CVE-2020-12525: VDE-2020-038 | CERT@VDE
M&M Software fdtCONTAINER Component in versions below 3.5.20304.x and between 3.6 and 3.6.20304.x is vulnerable to deserialization of untrusted data in its project storage.
2021-01-04 14:01 (CET) VDE-2020-038
Pepperl+Fuchs: Multiple vulnerabilities in Comtrol IO-Link Master. Affected versions <= 1.5.48
**Published**
2021-01-04 14:01 (CET)
**Last update**
2021-11-11 08:36 (CET)
Vendor(s)
Pepperl+Fuchs SE
Product(s)
| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| | IO-Link Master 4-EIP | <= v1.5.48 |
| | IO-Link Master 4-PNIO | <= v1.5.48 |
| | IO-Link Master 8-EIP | <= v1.5.48 |
| | IO-Link Master 8-EIP-L | <= v1.5.48 |
| | IO-Link Master 8-PNIO | <= v1.5.48 |
| | IO-Link Master 8-PNIO-L | <= v1.5.48 |
| | IO-Link Master DR-8-EIP | <= v1.5.48 |
| | IO-Link Master DR-8-EIP-P | <= v1.5.48 |
| | IO-Link Master DR-8-EIP-T | <= v1.5.48 |
| | IO-Link Master DR-8-PNIO | <= v1.5.48 |
| | IO-Link Master DR-8-PNIO-P | <= v1.5.48 |
| | IO-Link Master DR-8-PNIO-T | <= v1.5.48 |
**Summary**
Several vulnerabilities exist within firmware versions up to and including v1.5.48.
**Vulnerabilities**
Weakness
Cross-Site Request Forgery (CSRF) (CWE-352)
Summary
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a Cross-Site Request Forgery (CSRF) in the web interface.
Weakness
Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) (CWE-78)
Summary
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.
Summary
An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak …
Summary
During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client …
Weakness
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (CWE-79)
Summary
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting.
Summary
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd.
**Impact**
Pepperl+Fuchs analyzed and identified affected devices.
Remote attackers may exploit multiple vulnerabilities to get access to the device and
execute any program and tap information.
**Solution**
In order to prevent the exploitation of the reported vulnerabilities, we recommend that the
affected units be updated with the following three firmware packages:
- U-Boot bootloader version 1.36 or newer
- System image version 1.52 or newer
- Application base version 1.6.11 or newer
Furthermore, it is always recommended to observe the following measures if the affected
products are connected to public networks:
- An external protective measure to be put in place.
  Traffic from untrusted networks to the device should be blocked by a firewall, especially traffic targeting the administration webpage.
- Device user accounts to be enabled with secure passwords.
  If non-trusted people/applications have access to the network that the device is connected to, then configuring passwords for all three User Accounts is recommended.
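
The three minimum firmware versions listed above can be checked across a device inventory. The following Python is an added example, not part of the advisory or any vendor tooling; the hostnames, field names and inventory records are constructed, and it assumes version strings are dot-separated numeric fields (optionally prefixed with `v`) that compare numerically, so `1.6.9` is older than `1.6.11`.

```python
import re

# Minimum fixed versions, taken from the Solution section of the advisory.
FIXED = {
    "uboot": (1, 36),
    "system_image": (1, 52),
    "application_base": (1, 6, 11),
}

def parse_version(text):
    """Turn 'v1.5.48' or '1.36' into a tuple of ints for numeric comparison."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_at_least(found, minimum):
    """Compare component-wise, padding the shorter tuple with zeros."""
    width = max(len(found), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(found) >= pad(minimum)

def audit(device):
    """Return the packages on a device that are missing or below the fixed version."""
    findings = []
    for package, minimum in FIXED.items():
        raw = device.get(package)
        try:
            ok = raw is not None and is_at_least(parse_version(raw), minimum)
        except ValueError:
            ok = False  # unknown format: not verified, flag for manual review
        if not ok:
            findings.append(package)
    return findings

# Constructed inventory records (hypothetical hostnames and field names).
INVENTORY = [
    {"host": "iolm-line1", "uboot": "1.36", "system_image": "1.52", "application_base": "1.6.11"},
    {"host": "iolm-line2", "uboot": "1.36", "system_image": "1.52", "application_base": "v1.5.48"},
    {"host": "iolm-line3", "uboot": "1.9", "system_image": "1.52", "application_base": "1.6.9"},
    {"host": "iolm-line4", "uboot": "1.40", "system_image": None, "application_base": "1.10.0"},
]

def report(inventory=INVENTORY):
    return {d["host"]: audit(d) for d in inventory}

if __name__ == "__main__":
    for host, missing in report().items():
        print(host, "OK" if not missing else "update needed: " + ", ".join(missing))
```

A plain string comparison would wrongly pass `iolm-line3`, because `"1.9" > "1.36"` and `"1.6.9" > "1.6.11"` lexicographically.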
**Reported by**
T.Weber (SEC Consult Vulnerability Lab) reported this vulnerability.
CERT@VDE coordinated and provided the CVE IDs.