Researchers discovered several potentially serious vulnerabilities in Pepperl+Fuchs Comtrol’s RocketLinx industrial switches, including ones that can be exploited to take complete control of devices.
The flaws were disclosed this week by SEC Consult, the Austria-based cybersecurity consultancy whose researchers found the issues. The German industrial automation solutions provider also published advisories this week to inform customers about patches and workarounds.
A total of five types of vulnerabilities were discovered, and Pepperl+Fuchs says they can be exploited to gain access to impacted switches, execute commands, and obtain information.
The flaws have been assigned the CVE identifiers CVE-2020-12500 through CVE-2020-12504. Three of them are considered critical and two have been rated high severity.
SEC Consult told SecurityWeek that exploitation of the vulnerabilities requires network access to the targeted switch — no permissions are needed on the device itself. Some of the vulnerabilities, either chained or on their own, can allow an attacker to take complete control of a targeted industrial switch.
Learn more about vulnerabilities in industrial systems at SecurityWeek’s 2020 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series
One of the critical flaws allows an unauthenticated attacker to make changes to the device’s configuration, including to modify network settings, upload configuration files, and upload firmware and bootloader files. The vulnerability can also be exploited to cause a device to enter a DoS condition that can only be fixed by pressing the reset button on the switch and reconfiguring it.
Another critical vulnerability is related to the existence of multiple backdoor accounts, but the vendor says some of them are read-only.
The third critical issue is related to the TFTP service, which is used for uploading and downloading firmware, bootloader and configuration files.
“This TFTP server can be abused to read all files from the system as the daemon runs as root which results in a password hash exposure via the file /etc/passwd. Write access is restricted to certain files (configuration, certificates, boot loader, firmware upgrade) though,” SEC Consult explained in its advisory. “By uploading malicious Quagga config-files an attacker can modify e.g. IP-settings of the device. Malicious firmware and bootloader uploads are possible too.
All of the security holes impact several RocketLinx ES switches, and three of them only affect some ICRL switches.”
Researchers also identified multiple command injection vulnerabilities, and while their exploitation requires authentication, the lack of cross-site request forgery (CSRF) protections makes it possible for an attacker to conduct activities on behalf of an authenticated user by convincing them to click on a malicious link.
SEC Consult pointed out that the vulnerabilities are actually in firmware provided to Pepperl+Fuchs by a third party, which has not been named by SEC Consult. The vulnerabilities were reported by SEC Consult through Germany’s CERT@VDE in April, and while Pepperl+Fuchs addressed them, it seemed until recently that the OEM would not take any action. However, SEC Consult told SecurityWeek that it finally received a response from the company shortly after making its advisory public.
SEC Consult typically publishes proof-of-concept (PoC) code in its advisories, but this time it refrained from doing so due to the lack of patches from the OEM.
Related: Pepperl+Fuchs HMIs Vulnerable to Meltdown, Spectre Attacks
Related: ICS Vendors Release Advisories for CodeMeter Vulnerabilities