CVE-2020-12525: VDE-2020-038 | CERT@VDE

M&M Software fdtCONTAINER Component in versions below 3.5.20304.x and between 3.6 and 3.6.20304.x is vulnerable to deserialization of untrusted data in its project storage.


2021-01-04 14:01 (CET) VDE-2020-038

Pepperl+Fuchs: Multiple vulnerabilities in Comtrol IO-Link Master. Affected versions <= 1.5.48

**Published**

2021-01-04 14:01 (CET)

**Last update**

2021-11-11 08:36 (CET)

Vendor(s)

Pepperl+Fuchs SE

Product(s)

| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| | IO-Link Master 4-EIP | <= v1.5.48 |
| | IO-Link Master 4-PNIO | <= v1.5.48 |
| | IO-Link Master 8-EIP | <= v1.5.48 |
| | IO-Link Master 8-EIP-L | <= v1.5.48 |
| | IO-Link Master 8-PNIO | <= v1.5.48 |
| | IO-Link Master 8-PNIO-L | <= v1.5.48 |
| | IO-Link Master DR-8-EIP | <= v1.5.48 |
| | IO-Link Master DR-8-EIP-P | <= v1.5.48 |
| | IO-Link Master DR-8-EIP-T | <= v1.5.48 |
| | IO-Link Master DR-8-PNIO | <= v1.5.48 |
| | IO-Link Master DR-8-PNIO-P | <= v1.5.48 |
| | IO-Link Master DR-8-PNIO-T | <= v1.5.48 |

**Summary**

Several vulnerabilities exist within firmware versions up to and including v1.5.48.

**Vulnerabilities**

Weakness

Cross-Site Request Forgery (CSRF) (CWE-352)

Summary

Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a Cross-Site Request Forgery (CSRF) in the web interface.

Weakness

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) (CWE-78)

Summary

Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.

Summary

An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak …

Summary

During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client …

Weakness

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (CWE-79)

Summary

Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting.

Summary

Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd.

**Impact**

Pepperl+Fuchs analyzed and identified affected devices.
Remote attackers may exploit multiple vulnerabilities to get access to the device and
execute any program and tap information.

**Solution**

In order to prevent the exploitation of the reported vulnerabilities, we recommend that the
affected units be updated with the following three firmware packages:

  • U-Boot bootloader version 1.36 or newer
  • System image version 1.52 or newer
  • Application base version 1.6.11 or newer

Furthermore, it is always recommended to observe the following measures if the affected
products are connected to public networks:

  1. An external protective measure to be put in place.
    Traffic from untrusted networks to the device should be blocked by a firewall.
    Especially traffic targeting the administration webpage.
  2. Device user accounts to be enabled with secure passwords.
    If non-trusted people/applications have access to the network that the device is connected to, then configuring passwords for all three User Accounts is recommended.

**Reported by**

T.Weber (SEC Consult Vulnerability Lab) reported this vulnerability.

CERT@VDE coordinated and provided the CVE IDs.
