Share: Email | Twitter

ID

VDE-2021-009

Published

2021-09-20 13:56 (CEST)

Last update

2021-09-20 13:56 (CEST)

Vendor(s)

Pilz GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
773103 Base-Device PNOZ mxp ETH (PNOZmulti Classic) all versions
773104* Base-Device PNOZ mxp ETH (PNOZmulti Classic) all versions
773113 Base-Device PNOZ mxp ETH (PNOZmulti Classic) all versions
773116 Base-Device PNOZ mxp ETH (PNOZmulti Classic) all versions
773123 Base-Device PNOZ mxp ETH (PNOZmulti Classic) all versions
7731260 Base-Device PNOZ mxp ETH (PNOZmulti Classic) all versions
316020 PNOZ m B1 < v1.8
316020 PNOZ m ES ETH < v1.2
316020 PNOZ mmc1p ETH all versions
312041 PSSu-Module for decentralised E/A-System all versions
312042 PSSu-Module for decentralised E/A-System all versions
312043 PSSu-Module for decentralised E/A-System all versions
31206* PSSu-Module for PSS 4000 < 1.22.2
312070* PSSu-Module for PSS 4000 < 1.22.2
312071* PSSu-Module for PSS 4000 < 1.22.2
312077 PSSu-Module for PSS 4000 < 1.22.2
312085* PSSu-Module for PSS 4000 < 1.22.2
312087 PSSu-Module for PSS 4000 < 1.22.2
31407* PSSu-Module for PSS 4000 < 1.22.2
314085 PSSu-Module for PSS 4000 < 1.22.2
314086 PSSu-Module for PSS 4000 < 1.22.2
314087 PSSu-Module for PSS 4000 < 1.22.2
315070* PSSu-Module for PSS 4000 < 1.22.2
315071* PSSu-Module for PSS 4000 < 1.22.2
315085 PSSu-Module for PSS 4000 < 1.22.2
315086 PSSu-Module for PSS 4000 < 1.22.2
316010 PSSu-Module for PSS 4000 < 1.22.2
316020 PSSu-Module for PSS 4000 < 1.22.2

Summary

Multiple products of PILZ utilise a third-party TCP/IP implementation - the "Niche Ethernet Stack". This TCP/IP stack contains multiple vulnerabilities which are therefore affecting the products listed above.

Vulnerabilities



Last Update
Sept. 7, 2021, 12:10 p.m.
Weakness
Use of Insufficiently Random Values (CWE-330)
Summary

An issue was discovered in HCC Nichestack 3.0. The code that generates Initial Sequence Numbers (ISNs) for TCP connections derives the ISN from an insufficiently random source. As a result, an attacker may be able to determine the ISN of current and future TCP connections and either hijack existing ones or spoof future ones. (Proper ISN generation should aim to follow at least the specifications outlined in RFC 6528.)

Last Update
Sept. 7, 2021, 12:09 p.m.
Weakness
Improper Input Validation (CWE-20)
Summary

An issue was discovered in tcp_rcv() in nptcp.c in HCC embedded InterNiche 4.0.1. The TCP header processing code doesn't sanitize the value of the IP total length field (header length + data length). With a crafted IP packet, an integer overflow occurs whenever the value of the IP data length is calculated by subtracting the length of the header from the total length of the IP packet.

Last Update
Sept. 7, 2021, 12:09 p.m.
Weakness
Loop with Unreachable Exit Condition ('Infinite Loop') (CWE-835)
Summary

An issue was discovered in tcp_pulloutofband() in tcp_in.c in HCC embedded InterNiche 4.0.1. The TCP out-of-band urgent-data processing function invokes a panic function if the pointer to the end of the out-of-band data points outside of the TCP segment's data. If the panic function hadn't a trap invocation removed, it will enter an infinite loop and therefore cause DoS (continuous loop or a device reset).

Last Update
Sept. 7, 2021, 12:10 p.m.
Weakness
Improper Input Validation (CWE-20)
Summary

An issue was discovered in HCC Nichestack 3.0. The code that parses TCP packets relies on an unchecked value of the IP payload size (extracted from the IP header) to compute the length of the TCP payload within the TCP checksum computation function. When the IP payload size is set to be smaller than the size of the IP header, the TCP checksum computation function may read out of bounds (a low-impact write-out-of-bounds is also possible).

Last Update
Sept. 7, 2021, 12:10 p.m.
Weakness
Improper Input Validation (CWE-20)
Summary

An issue was discovered in HCC Nichestack 3.0. The code that parses ICMP packets relies on an unchecked value of the IP payload size (extracted from the IP header) to compute the ICMP checksum. When the IP payload size is set to be smaller than the size of the IP header, the ICMP checksum computation function may read out of bounds, causing a Denial-of-Service.

Impact

The vulnerabilities allow a remote attacker to:

  • trigger a reboot of the device and thus creating a Denial-of-Service situation
  • hijack a TCP connection
Product Affected by
PSSu-Module for decentralised E/A-System

CVE-2020-35683, CVE-2020-35684, CVE-2020-35685,
CVE-2021-31400, CVE-2021-31401

PSSu-Module for PSS 4000 CVE-2020-35683, CVE-2020-35684CVE-2020-35685
CVE-2021-31400CVE-2021-31401
PNOZ m B1 CVE-2020-35683CVE-2020-35684CVE-2020-35685
PNOZ m ES ETH CVE-2020-35683CVE-2020-35684CVE-2020-35685
PNOZ mmc1p ETH CVE-2020-35683CVE-2020-35684CVE-2020-35685
Base-Device PNOZ mxp ETH
(PNOZmulti Classic)
CVE-2020-35683CVE-2020-35684CVE-2020-35685

Solution

Product
PSSu-Module for decentralised E/A-System see Mitigation
PSSu-Module for PSS 4000 upgrade firmware to 1.22.2 *
PNOZ m B1 see Mitigation **
PNOZ m ES ETH see Mitigation **
PNOZ mmc1p ETH see Mitigation
Base-Device PNOZ mxp ETH
(PNOZmulti Classic)
see Mitigation

* CVE-2020-35685 will not be addressed in this update b/c it has no affect on the security level of the used services and their protocols MODBUS/TCP and RAW-TCP. 
** These products are not updateable in the field. They use a fixed firmware pre-installed by the manufacturer.

Mitigation

It is adviced to use firewalls or similar network security devices to prevent unauthorized network communication to the products affected.

Reported by

This vulnerability was discovered and reported by Forescout Technologies, Inc.
We kindly appreciate the coordinated disclosure of this vulnerability by the finder.

PILZ thanks CERT@VDE for the coordination and support with this publication.