Share: Email | Twitter

ID

VDE-2019-004

Published

2019-03-14 08:52 (CET)

Last update

2019-03-14 08:52 (CET)

Vendor(s)

Pepperl+Fuchs SE

Product(s)

Article No° Product Name Affected Version(s)
CT50-Ex <= current version
Cx70-Ex <= current version
Ex-Handy 09 <= current version
Ex-Handy 209 <= current version
i.roc Ci70-Ex <= current version
Pad-Ex 01 <= current version
Smart-Ex 01 <= current version
Smart-Ex 201 <= current version
Tab-Ex 01 <= current version

Summary

A collection of Bluetooth attack vectors were discovered and related vulnerabilities known as "BlueBorne" were disclosed. These vulnerabilities collectively endanger amongst others Windows, Linux and mobile operating systems like Android or IOS. An unauthenticated attacker may take control of devices and perform commands or access sensitive data.

Vulnerabilities



CVE-2017-0781
8.8
Last Update
18. Februar 2020 08:08
Severity
8.8 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Weakness
Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
Summary
A remote code execution vulnerability in the Android system (bluetooth). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63146105.
Details
nvd.nist.gov 
CVE-2017-0782
8.8
Last Update
18. Februar 2020 08:09
Severity
8.8 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Weakness
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)
Summary
A remote code execution vulnerability in the Android system (bluetooth). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63146237.
Details
nvd.nist.gov 
CVE-2017-8628
6.8
Last Update
18. Februar 2020 08:09
Severity
6.8 (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
Weakness
Insufficient Information (NVD-CWE-noinfo)
Summary
Microsoft Bluetooth Driver in Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703 allows a spoofing vulnerability due to Microsoft's implementation of the Bluetooth stack, aka "Microsoft Bluetooth Driver Spoofing Vulnerability".
Details
nvd.nist.gov 
CVE-2017-0785
6.5
Last Update
18. Februar 2020 08:08
Severity
6.5 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Weakness
Information Exposure (CWE-200)
Summary
A information disclosure vulnerability in the Android system (bluetooth). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63146698.
Details
nvd.nist.gov 
CVE-2017-0783
6.5
Last Update
18. Februar 2020 08:09
Severity
6.5 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Weakness
Information Exposure (CWE-200)
Summary
A information disclosure vulnerability in the Android system (bluetooth). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63145701.
Details
nvd.nist.gov 

Impact

An unauthenticated, remote attacker may be able to obtain private information about the device or user, execute arbitrary code on the device or perform a virtually invisible Man-in-the-middle (MitM) attack.

Solution

Customers using affected Pepperl+Fuchs / ecom instruments products are recommended to update the device. For released firmware updates see table below.

Product  Date  Updatesource
 CT50-Ex Android  09/2017  FOTA-Update
 CT50-Ex Windows  10/2017  Microsoft Update
 Pad-Ex 01  09/2017  Microsoft Update
 Smart-Ex 01  09/2018  FOTA-Update
 Smart-Ex 201  10/2018  FOTA-Update


In case there is no update available, users should consider the following workaround:

Deactivation of Bluetooth on the device

Unused or not needed Bluetooth should be switched off / disabled on affected devices.

Reported by

These vulnerabilities were publicly disclosed by Ben Seri and Gregory Vishnepolsky of Armis.

https://www.armis.com/blueborne