Back to overview

Beckhoff: EtherLeak in TwinCAT RT network driver

VDE-2020-019
Last update
05/22/2025 15:03
Published at
06/16/2020 10:31
Vendor(s)
Beckhoff Automation GmbH & Co. KG
External ID
VDE-2020-019
CSAF Document
Download

Summary

Beckhoff's TwinCAT RT network driver for Intel 8254x and 8255x is providing EtherCAT functionality. The driver implements real-time features. Except for Ethernet frames sent from real-time functionality, all other Ethernet frames sent through the driver are not padded if their payload is less than the minimum Ethernet frame size. Instead, arbitrary memory content is transmitted within in the padding bytes of the frame. Most likely this memory contains slices from previously transmitted or received frames.

Impact

By this method, memory content is disclosed, however, an attacker can hardly control which memory content is affected. For example, the disclosure can be provoked with small sized ICMP echo requests sent to the device.

Affected Product(s)

Model no. Product name Affected versions
TwinCAT 2.11 2350 <=2.11.0.2120, <=2.11.0.2117
TwinCAT 3.1 402 <=3.1.0.3600
TwinCAT 3.1 4022 <=3.1.0.3512
TwinCAT 3.1 4024 <=3.1.0.3603, <=3.1.0.3500

Vulnerabilities

Expand / Collapse all

Published
02/09/2026 08:38
Severity
5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness
Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Summary

Beckhoff's TwinCAT RT network driver for Intel 8254x and 8255x is providing EtherCAT functionality. The driver implements real-time features. Except for Ethernet frames sent from real-time functionality, all other Ethernet frames sent through the driver are not padded if their payload is less than the minimum Ethernet frame size. Instead, arbitrary memory content is transmitted within in the padding bytes of the frame. Most likely this memory contains slices from previously transmitted or received frames. By this method, memory content is disclosed, however, an attacker can hardly control which memory content is affected. For example, the disclosure can be provoked with small sized ICMP echo requests sent to the device.

References
cve.org | nvd.nist.gov

Mitigation

If no real-time communication from TwinCAT is required on the Ethernet interface, then users can alternatively re-configure them to use the Intel ® driver, which is shipped with Beckhoff images.

Customers should configure a perimeter firewall to block traffic from untrusted networks to the device, especially regarding ICMP and other small ethernet frames.

Remediation

Beckhoff offers software patches for TwinCAT 3.1 and TwinCAT 2.11 on request. These patches will be included in the the next regular releases to the affected software versions.

Acknowledgments

Beckhoff Automation GmbH & Co. KG thanks the following parties for their efforts:

  • CERT@VDE for coordination

Revision History

Version Date Summary
1 06/16/2020 10:31 Initial revision.
2 11/06/2024 12:27 Fix: added self-reference
3 04/11/2025 09:00 Fix: version range
4 05/22/2025 15:03 Fix: added distribution, quotation mark