
ID

VDE-2021-059

Published

2022-01-11 08:00 (CET)

Last update

2022-01-11 08:05 (CET)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

| Article No. | Product Name | Affected Version(s) |
|---|---|---|
| 5147999 | BLUEMARK CLED | all versions |
| 5147888 | BLUEMARK LED | all versions |
| 5147777 | BLUEMARK X1 | all versions |

Summary

The TCP/IP stack of the networking component (Nucleus NET) in the Nucleus Real-Time Operating System (RTOS) contains several vulnerabilities. Nucleus NET is used by BLUEMARK X1 / LED / CLED.

The above-mentioned BLUEMARK printers are discontinued and are impacted by only a subset of 8 of the 13 discovered vulnerabilities.

Vulnerabilities



Weakness
Improper Null Termination (CWE-170)
Summary

The DHCP client application assumes that the data supplied with the “Hostname” DHCP option is
NULL terminated. In cases where the global hostname variable is not defined, this may lead to Out-of-bound ...

Source
cert-portal.siemens.com 
Weakness
Improper Validation of Specified Quantity in Input (CWE-1284)
Summary

The total length of an ICMP payload (set in the IP header) is unchecked. This may lead to various
side effects, including Information Leak and Denial-of-Service conditions, depending on the network
buffer ...

Source
cert-portal.siemens.com 
Weakness
Integer Underflow (Wrap or Wraparound) (CWE-191)
Summary

Malformed TCP packets with a corrupted SACK option lead to Information Leaks and Denial-of-Service conditions.

Source
cert-portal.siemens.com 
Weakness
Improper Handling of Inconsistent Structural Elements (CWE-240)
Summary

The total length of a TCP payload (set in the IP header) is unchecked. This may lead to various side
effects, including Information Leak and Denial-of-Service conditions, depending on the network ...

Source
cert-portal.siemens.com 
Weakness
Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
Summary

When processing a DHCP ACK message, the DHCP client application does not validate the length of
the Vendor option(s), leading to Denial-of-Service conditions.

Source
cert-portal.siemens.com 
Weakness
Out-of-bounds Read (CWE-125)
Summary

When processing a DHCP OFFER message, the DHCP client application does not validate the length
of the Vendor option(s), leading to Denial-of-Service conditions.

Source
cert-portal.siemens.com 
Weakness
Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
Summary

The DHCP client application does not validate the length of the Domain Name Server IP option(s)
(0x06) when processing DHCP ACK packets. This may lead to Denial-of-Service conditions. 

Source
cert-portal.siemens.com 
Weakness
Access of Resource Using Incompatible Type (‘Type Confusion’) (CWE-843)
Summary

A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) ...

Source
cert-portal.siemens.com 
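
The DHCP client entries above each involve an option length or terminator that is not validated. The following is an added example (not Siemens or Phoenix Contact code) of a bounds-checked walk over the DHCP options field; the function name, error codes, 64-byte hostname limit, the requirement for an End option and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { OPT_PAD = 0, OPT_DNS = 6, OPT_HOSTNAME = 12, OPT_END = 255 };
enum { DHCP_OK = 0, DHCP_TRUNCATED = -1, DHCP_BAD_LEN = -2, DHCP_NO_END = -3 };
#define HOSTNAME_MAX 64 /* assumed local buffer size */

/* Constructed samples: options field only (bytes after the magic cookie). */
const uint8_t SAMPLE_OK[] = { 12, 3, 'l', 'a', 'b', 6, 4, 192, 0, 2, 53, 255 };
const uint8_t SAMPLE_OVERLONG[] = { 6, 200, 192, 0, 2, 53, 255 }; /* claims 200 bytes */
const uint8_t SAMPLE_DNS_ODD[] = { 6, 3, 192, 0, 2, 255 };  /* not a multiple of 4 */

/* Walk code/length/value options without reading past `len`.
 * Copies the hostname into `host` (always NUL terminated) and stores
 * the number of DNS server addresses in *dns_count. */
int dhcp_parse_options(const uint8_t *opts, size_t len,
                       char host[HOSTNAME_MAX], size_t *dns_count)
{
    size_t i = 0;
    host[0] = '\0';
    *dns_count = 0;
    while (i < len) {
        uint8_t code = opts[i++];
        if (code == OPT_PAD) continue;              /* single byte, no length */
        if (code == OPT_END) return DHCP_OK;
        if (i >= len) return DHCP_TRUNCATED;        /* length byte missing */
        size_t olen = opts[i++];
        if (olen > len - i) return DHCP_TRUNCATED;  /* value runs past buffer */
        if (code == OPT_DNS) {                      /* list of IPv4 addresses */
            if (olen == 0 || olen % 4 != 0) return DHCP_BAD_LEN;
            *dns_count = olen / 4;
        } else if (code == OPT_HOSTNAME) {          /* wire data has no terminator */
            if (olen == 0 || olen >= HOSTNAME_MAX) return DHCP_BAD_LEN;
            memcpy(host, opts + i, olen);
            host[olen] = '\0';
        }
        i += olen;                                  /* other options: skip by length */
    }
    return DHCP_NO_END;
}

int main(void)
{
    char host[HOSTNAME_MAX];
    size_t n;
    printf("ok=%d ", dhcp_parse_options(SAMPLE_OK, sizeof SAMPLE_OK, host, &n));
    printf("overlong=%d ", dhcp_parse_options(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG, host, &n));
    printf("odd=%d\n", dhcp_parse_options(SAMPLE_DNS_ODD, sizeof SAMPLE_DNS_ODD, host, &n));
    return 0;
}
```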

Impact

BLUEMARK X1 / LED / CLED printers that are only operated via USB interface are not affected.

The known security vulnerabilities and their possible effects are described for the case in which the BLUEMARK X1 / LED / CLED is operated via network. The effects can only occur if this condition exists. Please refer to the mitigation section for additional protective measures.

Solution

Mitigation

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note: Measures to protect network-capable devices with Ethernet connection

Reported by

This vulnerability was discovered and reported to Siemens by Yuval Halaban, Uriel Malin, and Tal Zohar from Medigate and Daniel dos Santos, Amine Amri, and Stanislav Dashevskyi from Forescout Technologies.

We kindly appreciate the coordinated disclosure of this vulnerability by the finder.

CERT@VDE coordinated with PHOENIX CONTACT.