09 February 2021
Classics: vulnerabilities in web console and third-party components in Pepperl+Fuchs IO-Link-Master gateways
CERT@VDE has published an advisory on multiple vulnerabilities in the Pepperl+Fuchs Comtrol IO-Link Master device family based on the research of T.Weber from SEC Consult. The CVSS v3.1 base scores calculated by CERT@VDE for these vulnerabilities range from Medium (6.6) to High (8.8).
The Pepperl+Fuchs Comtrol IO-Link-Master device series is a family of communication gateways used to interconnect EtherNet/IP, Modbus TCP and Profinet IO devices. These gateways are designed for industrial scenarios and include rugged models used in harsh environments.
The vulnerabilities affect several IO-Link Master 4 and IO-Link Master 8 devices with firmware versions 1.5.48 or earlier. A list of all affected devices can be found in the CERT@VDE advisory.
The first three vulnerabilities are flaws of the device configuration web interface. CVE-2020-12511 (rated 8.8 on the CVSS v3.1 scale) could allow an attacker to carry out a cross-site request forgery attack in order to trick the victim into changing product settings. CVE-2020-12512 (CVSS v3.1 base score 7.5) is a reflected cross-site scripting flaw in the web service that could allow an attacker to steal cookies from an authenticated user in order to login or conduct actions in the context of the user. The vulnerability is in the “/Software” endpoint of the web service. The last of these three, CVE-2020-12513 (CVSS v3.1 base score 7.5) is due to the absence of user input sanitization, making the web interface prone to executing user input as commands by invoking the “exec()” method in the context of the root user. The three vulnerabilities are classical flaws from the OWASP Top Ten list. For devices used in an isolated network environment behind a demilitarized zone, the actual risks associated with the relevant attacks are significantly lower than for devices accessible via the internet. Setting up firewalls and putting in place strict policies with respect to the use of devices from which configuration is performed can serve as sufficient mitigation measures against threats associated with these vulnerabilities.
It is not quite clear whether the same can be said of CVE-2020-12514 (CVSS v3.1 base score 6.6). The discovery daemon (“discoveryd”) is a service which is started at system startup. The service is needed for “PortVision DX”, a network management program. The daemon includes an unsafe function and is vulnerable to DoS attacks, which result in the program crashing due to a NULL pointer dereference issue.
The list also includes two vulnerabilities, CVE-2018-20679 and CVE-2018-0732 (both rated 7.5 on the CVSS v3.1 scale), which have been known for a long time. The former is an out-of-bounds read flaw in the BusyBox utility, which is positioned by its authors as “The Swiss Army Knife of Embedded Linux”. Most likely, its exploitation could lead to a denial-of-service condition. The latter affects the OpenSSL package and can also be exploited remotely in a denial-of-service attack by passing a very large prime value as a parameter for the Diffie-Hellman algorithm. Similarly to the first three vulnerabilities, it can be said with confidence that these vulnerabilities are unlikely to be exploited in an isolated environment. At the same time, they are sufficiently easy to fix, which should be done using the update released by the vendor for affected devices.
The vendor suggests updating affected units with the following packages to fix the vulnerabilities:
- U-Boot bootloader version 1.36 or newer,
- System image version 1.52 or newer,
- Application base version 1.6.11 or newer.
It is also suggested in the advisory that the following best practices be implemented if the devices are reachable from public networks:
- Implementing a firewall to filter traffic from untrusted networks, particularly traffic to the administration webpage.
- Using secure passwords for the three embedded accounts on the device if the network to which it is connected includes untrusted users and/or applications.
Information on the vulnerabilities was published on January 4, 2021