
ID

VDE-2020-038

Published

2021-01-04 14:01 (CET)

Last update

2021-01-04 14:01 (CET)

Vendor(s)

Pepperl+Fuchs SE

Product(s)

Article No. Product Name Affected Version(s)
IO-Link Master 4-EIP <= v1.5.48
IO-Link Master 4-PNIO <= v1.5.48
IO-Link Master 8-EIP <= v1.5.48
IO-Link Master 8-EIP-L <= v1.5.48
IO-Link Master 8-PNIO <= v1.5.48
IO-Link Master 8-PNIO-L <= v1.5.48
IO-Link Master DR-8-EIP <= v1.5.48
IO-Link Master DR-8-EIP-P <= v1.5.48
IO-Link Master DR-8-EIP-T <= v1.5.48
IO-Link Master DR-8-PNIO <= v1.5.48
IO-Link Master DR-8-PNIO-P <= v1.5.48
IO-Link Master DR-8-PNIO-T <= v1.5.48

Summary

Several vulnerabilities exist within firmware versions up to and including v1.5.48.

Vulnerabilities



Last Update
March 4, 2021, 8:39 a.m.
Weakness
Cross-Site Request Forgery (CSRF) (CWE-352)
Summary

Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a Cross-Site Request Forgery (CSRF) in the web interface.

Last Update
March 4, 2021, 8:40 a.m.
Weakness
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Summary

Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.

Last Update
March 4, 2021, 9:21 a.m.
Weakness
Out-of-bounds Read (CWE-125)
Summary

An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes.

Last Update
March 4, 2021, 9:21 a.m.
Weakness
Key Management Errors (CWE-320)
Summary

During key agreement in a TLS handshake using a DH(E)-based ciphersuite, a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime, resulting in a hang until the client has finished. This could be exploited in a Denial of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).

Last Update
March 4, 2021, 8:39 a.m.
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting.

Last Update
March 4, 2021, 9:21 a.m.
Weakness
NULL Pointer Dereference (CWE-476)
Summary

Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd.
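
The BusyBox udhcp entry above concerns reading a 4-byte DHCP option without confirming that the option really carries 4 bytes. The following is an added illustration of that length check, not BusyBox or Pepperl+Fuchs code; the helper names and the sample option fields are constructed for this example, and the parser is simplified (no option overload handling).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OPT_PAD 0
#define OPT_END 255
#define OPT_LEASE_TIME 51 /* RFC 2132: value is exactly 4 bytes */

/* Constructed sample option fields (not captured traffic). */
static const uint8_t SAMPLE_GOOD[]  = {53, 1, 5, 51, 4, 0, 0, 0x0e, 0x10, 255};
static const uint8_t SAMPLE_SHORT[] = {53, 1, 5, 51, 1, 0x10, 255};
static const uint8_t SAMPLE_TRUNC[] = {53, 1, 5, 51, 4, 0, 0};

/* Hypothetical helper: locate option `code` in the `len`-byte options field.
 * Returns the value pointer and its length, or NULL if absent or malformed. */
static const uint8_t *find_option(const uint8_t *buf, size_t len,
                                  uint8_t code, uint8_t *out_len) {
    size_t i = 0;
    while (i < len && buf[i] != OPT_END) {
        if (buf[i] == OPT_PAD) { i++; continue; }
        if (len - i < 2) return NULL;                  /* length byte missing */
        uint8_t optlen = buf[i + 1];
        if ((size_t)optlen > len - i - 2) return NULL; /* value overruns buffer */
        if (buf[i] == code) { *out_len = optlen; return buf + i + 2; }
        i += 2 + (size_t)optlen;
    }
    return NULL;
}

/* Lease time in seconds, or -1 when the option is absent or not 4 bytes. */
long long lease_seconds(const uint8_t *buf, size_t len) {
    uint8_t optlen;
    const uint8_t *v = find_option(buf, len, OPT_LEASE_TIME, &optlen);
    /* Reject before decoding: never read 4 bytes from a shorter value. */
    if (v == NULL || optlen != 4) return -1;
    return ((long long)v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
}

int main(void) {
    printf("good:  %lld\n", lease_seconds(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("short: %lld\n", lease_seconds(SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    printf("trunc: %lld\n", lease_seconds(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    return 0;
}
```

Without the `optlen != 4` test, the 1-byte option in `SAMPLE_SHORT` would be decoded using three bytes that belong to whatever follows it in memory.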

Impact

Pepperl+Fuchs analyzed and identified affected devices.
Remote attackers may exploit multiple vulnerabilities to gain access to the device,
execute any program and tap information.

Solution

In order to prevent the exploitation of the reported vulnerabilities, we recommend that the
affected units be updated with the following three firmware packages:

  • U-Boot bootloader version 1.36 or newer
  • System image version 1.52 or newer
  • Application base version 1.6.11 or newer

Furthermore, it is always recommended to observe the following measures if the affected
products are connected to public networks:

  1. Put an external protective measure in place.
    Traffic from untrusted networks to the device should be blocked by a firewall,
    especially traffic targeting the administration webpage.
  2. Enable device user accounts with secure passwords.
    If non-trusted people or applications have access to the network that the device is connected to, configuring passwords for all three user accounts is recommended.

Reported by

T. Weber (SEC Consult Vulnerability Lab) reported this vulnerability.

CERT@VDE coordinated and provided the CVE IDs.