Back to overview

Beckhoff: EtherLeak in TwinCAT RT network driver

VDE-2020-019
Last update
05/22/2025 15:03
Published at
06/16/2020 10:31
Vendor(s)
Beckhoff Automation GmbH & Co. KG
External ID
VDE-2020-019
CSAF Document
Download

Summary

Beckhoff's TwinCAT RT network driver for Intel 8254x and 8255x is providing EtherCAT functionality. The driver implements real-time features. Except for Ethernet frames sent from real-time functionality, all other Ethernet frames sent through the driver are not padded if their payload is less than the minimum Ethernet frame size. Instead, arbitrary memory content is transmitted within in the padding bytes of the frame. Most likely this memory contains slices from previously transmitted or received frames.

Impact

By this method, memory content is disclosed, however, an attacker can hardly control which memory content is affected. For example, the disclosure can be provoked with small sized ICMP echo requests sent to the device.

Affected Product(s)

Model no. Product name Affected versions
TwinCAT Driver for Intel 8254x TwinCAT 2.11 2350 <=2.11.0.2120 TwinCAT Driver for Intel 8254x TwinCAT 2.11 2350 <=2.11.0.2120
TwinCAT Driver for Intel 8254x TwinCAT 3.1 4022 <=3.1.0.3512 TwinCAT Driver for Intel 8254x TwinCAT 3.1 4022 <=3.1.0.3512
TwinCAT Driver for Intel 8254x TwinCAT 3.1 4024 <=3.1.0.3603 TwinCAT Driver for Intel 8254x TwinCAT 3.1 4024 <=3.1.0.3603
TwinCAT Driver for Intel 8255x TwinCAT 2.11 2350 <=2.11.0.2117 TwinCAT Driver for Intel 8255x TwinCAT 2.11 2350 <=2.11.0.2117
TwinCAT Driver for Intel 8255x TwinCAT 3.1 402 <=3.1.0.3600 TwinCAT Driver for Intel 8255x TwinCAT 3.1 402 <=3.1.0.3600
TwinCAT Driver for Intel 8255x TwinCAT 3.1 4024 <=3.1.0.3500 TwinCAT Driver for Intel 8255x TwinCAT 3.1 4024 <=3.1.0.3500

Vulnerabilities

Expand / Collapse all

Published
09/22/2025 14:57
Severity
5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness
Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Summary

Beckhoff's TwinCAT RT network driver for Intel 8254x and 8255x is providing EtherCAT functionality. The driver implements real-time features. Except for Ethernet frames sent from real-time functionality, all other Ethernet frames sent through the driver are not padded if their payload is less than the minimum Ethernet frame size. Instead, arbitrary memory content is transmitted within in the padding bytes of the frame. Most likely this memory contains slices from previously transmitted or received frames. By this method, memory content is disclosed, however, an attacker can hardly control which memory content is affected. For example, the disclosure can be provoked with small sized ICMP echo requests sent to the device.

References
cve.org | nvd.nist.gov

Mitigation

If no real-time communication from TwinCAT is required on the Ethernet interface, then users can alternatively re-configure them to use the Intel ® driver, which is shipped with Beckhoff images.

Customers should configure a perimeter firewall to block traffic from untrusted networks to the device, especially regarding ICMP and other small ethernet frames.

Remediation

Beckhoff offers software patches for TwinCAT 3.1 and TwinCAT 2.11 on request. These patches will be included in the the next regular releases to the affected software versions.

Revision History

Version Date Summary
1 06/16/2020 10:31 Initial revision.
2 11/06/2024 12:27 Fix: added self-reference
3 04/11/2025 09:00 Fix: version range
4 05/22/2025 15:03 Fix: added distribution, quotation mark