Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-3079: VDE-2022-036 | CERT@VDE

Festo control block CPX-CEC-C1 and CPX-CMXX in multiple versions allow unauthenticated, remote access to critical webpage functions which may cause a denial of service.

CVE
#web#dos#auth

2022-09-20 12:00 (CEST) VDE-2022-036

Festo: CPX-CEC-C1 and CPX-CMXX, Missing Authentication for Critical Webpage Function
Share: Email | Twitter

Published

2022-09-20 12:00 (CEST)

Last update

2022-09-20 11:13 (CEST)

Vendor(s)

Festo SE & Co. KG

Product(s)

Article No°

Product Name

Affected Version(s)

567347

Control block CPX-CEC-C1

<= 2.0.12

555667

Control block CPX-CMXX

<= 1.2.34 rev.404

Summary

Unauthenticated access to critical webpage functions (e.g. reboot) may cause a denial of service of the device.

CVE ID

Severity

Weakness

Improper Privilege Management (CWE-269)

Summary

Festo control block CPX-CEC-C1 and CPX-CMXX in multiple versions allow unauthenticated, remote access to critical webpage functions which may cause a denial of service.

Source

Impact

CPX-CEC-C1 and CPX-CMXX allow unauthenticated access to critical webpage functions (e.g. reboot) which may cause a denial of service of the device

Solution

Remediation

Currently no fix is planned.

Replace CPX-CEC-C1 with follow-up product CPX-CEC-C1-V3.

Replace CPX-CMXX with follow up product CPX-CEC-M1-V3.

General recommendations

As part of a security strategy, Festo recommends the following general defense measures to reduce the risk of exploits:

  • Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
  • Use firewalls to protect and separate the control system network from other networks
  • Use VPN (Virtual Private Networks) tunnels if remote access is required
  • Activate and apply user management and password features
  • Use encrypted communication links
  • Limit the access to both development and control system by physical means, operating system features, etc.
  • Protect both development and control system by using up to date virus detecting solutions

Festo strongly recommends to minimize and protect network access to connected devices with state of the art techniques and processes.
For a secure operation follow the recommendations in the product manuals.

Reported by

Festo SE & Co. KG thanks the following parties for their efforts:

  • CERT@VDE for coordination and support with this publication
  • Daniel dos Santos, Rob Hulsebos from Forescout for reporting to Festo

Related news

3 New Vulnerabilities Affect OT Products from German Festo and CODESYS Companies

Researchers have disclosed details of three new security vulnerabilities affecting operational technology (OT) products from CODESYS and Festo that could lead to source code tampering and denial-of-service (DoS). The vulnerabilities, reported by Forescout Vedere Labs, are the latest in a long list of flaws collectively tracked under the name OT:ICEFALL. "These issues exemplify either an

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907