Share: Email | Twitter

ID

VDE-2022-020

Published

2022-07-06 09:00 (CEST)

Last update

2022-07-06 09:23 (CEST)

Vendor(s)

Festo SE & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
4407603 Controller CECC-X-M1 <= 3.8.14
8124922 Controller CECC-X-M1 = 4.0.14
4407605 Controller CECC-X-M1-MV <= 3.8.14
8124923 Controller CECC-X-M1-MV = 4.0.14
4407606 Controller CECC-X-M1-MV-S1 <= 3.8.14
8124924 Controller CECC-X-M1-MV-S1 = 4.0.14
8082793 Controller CECC-X-M1-YS-L1 <= 3.8.14
8082794 Controller CECC-X-M1-YS-L2 <= 3.8.14
4803891 Controller CECC-X-M1-Y-YJKP <= 3.8.14
8077950 Servo Press Kit YJKP <= 3.8.14
8058596 Servo Press Kit YJKP- <= 3.8.14

Summary

The Festo controller CECC-X-M1 product family in multiple versions are affected by a preauthentication command injection vulnerability.

Update A, 2022-07-05

Remediation has been updated. Fixed firmwares are now available.

Vulnerabilities



Weakness
OS Command Injection (CWE-78)
Summary

In Festo Controller CECC-X-M1 product family, the http-endpoint "cecc-x-refresh-request" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to ...

Weakness
OS Command Injection (CWE-78)
Summary

In Festo Controller CECC-X-M1 product family, the http-endpoint "cecc-x-acknerr-request" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to ...

Weakness
OS Command Injection (CWE-78)
Summary

In Festo Controller CECC-X-M1 product family, the http-endpoint "cecc-x-web-viewer-request-off" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to ...

Weakness
OS Command Injection (CWE-78)
Summary

In Festo Controller CECC-X-M1 product family, the http-endpoint "cecc-x-web-viewer-request-on" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to ...

Impact

Any person who is able to gain access to the webserver would be able to run arbitrary system commands on the device with root privileges.

Solution

General recommendation

Currently, Festo has not identified any specific workarounds for this vulnerability. As part of a security strategy, Festo recommends the following general defense measures to reduce the risk of exploits:

  • Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
  • Use firewalls to protect and separate the control system network from other networks
  • Use VPN (Virtual Private Networks) tunnels if remote access is required
  • Activate and apply user management and password features
  • Use encrypted communication links
  • Limit the access to both development and control system by physical means, operating system features, etc.
  • Protect both development and control system by using up to date virus detecting solutions

Festo strongly recommends to minimize and protect network access to connected devices with state of the art techniques and processes. For a secure operation follow the recommendations in the product manuals.

Remediation

Please update to firmware versions as described below:

Product Product Details Fixed in version
Controller CECC-X-M1 Festo:Partnumber:4407603
Festo:Ordercode:CECC-X-M1
>= 3.8.18
Controller CECC-X-M1 Festo:Partnumber:8124922
Festo:Ordercode:CECC-X-M1
>= 4.0.18
Controller CECC-X-M1-MV Festo:Partnumber:4407605
Festo:Ordercode:CECC-X-M1-
MV
>= 3.8.18
Controller CECC-X-M1-MV Festo:Partnumber:8124923
Festo:Ordercode:CECC-X-M1-
MV
>= 4.0.18
Controller CECC-X-M1-MVS1 Festo:Partnumber:4407606
Festo:Ordercode:CECC-X-M1-
MV-S1
>= 3.8.18
Controller CECC-X-M1-MVS1 Festo:Partnumber:8124924
Festo:Ordercode:CECC-X-M1-
MV-S1
>= 4.0.18
Controller CECC-X-M1-YYJKP Festo:Partnumber:4803891
Festo:Ordercode:CECC-X-M1-YYJKP
>= 3.8.18
Controller CECC-X-M1-YSL1 Festo:Partnumber:8082793
Festo:Ordercode:CECC-X-M1-
YS-L1
>= 3.8.18
Controller CECC-X-M1-YSL2 Festo:Partnumber:8082794
Festo:Ordercode:CECC-X-M1-
YS-L2
>= 3.8.18
Servo Press Kit YJKP Festo:Partnumber:8077950
Festo:Ordercode:YJKP
>= 3.8.18
Servo Press Kit YJKP- Festo:Partnumber:8058596
Festo:Ordercode:YJKP
>= 3.8.18

Reported by

Festo SE & Co. KG thanks the following parties for their efforts:

  • CERT@VDE for coordination and support with this publication
  • Q. Kaiser, M. Illes from ONEKEY Research Labs for reporting to Festo