Share: Email | Twitter

ID

VDE-2020-053

Published

2021-03-08 14:44 (CET)

Last update

2021-03-08 14:44 (CET)

Vendor(s)

Pepperl+Fuchs SE

Product(s)

Article No° Product Name Affected Version(s)
ICRL-M-16RJ45/4CP-G-DIN <= 1.3.1
ICRL-M-8RJ45/4SFP-G-DIN <= 1.3.1

Summary

Several critical vulnerabilities within firmware.

Vulnerabilities



Last Update
Oct. 8, 2020, 8:13 a.m.
Weakness
Hidden Functionality (CWE-912)
Summary
Active TFTP-Service
Last Update
Oct. 8, 2020, 8:12 a.m.
Weakness
Cross-Site Request Forgery (CSRF) (CWE-352)
Summary

Unauthenticated Device Administration

Last Update
Oct. 8, 2020, 8:13 a.m.
Weakness
Improper Input Validation (CWE-20)
Summary

Multiple Authenticated Command Injections

Impact

Pepperl+Fuchs analyzed and identified affected devices.
Remote attackers may exploit multiple vulnerabilities to get access to the device and execute any program and tap information.

Solution

For vulnerability CVE-2020-12502 “Cross-Site Request Forgery (CSRF)”, CVE-2020- 12503 “Multiple Authenticated Command Injections” and CVE-2020-12504 “Active TFTP- Service”

  1. Update following products to the respective Firmware Version:
    Product ID Firmware Version
    ICRL-M-8RJ45/4SFP-G-DIN 1.4.0
    ICRL-M-16RJ45/4CP-G-DIN
  2. Deactivate TFTP-Service

Reported by

T. Weber (SEC Consult Vulnerability Lab) https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

Coordinated by CERT@VDE