recommends the following general defense measures to reduce the risk of exploits:

  • Only use the products in a protected and controlled environment to minimize network impact and to ensure that they are inaccessible from outside.
  • Use firewalls to protect the automation system network and to separate it from other networks.

Remark: One measure should be to block port 1200 at the firewall and open this port for authenticated access only.

  • Use Virtual Private Network (VPN) tunnels when remote access is required.
  • Use Intrusion Detection Systems (IDS) where possible to detect anomalies in the network.
  • Activate and use the user administration and password functions.
  • Use encrypted communication links.
  • Restrict access to the development tools, their projects and the products of the automation system by physical means, operating system functions, etc.
  • Protect the development tool by using the latest virus detection solutions.
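As an added example that is not part of this advisory, the following Python snippet applies the port 1200 allowlist and anomaly idea from the measures above to constructed connection records: it flags clients outside an engineering subnet that reach the CODESYS V2 communication port and unusually large requests from allowed clients. The record format, all addresses and the size threshold are assumptions.

```python
# Added example (not from the Lenze/CERT@VDE advisory): a minimal policy check over
# constructed connection records, in the spirit of the advisory's mitigations
# (restrict TCP port 1200 to known clients, use an IDS to spot anomalies).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CODESYS_V2_PORT = 1200  # port named in the advisory's firewall remark
# Assumed engineering workstation subnet permitted to reach the runtime.
ALLOWED_CLIENTS = [ip_network("10.10.5.0/24")]
# Assumed addresses of affected devices (e.g. 9400 with E94AYCEN, EL/CS/PC units).
PLC_HOSTS = {ip_address("192.0.2.10"), ip_address("192.0.2.11")}
# Assumed threshold: the advisory describes crafted requests causing overflows,
# so an unusually large request to the communication server is treated as an anomaly.
MAX_REQUEST_BYTES = 4096


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    bytes_to_server: int


def audit_flows(flows):
    """Return (reason, flow) pairs for connections that violate the policy."""
    findings = []
    for f in flows:
        if f.proto != "tcp" or f.dport != CODESYS_V2_PORT:
            continue  # only the CODESYS V2 port on the PLCs is in scope
        if ip_address(f.dst) not in PLC_HOSTS:
            continue
        src = ip_address(f.src)
        if not any(src in net for net in ALLOWED_CLIENTS):
            findings.append(("unauthorised client reached port 1200", f))
        elif f.bytes_to_server > MAX_REQUEST_BYTES:
            findings.append(("oversized request from allowed client", f))
    return findings


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.10.5.23", "192.0.2.10", 1200, "tcp", 612),    # engineer, normal
    Flow("10.10.5.23", "192.0.2.10", 1200, "tcp", 65000),  # engineer, oversized
    Flow("172.16.40.7", "192.0.2.11", 1200, "tcp", 900),   # not on the allowlist
    Flow("172.16.40.7", "192.0.2.11", 502, "tcp", 100),    # other port, ignored
]

if __name__ == "__main__":
    for reason, f in audit_flows(SAMPLE_FLOWS):
        print(f"{reason}: {f.src} -> {f.dst}:{f.dport} ({f.bytes_to_server} bytes)")
```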

Solution / Updates

The affected products

  • Embedded Line EL 1800-9800
  • Command Station CS 5800-9800
  • Control Cabinet PC 2800
  • EL100 PLC

are at end of life and are no longer available. Further development or adaptation of these products is no longer planned and, because of the discontinuation process, no longer possible.

The affected product

  • 9400 servo inverters

in the configuration described above will be revised in the next product release. An update is planned for Q2 2022.

Reported by

Reported by Yossi Reuven of SCADAfence, Anton Dorfman, Denis Goryushev and Sergey Fedonin of Positive Technologies.

Coordinated by CERT@VDE

Lenze SE thanks the reporters for following coordinated disclosure. This helps us to improve our products and to protect customers and users.