Beckhoff: EtherLeak in TwinCAT RT network driver

Beckhoff’s TwinCAT RT network driver for Intel 8254x and 8255x is providing EtherCAT functionality. The driver implements real-time features. Except for Ethernet frames sent from real-time functionality, all other Ethernet frames sent through the driver are not padded if their payload is less than the minimum Ethernet frame size. Instead, arbitrary memory content is transmitted within in the padding bytes of the frame. Most likely this memory contains slices from previously transmitted or received frames.

The Web-Based Management (WBM) of WAGOs programmable logic controller (PLC) is typically used for administration, commissioning and updates. 

An attacker needs an authorized login with administrative privileges on the device in order to exploit the herein mentioned vulnerability.

 An authenticated attacker who has access to the Web Based Management (WBM) could use the software upload functionality to install software package with root privileges. This fact could be potentially used to manipulate the device or to get control of the device.

WAGO PLCs uses Linux as operating system and offers the ambitious user the opportunity to make their own modifications to expand the functionality of the PLC. For this reason the pppd daemon is also part of the operating system but it is not activated in the default configuration of the WAGO firmware.

The reported vulnerability is only exploitable if the customer has activated the pppd daemon in his individual configuration manually. If the pppd daemon is used by the application from the customer, an unauthenticated remote attacker could cause a memory corruption in the pppd process, which may allow for arbitrary code execution, by sending an unsolicited EAP packet.

FL MGUARD, TC MGUARD, TC ROUTER and TC CLOUD CLIENT devices are affected by a buffer overflow vulnerability within the PPP service.

The PPP service is not active by default, but is used commonly at TC ROUTER, TC CLOUD CLIENT.
It is also running in the following FL MGUARD and TC MGUARD configurations:

• Mobile data connection
• Router mode “Modem”
• Router mode “PPPoE”
• L2TP over IPsec

Malicious PPP peers could try to exploit the vulnerability from remote.


By Vendor




(Scoring for CVSS 2.0,3.0+3.1)
No CVE available
0.1 <= 3.9
4.0 <= 6.9
7.0 <= 8.9
9.0 <= 10.0