Share: Email | Twitter

ID

VDE-2021-016

Published

2021-05-04 10:17 (CEST)

Last update

2021-05-04 10:17 (CEST)

Vendor(s)

Weidmueller Interface GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
1334990000 IOT-GW30 1.3.0 <= 1.9.0
1334990000 IOT-GW30 1.10.0 <= 1.10.2
1334990000 IOT-GW30 = 1.11.0
1334990000 IOT-GW30 = 1.12.1
1334990000 IOT-GW30-4G-EU 1.3.0 <= 1.9.0
1334990000 IOT-GW30-4G-EU 1.10.0 <= 1.10.2
1334990000 IOT-GW30-4G-EU = 1.11.0
1334990000 IOT-GW30-4G-EU = 1.12.1
1334950000 UC20-WL2000-AC 1.3.0 <= 1.9.0
1334950000 UC20-WL2000-AC 1.10.0 <= 1.10.2
1334950000 UC20-WL2000-AC = 1.11.0
1334950000 UC20-WL2000-AC = 1.12.1
1334990000 UC20-WL2000-IOT 1.3.0 <= 1.9.0
1334990000 UC20-WL2000-IOT 1.10.0 <= 1.10.2
1334990000 UC20-WL2000-IOT = 1.11.0
1334990000 UC20-WL2000-IOT = 1.12.1

Summary

A network port intended only for device-internal usage is accidentally accessible via external network interfaces.


Last Update:

7. Juli 2021 10:13

Weakness

Exposure of Resource to Wrong Sphere  (CWE-668) 

Summary

In Weidmüller u-controls and IoT-Gateways in versions up to 1.12.1 a network port intended only for device-internal usage is accidentally accessible via external network interfaces. By exploiting this vulnerability the device may be manipulated or the operation may be stopped.

Impact

The reported vulnerability allows an attacker who has network access and knowledge about the internal configuration protocol to read and write configuration data without prior authorization. By exploiting this vulnerability the attacker potentially is able to manipulate or stop the operation of the device.

Solution

Mitigation

  • Restrict access to the network th device is connected to
  • Do not directly connect the device to the internet

Remidiation

Weidmüller recommends upgrading affected devices to the current firmware version 1.12.3 or higher which fixes this vulnerability.

Alternatively the following firmware versions which fix this vulnerability may be installed:

Product Affected (installed) firmware version Fixed firmware version
Any affected product 1.3.0 - 1.9.0 1.9.1
1.10.1, 1.10.2 1.10.3
1.10.0, 1.11.0, 1.12.1 1.12.3

Reported by

Reported by Weidmüller.