Share: Email | Twitter

ID

VDE-2021-027

Published

2021-08-16 14:00 (CEST)

Last update

2021-09-08 09:33 (CEST)

Vendor(s)

PEPPERL+FUCHS

Product(s)

Item No. Item
217229 WHA-GW-F2D2-0-AS- Z2-ETH
252863 WHA-GW-F2D2-0-AS- Z2-ETH.EIP

Firmware Version Affected by
3.0.7 CVE-2020-11023, CVE-2020-11022, CVE-2020-7656, CVE-2019-11358, CVE-2016-10707, CVE-2015-9251, CVE-2014-6071, CVE-2012-6708, CVE-2011-4969, CVE-2007-2379, CVE-2021-33555, CVE-2021-34559, CVE-2021-34560, CVE-2021-34561, CVE-2021-34565
3.0.8 CVE-2020-11023, CVE-2020-11022, CVE-2020-7656, CVE-2019-11358, CVE-2016-10707, CVE-2015-9251, CVE-2014-6071, CVE-2012-6708, CVE-2011-4969, CVE-2007-2379, CVE-2021-34559, CVE-2021-34560, CVE-2021-34561, CVE-2021-34562, CVE-2021-34563, CVE-2021-34565
3.0.9 CVE-2021-34560, CVE-2021-34563, CVE-2021-34564, CVE-2013-0169, CVE-2021-34565

Summary

Critical vulnerabilities have been discovered in the product and in the utilized components jQuery by jQuery Team and TLS Version 1.0/1.1.

The impact of the vulnerabilities on the affected device may result in

  • denial of service
  • remote code execution
  • code exposure

Vulnerabilities



CVE-2021-34565
9.8
Severity
9.8 (CVSS:3.1:AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Weakness
Use of Hard-coded Credentials (CWE-798)
Summary
In PEPPERL+FUCHS WirelessHART-Gateway 3.0.7 to 3.0.9 the SSH and telnet services are active with hard-coded credentials.
Source
cert.vde.com 
CVE-2021-33555
7.5
Severity
7.5 (CVSS:3.1:AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Weakness
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Summary
In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.7 the filename parameter is vulnerable to unauthenticated path traversal attacks, enabling read access to arbitrary files on the server.
Source
cert.vde.com 
CVE-2016-10707
7.5
Severity
7.5 (CVSS:3.0:AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Weakness
Uncontrolled Resource Consumption (CWE-400)
Summary

jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names. Any attribute getter using a mixed-cased name for boolean attributes goes into ...

Source
nvd.nist.gov 
CVE-2021-34561
7.5
Severity
7.5 (CVSS:3.1:AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Weakness
Reliance on Reverse DNS Resolution for a Security-Critical Action (CWE-350)
Summary
In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.8 serious issue exists, if the application is not externally accessible or uses IP-based access restrictions. Attackers can use DNS Rebinding to bypass any IP or ...
Source
cert.vde.com 
CVE-2019-11358
6.1
Severity
6.1 (CVSS:3.1:AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, ...

Source
nvd.nist.gov 
CVE-2015-9251
6.1
Severity
6.1 (CVSS:3.0:AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Source
nvd.nist.gov 
CVE-2014-6071
6.1
Severity
6.1 (CVSS:3.0:AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after.

Source
nvd.nist.gov 
CVE-2012-6708
6.1
Severity
6.1 (CVSS:3.0:AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the ...

Source
nvd.nist.gov 
CVE-2020-11023
6.1
Severity
6.1 (CVSS:3.1:AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containingelements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation ...

Source
nvd.nist.gov 
CVE-2020-11022
6.1
Severity
6.1 (CVSS:3.1:AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods ...

Source
nvd.nist.gov 
CVE-2020-7656
6.1
Severity
6.1 (CVSS:3.1:AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "

//
Source
nvd.nist.gov 
CVE-2021-34564
5.5
Severity
5.5 (CVSS:3.1:AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
Weakness
Cleartext Storage of Sensitive Information in a Cookie (CWE-315)
Summary
Any cookie-stealing vulnerabilities within the application or browser would enable an attacker to steal the user's credentials to the PEPPERL+FUCHS WirelessHART-Gateway 3.0.9.
Source
cert.vde.com 
CVE-2021-34560
5.5
Severity
5.5 (CVSS:3.1:AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
Weakness
Information Exposure (CWE-200)
Summary
In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.9 a form contains a password field with autocomplete enabled. The stored credentials can be captured by an attacker who gains control over the user's computer. ...
Source
cert.vde.com 
CVE-2021-34559
5.4
Severity
5.4 (CVSS:3.1:AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Weakness
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') (CWE-444)
Summary
In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.8 a vulnerability may allow remote attackers to rewrite links and URLs in cached pages to arbitrary strings.
Source
cert.vde.com 
CVE-2021-34562
5.4
Severity
5.4 (CVSS:3.1:AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Weakness
Cross-site Scripting (XSS) (CWE-79)
Summary
In PEPPERL+FUCHS WirelessHART-Gateway 3.0.8 it is possible to inject arbitrary JavaScript into the application's response.
Source
cert.vde.com 
CVE-2007-2379
5.0
Severity
5.0 (CVSS:2.0:AV:N/AC:L/Au:N/C:P/I:N/A:N)
Weakness
Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Summary

The jQuery framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the ...

Source
nvd.nist.gov 
CVE-2011-4969
4.3
Severity
4.3 (CVSS:2.0:AV:N/AC:M/Au:N/C:N/I:P/A:N)
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

Source
nvd.nist.gov 
CVE-2021-34563
3.3
Severity
3.3 (CVSS:3.1:AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Weakness
Sensitive Cookie Without 'HttpOnly' Flag (CWE-1004)
Summary
In PEPPERL+FUCHS WirelessHART-Gateway 3.0.8 and 3.0.9 the HttpOnly attribute is not set on a cookie. This allows the cookie's value to be read or set by client-side JavaScript.
Source
cert.vde.com 
CVE-2013-0169
2.6
Severity
2.6 (CVSS:2.0:AV:N/AC:H/Au:N/C:P/I:N/A:N)
Weakness
Cryptographic Issues (CWE-310)
Summary

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on ...

Source
nvd.nist.gov 

Impact

Pepperl+Fuchs analyzed and identified affected devices.
Remote attackers may exploit the vulnerability sending specially crafted packages that may result in a denial-of-service condition or code execution.

Solution

An external protective measure is required.

  • Minimize network exposure for affected products and ensure that they are not accessible via the Internet.
  • Isolate affected products from the corporate network.
  • If remote access is required, use secure methods such as virtual private networks (VPNs).

Reported by

Pepperl+Fuchs
Coordinated by CERT@VDE