Share: Email | Twitter

ID

VDE-2021-010

Published

2021-05-18 11:00 (CEST)

Last update

2021-05-18 11:00 (CEST)

Vendor(s)

Endress+Hauser AG

Product(s)

Article No° Product Name Affected Version(s)
Promag 300 with EtherNet/IP <= 01.01.02
Promag 300 with Foundation Fieldbus <= 01.00.01
Promag 300 with HART <= 01.01.01
Promag 300 with MODBUS <= 01.00.02
Promag 300 with Profibus PA <= 01.00.03
Promag 300 with PROFINET <= 01.00.01
Promag 400 with HART <= 02.00.01
Promag 500 with EtherNet/IP <= 01.01.02
Promag 500 with Foundation Fieldbus <= 01.00.01
Promag 500 with HART <= 01.01.01
Promag 500 with MODBUS <= 01.00.02
Promag 500 with Profibus PA <= 01.00.03
Promag 500 with PROFINET <= 01.00.01
Promass 300 with EtherNet/IP <= 01.01.02
Promass 300 with Foundation Fieldbus <= 01.00.01
Promass 300 with HART <= 01.01.02
Promass 300 with MODBUS <= 01.00.02
Promass 300 with Profibus PA <= 01.00.03
Promass 300 with PROFINET <= 01.00.01
Promass 500 with EtherNet/IP <= 01.01.02
Promass 500 with Foundation Fieldbus <= 01.00.01
Promass 500 with HART <= 01.01.02
Promass 500 with MODBUS <= 01.00.02
Promass 500 with Profibus PA <= 01.00.03
Promass 500 with PROFINET <= 01.00.01
Spare Display for Promag 300 <= 01.01.00
Spare Display for Promag 400 <= 01.01.00
Spare Display for Promag 500 <= 01.01.00
Spare Display for Promass 300 <= 01.01.00
Spare Display for Promass 500 <= 01.01.00
Spare Transmitter for Promag 300 with EtherNet/IP <= 01.01.02
Spare Transmitter for Promag 300 with Foundation Fieldbus <= 01.00.01
Spare Transmitter for Promag 300 with HART <= 01.01.01
Spare Transmitter for Promag 300 with MODBUS <= 01.00.02
Spare Transmitter for Promag 300 with Profibus PA <= 01.00.03
Spare Transmitter for Promag 300 with PROFINET <= 01.00.01
Spare Transmitter for Promag 400 with HART <= 02.00.01
Spare Transmitter for Promag 500 with EtherNet/IP <= 01.01.02
Spare Transmitter for Promag 500 with Foundation Fieldbus <= 01.00.01
Spare Transmitter for Promag 500 with HART <= 01.01.01
Spare Transmitter for Promag 500 with MODBUS <= 01.00.02
Spare Transmitter for Promag 500 with Profibus PA <= 01.00.03
Spare Transmitter for Promag 500 with PROFINET <= 01.00.01
Spare Transmitter for Promass 300 with EtherNet/IP <= 01.01.02
Spare Transmitter for Promass 300 with Foundation Fieldbus <= 01.00.01
Spare Transmitter for Promass 300 with HART <= 01.01.02
Spare Transmitter for Promass 300 with MODBUS <= 01.00.02
Spare Transmitter for Promass 300 with Profibus PA <= 01.00.03
Spare Transmitter for Promass 300 with PROFINET <= 01.00.01
Spare Transmitter for Promass 500 with EtherNet/IP <= 01.01.02
Spare Transmitter for Promass 500 with Foundation Fieldbus <= 01.00.01
Spare Transmitter for Promass 500 with HART <= 01.01.02
Spare Transmitter for Promass 500 with MODBUS <= 01.00.02
Spare Transmitter for Promass 500 with Profibus PA <= 01.00.03
Spare Transmitter for Promass 500 with PROFINET <= 01.00.01

Summary

Endress+Hauser products utilizing WPA2 are vulnerable to KRACK attacks.
Proline portfolio is a flow meter with an optional WLAN interface in the display. The flowmeters are only affected if the optional WLAN display is present.

Vulnerabilities



Last Update
20. September 2019 09:42
Weakness
7PK - Security Features (CWE-254)
Summary
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the four-way handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.
Last Update
20. September 2019 09:42
Weakness
7PK - Security Features (CWE-254)
Summary
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the four-way handshake, allowing an attacker within radio range to replay frames from access points to clients.
Last Update
20. September 2019 09:43
Weakness
7PK - Security Features (CWE-254)
Summary
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients.

Impact

The feasibility of modifying the configuration of the device depends on the configuration settings regarding the used protocol (for example: OPC UA, http) to communicate via WLAN.

  • Access to operator network via device isn't possible because bridging in the device isn't supported.
  • The WLAN passphrase isn't readable.
  • Via OPC UA: read/write data access isn't possible if encryption is activated.
  • Via Webserver and CDI-RJ45: read data is possible. Write data isn't possible if individual password is used.

Solution

General Security Recommendations

As a general security measure Endress+Hauser strongly recommends protecting network access to the WLAN network with appropriate mechanisms. It is advised to configure the environment according to best practices to run the devices in a protected IT environment. Further general recommendations apply for the affected products:

  • Activate encryption for OPC UA
  • For Webserver and CDI-RJ45: Change device default password to individual password
  • For WLAN: Change WLAN default password to individual WLAN password

Temporary Fix/ Mitigation

If an immediate firmware update is not possible, the WLAN on the unit can also be switched off as a precautionary measure.

Remediation

Endress+Hauser provides updated firmware versions for all related products from the Proline portfolio which fixes the vulnerability and recommends customers to update to the new fixed version. For support, please contact your local service center.

Reported by

Mathy Vanhoef of imec-DistriNet, KU Leuven published this vulnerability on https://www.krackattacks.com

Coordinated by CERT@VDE