PEPPERL+FUCHS: Multiple vulnerabilities in ICE1 Ethernet IO Modules

VDE-2021-018 (2021-05-12 08:28 UTC+0200)

CVE Identifier

CVE-2021-20987

Affected Vendors

PEPPERL+FUCHS

Affected Products

Item No.   Title                     FW Version   Affected by
295311     ICE1-16DI-G60L-V1D        <=F10017     all
308627     ICE1-16DIO-G60L-C1-V1D
308626     ICE1-16DIO-G60L-V1D
295314     ICE1-8DI8DO-G60L-C1-V1D
295312     ICE1-8DI8DO-G60L-V1D
70101643   ICE1-8IOL-G30L-V1D
295313     ICE1-8IOL-G60L-V1D
70103603   ICE1-8IOL-S2-G60L-V1D                  CVE-2019-18222, CVE-2021-20988, CVE-2021-20987

Summary

Critical vulnerabilities have been discovered in the utilized components rcX, mbedTLS, PROFINET IO Device and EtherNet/IP Core by Hilscher Gesellschaft für Systemautomation mbH.
On the affected device, the vulnerabilities can result in:

  • Denial of Service (DoS)
  • Remote Code Execution (RCE)
  • Code Exposure

Vulnerabilities

CVE-2021-20987 - EtherNet/IP stack crash for specific CIP service
Hilscher: 2019-08-08
CWE: 787 - Out-of-bounds Write
CVSS: 8.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Description: A denial of service and memory corruption vulnerability could exist in Hilscher's EtherNet/IP Core V2 that could allow arbitrary code to be injected through the network or make the EtherNet/IP device crash without recovery. (EIP Adapter)

CVE-2021-20988 - Wrong handling of the UDP checksum
Hilscher: 2019-04-10
CWE: 119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSS: 8.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
Description: The actual UDP packet length is not verified against the length indicated by the packet (IP-Header). (rcX)
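
A length-consistency check of the kind the CVE-2021-20988 description says is missing, as an added example (not code from Hilscher, Pepperl+Fuchs or this advisory). All function and enum names are hypothetical, the input is assumed to be a raw IPv4 datagram without a link-layer header, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes; all names in this example are hypothetical. */
enum udp_check { UDP_OK, UDP_MALFORMED_IP, UDP_NOT_UDP, UDP_FRAGMENT, UDP_LEN_MISMATCH };

static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Validate a raw IPv4 datagram (`cap` bytes actually received) before the
 * UDP checksum or payload is touched. */
enum udp_check udp_validate(const uint8_t *pkt, size_t cap, size_t *payload_len)
{
    if (cap < 20 || (pkt[0] >> 4) != 4) return UDP_MALFORMED_IP;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;        /* IP header length in bytes */
    size_t ip_total = be16(pkt + 2);                 /* length claimed by the IP header */
    if (ihl < 20 || ip_total < ihl || ip_total > cap) return UDP_MALFORMED_IP;
    if (pkt[9] != 17) return UDP_NOT_UDP;            /* protocol 17 = UDP */
    /* MF flag or non-zero offset: lengths are only comparable after reassembly. */
    if (be16(pkt + 6) & 0x3FFF) return UDP_FRAGMENT;
    if (ip_total - ihl < 8) return UDP_LEN_MISMATCH; /* no room for a UDP header */
    size_t udp_len = be16(pkt + ihl + 4);            /* length claimed by the UDP header */
    /* The UDP length must cover its own header and fit inside the IP payload. */
    if (udp_len < 8 || udp_len > ip_total - ihl) return UDP_LEN_MISMATCH;
    *payload_len = udp_len - 8;
    return UDP_OK;
}

/* Constructed sample: 20-byte IPv4 header + 8-byte UDP header + 4 data bytes.
 * `udp_len` is written into the UDP length field to model an inconsistent packet. */
enum udp_check check_sample(size_t udp_len, size_t *payload_len)
{
    uint8_t pkt[32] = { 0x45, 0, 0, 32, 0, 0, 0, 0, 64, 17, 0, 0,
                        192, 0, 2, 1, 192, 0, 2, 2,  /* documentation addresses */
                        0x30, 0x39, 0x30, 0x3A, 0, 0, 0, 0, 'd', 'a', 't', 'a' };
    pkt[24] = (uint8_t)(udp_len >> 8);
    pkt[25] = (uint8_t)udp_len;
    return udp_validate(pkt, sizeof pkt, payload_len);
}

int main(void)
{
    size_t n = 0;
    printf("UDP length 12   -> %d\n", (int)check_sample(12, &n));
    printf("UDP length 1400 -> %d\n", (int)check_sample(1400, &n));
    return 0;
}
```

A UDP length smaller than the IP payload is accepted here as trailing padding; a stricter receiver can require the two to be equal.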

CVE-2021-20986 - Denial of Service vulnerability in PROFINET IO Device
Hilscher: 2020-012-03
CWE: 787 - Out-of-bounds Write
CVSS: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Description: When handling Read Implicit Request services, depending on the content of the request, the Hilscher PROFINET IO Device V3 protocol stack does not properly limit available resources. This may lead to shortage of resources which in the end may lead to a Denial Of Service. (PN device)

CVE-2019-18222 - Side channel vulnerability of ECDSA key generation
Hilscher: 2020-04-28
CWE: 200 - Exposure of Sensitive Information to an Unauthorized Actor
CVSS: 4.7 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
Description: The current implementation of ECC key generation allows an attacker to recover the private key. (mbedTLS)

Impact

Pepperl+Fuchs analyzed and identified affected devices.
Remote attackers may exploit the vulnerabilities by sending specially crafted packets, which may result in a denial-of-service condition or code execution.

Solution

An external protective measure is required.

  • Minimize network exposure for affected products and ensure that they are not accessible via the Internet.
  • Isolate affected products from the corporate network.
  • If remote access is required, use secure methods such as virtual private networks (VPNs).

Reported by

Hilscher Gesellschaft für Systemautomation mbH
Coordinated by CERT@VDE