Headline
CVE-2022-3079: VDE-2022-036 | CERT@VDE
Festo control block CPX-CEC-C1 and CPX-CMXX in multiple versions allow unauthenticated, remote access to critical webpage functions which may cause a denial of service.
2022-09-20 12:00 (CEST) VDE-2022-036
Festo: CPX-CEC-C1 and CPX-CMXX, Missing Authentication for Critical Webpage Function
Share: Email | Twitter
Published
2022-09-20 12:00 (CEST)
Last update
2022-09-20 11:13 (CEST)
Vendor(s)
Festo SE & Co. KG
Product(s)
Article No°
Product Name
Affected Version(s)
567347
Control block CPX-CEC-C1
<= 2.0.12
555667
Control block CPX-CMXX
<= 1.2.34 rev.404
Summary
Unauthenticated access to critical webpage functions (e.g. reboot) may cause a denial of service of the device.
CVE ID
Severity
Weakness
Improper Privilege Management (CWE-269)
Summary
Festo control block CPX-CEC-C1 and CPX-CMXX in multiple versions allow unauthenticated, remote access to critical webpage functions which may cause a denial of service.
Source
Impact
CPX-CEC-C1 and CPX-CMXX allow unauthenticated access to critical webpage functions (e.g. reboot) which may cause a denial of service of the device
Solution
Remediation
Currently no fix is planned.
Replace CPX-CEC-C1 with follow-up product CPX-CEC-C1-V3.
Replace CPX-CMXX with follow up product CPX-CEC-M1-V3.
General recommendations
As part of a security strategy, Festo recommends the following general defense measures to reduce the risk of exploits:
- Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
- Use firewalls to protect and separate the control system network from other networks
- Use VPN (Virtual Private Networks) tunnels if remote access is required
- Activate and apply user management and password features
- Use encrypted communication links
- Limit the access to both development and control system by physical means, operating system features, etc.
- Protect both development and control system by using up to date virus detecting solutions
Festo strongly recommends to minimize and protect network access to connected devices with state of the art techniques and processes.
For a secure operation follow the recommendations in the product manuals.
Reported by
Festo SE & Co. KG thanks the following parties for their efforts:
- CERT@VDE for coordination and support with this publication
- Daniel dos Santos, Rob Hulsebos from Forescout for reporting to Festo
Related news
Researchers have disclosed details of three new security vulnerabilities affecting operational technology (OT) products from CODESYS and Festo that could lead to source code tampering and denial-of-service (DoS). The vulnerabilities, reported by Forescout Vedere Labs, are the latest in a long list of flaws collectively tracked under the name OT:ICEFALL. "These issues exemplify either an