TRUMPF: Products prone to Unified Automation vulnerabilities

A number of TRUMPF software tools use the OPC UA Server in C++ based OPC UA SDK by Unified Automation. The application contains several vulnerabilities, which enable an attacker to send malicious data to the application, resulting in a Denial-of-Service.


CVE-2022-29862: 7.5
CVE-2022-29864: 7.5

AUMA: Multiple Vulnerabilities in Automation Runtime NTP Service

The SIMA2 Master Station features an NTP service based on ntpd, a reference implementation of the Network Time Protocol (NTP). Affected SIMA2 Master Stations with software version < V2.6 include an outdated version of ntpd which is affected by a large number of vulnerabilities


CVE-2015-7871: 9.8
CVE-2018-12327: 9.8
CVE-2018-7183: 9.8
CVE-2015-7853: 9.8
CVE-2015-7705: 9.8
CVE-2015-7849: 8.8
CVE-2017-6458: 8.8
CVE-2017-6460: 8.8
CVE-2015-7854: 8.8
CVE-2017-6462: 7.8
CVE-2017-6451: 7.8
CVE-2015-7974: 7.7
CVE-2014-9293: 7.5
CVE-2014-9294: 7.5
CVE-2015-7703: 7.5
CVE-2014-9295: 7.5
CVE-2015-7692: 7.5
CVE-2015-7691: 7.5
CVE-2016-4954: 7.5
CVE-2016-4953: 7.5
CVE-2015-7704: 7.5
CVE-2016-7426: 7.5
CVE-2015-5300: 7.5
CVE-2015-7701: 7.5
CVE-2015-7978: 7.5
CVE-2015-7979: 7.5
CVE-2020-11868: 7.5
CVE-2019-8936: 7.5
CVE-2018-7185: 7.5
CVE-2018-7184: 7.5
CVE-2016-4957: 7.5
CVE-2018-7182: 7.5
CVE-2016-7434: 7.5
CVE-2020-13817: 7.4
CVE-2016-1548: 7.2
CVE-2015-7973: 6.5
CVE-2015-7702: 6.5
CVE-2015-7850: 6.5
CVE-2015-7851: 6.5
CVE-2015-7855: 6.5
CVE-2016-9310: 6.5
CVE-2017-6463: 6.5
CVE-2017-6464: 6.5
CVE-2016-1549: 6.5
CVE-2009-3563: 6.4
CVE-2015-7975: 6.2
CVE-2016-4955: 5.9
CVE-2015-7852: 5.9
CVE-2015-7977: 5.9
CVE-2015-8158: 5.9
CVE-2016-2519: 5.9
CVE-2016-9311: 5.9
CVE-2014-9750: 5.8
CVE-2016-7431: 5.3
CVE-2016-2518: 5.3
CVE-2016-2517: 5.3
CVE-2016-1550: 5.3
CVE-2016-1547: 5.3
CVE-2018-8956: 5.3
CVE-2015-8139: 5.3
CVE-2015-8138: 5.3
CVE-2016-4956: 5.3
CVE-2016-2516: 5.3
CVE-2016-7433: 5.3
CVE-2013-5211: 5.0
CVE-2014-9296: 5.0
CVE-2020-15025: 4.9
CVE-2015-8140: 4.8
CVE-2016-7428: 4.3
CVE-2016-7427: 4.3
CVE-2015-7976: 4.3
CVE-2016-1551: 3.7
CVE-2016-7429: 3.7

Festo: Controller CECC-S,LK,D family firmware 2.4.2.0 - multiple vulnerabilities in CODESYS V3 runtime system

The Festo controller CECC product family in firmware version 2.4.2.0 is affected by multiple vulnerabilities in the CODESYS V3 runtime.


CVE-2020-10245: 9.8
CVE-2021-33485: 9.8
CVE-2019-9013: 8.8
CVE-2022-22515: 8.1
CVE-2021-36763: 7.5
CVE-2021-36764: 7.5
CVE-2021-29241: 7.5
CVE-2022-22519: 7.5
CVE-2022-22517: 7.5
CVE-2020-15806: 7.5
CVE-2019-5105: 7.5
CVE-2021-29242: 7.3
CVE-2022-22514: 7.1
CVE-2022-22513: 6.5
CVE-2020-12068: 6.5
CVE-2020-12069: n/a
CVE-2019-9011: n/a
CVE-2020-12067: n/a

Festo: Controller CECC-S,LK,D family <= 2.3.8.1 - multiple vulnerabilities in CODESYS V3 runtime system

The Festo controller CECC product family is affected by multiple vulnerabilities in the CODESYS V3 runtime.


CVE-2019-13548: 9.8
CVE-2019-18858: 9.8
CVE-2021-33485: 9.8
CVE-2019-9010: 9.8
CVE-2018-10612: 9.8
CVE-2020-10245: 9.8
CVE-2019-9008: 8.8
CVE-2019-9013: 8.8
CVE-2022-22515: 8.1
CVE-2021-36764: 7.5
CVE-2020-15806: 7.5
CVE-2018-20025: 7.5
CVE-2018-20026: 7.5
CVE-2019-13532: 7.5
CVE-2021-36763: 7.5
CVE-2022-22517: 7.5
CVE-2022-22519: 7.5
CVE-2021-29241: 7.5
CVE-2019-5105: 7.5
CVE-2019-9012: 7.5
CVE-2019-9009: 7.5
CVE-2021-29242: 7.3
CVE-2022-22514: 7.1
CVE-2010-5250: 6.9
CVE-2022-22513: 6.5
CVE-2018-0739: 6.5
CVE-2019-13542: 6.5
CVE-2020-7052: 6.5
CVE-2020-12068: 6.5
CVE-2017-3735: 5.3
CVE-2019-9011: n/a
CVE-2020-12067: n/a
CVE-2020-12069: n/a

Lenze: Vulnerability in the OPC-UA authentification connection in the firmware

The machine controller of the cabinet series include an OPC-UA server which uses an user management to authenticate clients via anonymous or user/password authentication. If the user/password authentication is selected, password verification is skipped upon second login. As a result, cases occur in which users can establish communication without correct authentication. This vulnerability is not located in the OPC-UA protocol or server, but in the interface to the products firmware.

This Security Advisory is only relevant for the following use cases:

• the user management has been activated on the machine controller (is deactivated by default)

• the OPC-UA Server is used

• Data are transferred via a symbol configuration (is not available by default)


CVE-2022-2302: 9.8

Festo: CECC-X-M1 - command injection vulnerabilities (Update A)

The Festo controller CECC-X-M1 product family in multiple versions are affected by a preauthentication command injection vulnerability.

Update A, 2022-07-05

Remediation has been updated. Fixed firmwares are now available.


CVE-2022-30311: 9.8
CVE-2022-30310: 9.8
CVE-2022-30309: 9.8
CVE-2022-30308: 9.8

Weidmueller: EtherNet/IP Fieldbus Coupler out-of-bounds write

A critical vulnerability has been discovered in the utilized component EtherNet/IP Adapter Development Kit (EADK) by Pyramid Solutions, Inc.. For details refer to CVE(s).
This vulnerability may allow an attacker to send a specially crafted packet that may result in a denial-of-service condition of the affected products.

The indicated firmware versions are only used on products of hardware version 01.xx.xx.


CVE-2022-1737: 7.5

PHOENIX CONTACT: Missing Authentication in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool

ProConOS/ProConOS eCLR designed for use in closed industrial networks provide communication protocols without authentication.

Please also refer the original ICS-CERT advisory ICSA-15-013-03 published 13 January 2015.


CVE-2014-9195: 7.5

Feeds

Nach Hersteller

Archiv

2025
2024
2023
2022
2021
2020
2019
2018
2017

Legende

(Scoring für CVSS 2.0,3.0+3.1)
keine
Kein CVE verfügbar
Niedrig
0.1 <= 3.9
Mittel
4.0 <= 6.9
Hoch
7.0 <= 8.9
Kritisch
9.0 <= 10.0