VDE-2020-050
Last update
05/14/2025 15:00
Published at
02/15/2021 14:33
Vendor(s)
Pepperl+Fuchs SE
External ID
VDE-2020-050
CSAF Document
Summary
Critical vulnerability has been discovered in the utilized component 499ES EtherNet/IP Stack by Real Time Automation (RTA).
Impact
Pepperl+Fuchs analyzed and identified affected devices.
Remote attackers may exploit the vulnerability sending specially crafted packages that may result in a denial-of-service condition or code execution.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| Hardware IC-KP-B17-AIDA1 | Firmware <=18-31785F | |
| Hardware IC-KP2-2HB17-2V1D | Firmware <=18-31440H | |
| IC-KP2-1HB17-2V1D | Firmware <=18-31766H |
Vulnerabilities
Expand / Collapse all
Published
09/22/2025 14:57
Severity
Weakness
Stack-based Buffer Overflow (CWE-121)
Summary
The install.c module in the Pengutronix RAUC update client prior to version 1.5 has a Time-of-Check Time-of-Use vulnerability, where signature verification on an update file takes place before the file is reopened for installation. An attacker who can modify the update file just before it is reopened can install arbitrary code on the device.
References
Mitigation
An external protective measure is required.
- Minimize network exposure for affected products and ensure that they are not accessible via the Internet.
- Isolate affected products from the corporate network.
- If remote access is required, use secure methods such as virtual private networks (VPNs).
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 02/15/2021 14:33 | Initial revision. |
| 2 | 04/10/2025 15:00 | Fixed URLs. |
| 3 | 05/14/2025 15:00 | Fix: added distribution |