The Festo controller CECC product family is affected by multiple vulnerabilities in the CODESYS V3 runtime.
The machine controller of the cabinet series include an OPC-UA server which uses an user management to authenticate clients via anonymous or user/password authentication. If the user/password authentication is selected, password verification is skipped upon second login. As a result, cases occur in which users can establish communication without correct authentication. This vulnerability is not located in the OPC-UA protocol or server, but in the interface to the products firmware.
This Security Advisory is only relevant for the following use cases:
• the user management has been activated on the machine controller (is deactivated by default)
• the OPC-UA Server is used
• Data are transferred via a symbol configuration (is not available by default)
The Festo controller CECC-X-M1 product family in multiple versions are affected by a preauthentication command injection vulnerability.
Update A, 2022-07-05
Remediation has been updated. Fixed firmwares are now available.
A critical vulnerability has been discovered in the utilized component EtherNet/IP Adapter Development Kit (EADK) by Pyramid Solutions, Inc.. For details refer to CVE(s).
This vulnerability may allow an attacker to send a specially crafted packet that may result in a denial-of-service condition of the affected products.
The indicated firmware versions are only used on products of hardware version 01.xx.xx.
ProConOS/ProConOS eCLR designed for use in closed industrial networks provide communication protocols without authentication.
Please also refer the original ICS-CERT advisory ICSA-15-013-03 published 13 January 2015.
Phoenix Contact Classic Line industrial controllers (ILC1x0 and ILC1x1 product families as well as the AXIOLINE controllers AXC1050 and AXC3050) are developed and designed for the use in closed industrial networks. The communication protocols used for device management and configuration do not feature authentication measures.
Update A, 2022-06-21
This updated version contains additional affected products.
In addition, a new application note for classic line controllers had been published to make it easier for our customers to find out the actions how to disable the unauthorized communication ports instead of checking out each controller’s manual.