Share: Email | Twitter

ID

VDE-2022-036

Published

2022-09-20 12:00 (CEST)

Last update

2022-10-19 08:00 (CEST)

Vendor(s)

Festo SE & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
567347 Control block CPX-CEC-C1 <= 2.0.12
555667 Control block CPX-CMXX <= 1.2.34 rev.404
555668 Control block CPX-CMXX <= 1.2.34 rev.404
568714 Control block-SET CPX-CEC-C1 <= 2.0.12

Summary

UPDATE A (19.10.2022): Added Control block-Set CPX-CEC-C1 and Control block-SET
CPX-CMXX to affected products.

Unauthenticated access to critical webpage functions (e.g. reboot) may cause a denial of service of the device.


Last Update:

20. September 2022 11:14

Weakness

Improper Privilege Management  (CWE-269) 

Summary

Festo control block CPX-CEC-C1 and CPX-CMXX in multiple versions allow unauthenticated, remote access to critical webpage functions which may cause a denial of service.


Impact

CPX-CEC-C1 and CPX-CMXX allow unauthenticated access to critical webpage functions (e.g. reboot) which may cause a denial of service of the device

Solution

Remediation

Currently no fix is planned.

Replace CPX-CEC-C1 with follow-up product CPX-CEC-C1-V3.

Replace CPX-CMXX with follow up product CPX-CEC-M1-V3.

General recommendations

As part of a security strategy, Festo recommends the following general defense measures to reduce the risk of exploits:

  • Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
  • Use firewalls to protect and separate the control system network from other networks
  • Use VPN (Virtual Private Networks) tunnels if remote access is required
  • Activate and apply user management and password features
  • Use encrypted communication links
  • Limit the access to both development and control system by physical means, operating system features, etc.
  • Protect both development and control system by using up to date virus detecting solutions

Festo strongly recommends to minimize and protect network access to connected devices with state of the art techniques and processes.
For a secure operation follow the recommendations in the product manuals.

Reported by

Festo SE & Co. KG thanks the following parties for their efforts:

  • CERT@VDE for coordination and support with this publication 
  • Daniel dos Santos, Rob Hulsebos from Forescout for reporting to Festo