Share: Email | Twitter

ID

VDE-2021-041

Published

2021-10-26 09:07 (CEST)

Last update

2021-10-26 09:15 (CEST)

Vendor(s)

PEPPERL+FUCHS

Product(s)

Affected DTM products

Item Version DTM / Component DTM / Component Version
Emerson Integration Package N/A

ADM Project Builder Emerson

AMS Alert Adapter

<= 1.1.3.1463
Diagnostic Manager 2.0.0.1177 - 2.2.2.3478 All contained DTMs 2.0.0.1177 - 2.2.2.3478
FieldConnex Diagnostic Gateway FF DTM <= 2.2.2.3478 All contained DTMs <= 2.2.2.3478
FDH-1 Manager <= 1.0.1.1022 N/A N/A
ABB Project Builder <= 1.1.1.1122 N/A N/A
DTM Collection HART-Multiplexer <= 2.0.0.130 All contained DTMs N/A
TMI-FF DTM <= 2.6.3.10 All contained DTMs N/A
HART DTM Library Enhanced used
with PS3500-DM
<= 2.4.11.59 All contained DTMs N/A
DTM used with S1SD-1TI-1U N/A P+F DTMLibrary Modbus V2.3.68
DTM Library HART used with 6500 Series <= 2.4.11.59 All contained DTMs N/A
DTM Collection Level Control Technology used
with Level Radar LCR20, LTC50, LTC51, LRC57
<=1.0.31 All contained DTMs N/A
DTM Collection WirelessHART <= 1.0.2.4 All contained DTMs N/A


Affected VisuNet products

Item Version
VisuNet RM Shell <= 5.5.0
VisuNet Factory Reset 5.x
VisuNet Factory Reset <= 6.1.0
VisuNet Control Center <= 4.7.1
VisuNet GXP PC Service Tool <= 1.1.0

Summary

Critical vulnerabilities have been discovered in the utilized component log4net by Apache Software Foundation.


Weakness

Improper Restriction of XML External Entity Reference  (CWE-611) 

Summary

Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.


Impact

Pepperl+Fuchs analyzed and identified affected devices.
In table “Affected products” packages are listed next to some products, this means that the products are only affected if the corresponding software is installed since the package implements the vulnerability.

To exploit the vulnerability, the access rights of an authorized user or admin are required. 

The impact of the vulnerability on the affected products may result in

  • Denial of Service
  • Loss of Credentials
  • Code Execution

The CVSS environmental score is specific to the customer's environment and should therefore be individually assessed by the customer to accomplish final scoring.

The original CVE refers to a network access scenario. With our products, it is a local access scenario. For this reason, the risk of exploiting this vulnerability is reduced.

Solution

Mitigation

External countermeasures are needed for the remaining products.
The following protective measure is required for VisuNet devices and the PCs/Servers with an installed DTM:

  • Restrict local access to the device, PC/Server and use user authentication to prevent unauthorized access.

Remediation

The following affected DTM products can be updated to the listed version:

Item Version
FieldConnex DTM Collection 1.7.1.2159
Diagnostic Manager 2.2.3.3527
FieldConnex Diagnostic Gateway FF DTM 2.2.3.3527
FDH-1 Manager 1.0.2.1049
ABB Project Builder 1.1.2.1134
Honeywell Integration Package 1.1.3.0
Emerson Integration Package
[ADM Project Builder Emerson]
1.1.4.1474
Emerson Integration Package [AMS Alert Adapter] 1.1.3.72
DTM Collection HART-Multiplexer 2.0.1.208

Reported by

CodeWrights GmbH reported this vulnerability to PEPPERL+FUCHS.
CERT@VDE coordinated with PEPPERL+FUCHS.