Several vulnerabilities have been identified in Pepperl+Fuchs Comtrol IO-Link Master industrial gateways, including flaws that researchers claim can be exploited to gain root access to a device and create backdoors.
A researcher at Austria-based cybersecurity consultancy SEC Consult discovered five types of vulnerabilities in Pepperl+Fuchs Comtrol industrial products, including cross-site request forgery (CSRF), reflected cross-site scripting (XSS), blind command injection, and denial-of-service (DoS) issues. The impacted products were found to leverage outdated versions of third-party components that were known to have vulnerabilities, including PHP, OpenSSL, BusyBox, Linux kernel, and lighttpd.
In an advisory published on January 4, Pepperl+Fuchs said the vulnerabilities can allow remote attackers to gain access to the targeted device, execute “any program,” and obtain information.
Johannes Greil, principal security consultant and head of the SEC Consult Vulnerability Lab, told SecurityWeek that if an attacker can gain access to one of the affected Comtrol devices — for example, by using an XSS attack or password guessing — they may be able to execute commands on the device with root privileges and implement persistent backdoors.
IO-Link is an industrial communications protocol used for digital sensors and actuators. Pepperl+Fuchs says its IO-Link Master product line “combines the benefits of the IO-Link standard with the EtherNet/IP and Modbus TCP protocols. The IO-Link Master effectively shields the PLC programmers from the IO-Link complexities by handling those complexities itself.”
The vendor patched the flaws discovered by SEC Consult several months after being informed of their existence. The company said a dozen IO-Link Master products are impacted and urged customers to update the U-Boot bootloader, the system image, and the application base to prevent exploitation.
SEC Consult has published an advisory that contains proof-of-concept (PoC) code for each of the vulnerabilities.