Austria-based cybersecurity consultancy SEC Consult discovered five types of vulnerabilities in Pepperl+Fuchs Comtrol industrial products, including cross-site request forgery (CSRF), reflected cross-site scripting (XSS), blind command injection, and denial-of-service (DoS) issues. The impacted products were found to use outdated versions of third-party components with known vulnerabilities, including PHP, OpenSSL, BusyBox, the Linux kernel, and lighttpd. The vulnerabilities can allow remote attackers to gain access to the targeted device, execute “any program,” and obtain information. If an attacker gains access to one of the affected Comtrol devices, for example through an XSS attack or password guessing, they may be able to execute commands on the device with root privileges and install persistent backdoors.
IO-Link is an industrial communications protocol used for digital sensors and actuators. The IO-Link Master product line combines the benefits of the IO-Link standard with the EtherNet/IP and Modbus TCP protocols. The IO-Link Master effectively shields the PLC programmers from the IO-Link complexities by handling those complexities itself.
The vendor patched the flaws discovered by SEC Consult several months after being informed of their existence. The company said a dozen IO-Link Master products are affected and urged customers to update the U-Boot bootloader, the system image, and the application base to prevent exploitation.
What to do?
- SEC Consult has published an advisory that contains proof-of-concept (PoC) code for each of the vulnerabilities.
- Ensure the most current code changes have been installed and are operational.
What can you do when this happens to you?
- If you determine your network has been breached or compromised, immediately shut it down and identify any malware present.
- Determine if any data has been modified or exfiltrated.
- If data has been stolen, notify all affected parties, including the local law enforcement data crimes division and the FBI.
- Reinstate the network from a known “clean” backup.
Eduard Kovacs, Security Week, January 14, 2021