Multiple issues in Weidmueller Industrial WLAN devices have been found.

Initial publication date: 2021-06-23
Update A publication date: 2021-07-02

Update A

CVE-2021-33534

CVSS: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Description: An exploitable command injection vulnerability exists in the hostname functionality of Weidmueller Industrial WLAN devices. A specially crafted entry to network configuration information can cause execution of arbitrary system commands, resulting in full control of the device. An attacker can send various requests while authenticated as a high privilege user to trigger this vulnerability.

Multiple vulnerabilities were reported in CODESYS 2.3 Runtime. The CODESYS 2.3 Runtime is an essential component in several WAGO PLC’s.

The affected products can act as OPC UA client or server and are vulnerable to two different kind of attacks via
the OPC UA protocol. For both cases the attacker can send packets via the OPC UA protocol without the need to
authenticate and

1. provoke a stack overflow resulting in denial of service of the product or
2. make the product disclose information to the attacker without authorization.

Critical vulnerability has been discovered in the utilized components rcX, mbedTLS, PROFINET IO Device and EtherNet/IP Core by Hilscher Gesellschaft für Systemautomation mbH.
The impact of the vulnerabilities on the affected device is that it can result in:

• Denial of Service (DoS)
• Remote Code Execution (RCE)
• Code Exposure

Note

ICE1-8IOL-S2-G60L-V1D (70103603) is not affected by CVE-2021-20986

The Web-Based Management (WBM) of WAGOs industrial managed switches is typically used for administration, commissioning and updates.

The reported vulnerabilities allow an attacker with access to the device and the Web-Based Management, to install malware, access to password hashes and create user with admin credentials.

A network port intended only for device-internal usage is accidentally accessible via external network interfaces.

Some TwinCAT OPC UA Server and IPC Diagnostics UA Server versions from Beckhoff Automation GmbH & Co. KG are vulnerable to denial of service attacks. The attacker needs to send several specifically crafted requests to the running OPC UA server. After some of these requests the OPC UA server is no longer responsive to any client. This is without effect to the real-time functionality of IPCs.

UPDATE A - 11.05.2021

Please note that some hardware products from Beckhoff are shipped with a TwinCAT OPC UA Server pre-installed. In some cases the server is enabled by default.

IPC Diagnostics UA Server (contained in Beckhoff’s Windows images)

• server versions up to and including 3.1.0.1 are affected
• Please note that IPC products from Beckhoff are shipped with an IPC Diagnostics UA Server pre-installed. In all cases the server is disabled by default.

The version numbers named above always refer to the version number which is accessible via OPC UA at the server via the standard OPC UA node /Objects/Server/ServerStatus/BuildInfo/SoftwareVersion and on Windows also as the file property "File version" of the file TcOpcUaServer.exe for TwinCAT OPC UA Server respectively the file DevMgrSvr-UA.exe for IPC Diagnostics UA Server.

UPDATE A - 11.05.2021

Please note that IPC products from Beckhoff are shipped with an IPC Diagnostics UA Server pre-installed. While on Windows CE it is disabled by default all other Windows images have it enabled by default.