
Endress+Hauser: products utilizing WPA2 vulnerable to KRACK attacks

VDE-2021-010
Last update
14.05.2025 14:28
Published at
18.05.2021 11:00
Vendor(s)
Endress+Hauser AG
External ID
VDE-2021-010
CSAF Document

Summary

Endress+Hauser products utilizing WPA2 are vulnerable to KRACK attacks.
Proline is a portfolio of flow meters with an optional WLAN interface in the display. The flow meters are only affected if the optional WLAN display is present.

Impact

Whether the configuration of the device can be modified depends on the configuration settings of the protocol used to communicate via WLAN (for example OPC UA or HTTP).

  • Access to the operator network via the device isn't possible because bridging isn't supported in the device.
  • The WLAN passphrase isn't readable.
  • Via OPC UA: read/write data access isn't possible if encryption is activated.
  • Via Webserver and CDI-RJ45: reading data is possible. Writing data isn't possible if an individual password is used.

Affected Product(s)

| Model no. | Product name | Affected versions |
|---|---|---|
| | Promag 300 with EtherNet/IP | Firmware <=01.01.02 |
| | Promag 300 with Foundation Fieldbus | Firmware <=01.00.01 |
| | Promag 300 with HART | Firmware <=01.01.01 |
| | Promag 300 with MODBUS | Firmware <=01.00.02 |
| | Promag 300 with PROFINET | Firmware <=01.00.01 |
| | Promag 300 with Profibus PA | Firmware <=01.00.03 |
| | Promag 400 with HART | Firmware <=02.00.01 |
| | Promag 500 with EtherNet/IP | Firmware <=01.01.02 |
| | Promag 500 with Foundation Fieldbus | Firmware <=01.00.01 |
| | Promag 500 with HART | Firmware <=01.01.01 |
| | Promag 500 with MODBUS | Firmware <=01.00.02 |
| | Promag 500 with PROFINET | Firmware <=01.00.01 |
| | Promag 500 with Profibus PA | Firmware <=01.00.03 |
| | Promass 300 with EtherNet/IP | Firmware <=01.01.02 |
| | Promass 300 with Foundation Fieldbus | Firmware <=01.00.01 |
| | Promass 300 with HART | Firmware <=01.01.02 |
| | Promass 300 with MODBUS | Firmware <=01.00.02 |
| | Promass 300 with PROFINET | Firmware <=01.00.01 |
| | Promass 300 with Profibus PA | Firmware <=01.00.03 |
| | Promass 500 with EtherNet/IP | Firmware <=01.01.02 |
| | Promass 500 with HART | Firmware <=01.01.02 |
| | Promass 500 with MODBUS | Firmware <=01.00.02 |
| | Promass 500 with PROFINET | Firmware <=01.00.01 |
| | Promass 500 with Profibus PA | Firmware <=01.00.03 |
| | Spare Display for Promag 300 | Firmware <=01.01.00 |
| | Spare Display for Promag 400 | Firmware <=01.01.00 |
| | Spare Display for Promag 500 | Firmware <=01.01.00 |
| | Spare Display for Promass 300 | Firmware <=01.01.00 |
| | Spare Display for Promass 500 | Firmware <=01.01.00 |
| | Spare Transmitter for Promag 300 with EtherNet/IP | Firmware <=01.01.02 |
| | Spare Transmitter for Promag 300 with Foundation Fieldbus | Firmware <=01.00.01 |
| | Spare Transmitter for Promag 300 with HART | Firmware <=01.01.01 |
| | Spare Transmitter for Promag 300 with MODBUS | Firmware <=01.00.02 |
| | Spare Transmitter for Promag 300 with PROFINET | Firmware <=01.00.01 |
| | Spare Transmitter for Promag 300 with Profibus PA | Firmware <=01.00.03 |
| | Spare Transmitter for Promag 400 with HART | Firmware <=02.00.01 |
| | Spare Transmitter for Promag 500 with EtherNet/IP | Firmware <=01.01.02 |
| | Spare Transmitter for Promag 500 with Foundation Fieldbus | Firmware <=01.00.01 |
| | Spare Transmitter for Promag 500 with HART | Firmware <=01.01.01 |
| | Spare Transmitter for Promag 500 with MODBUS | Firmware <=01.00.02 |
| | Spare Transmitter for Promag 500 with PROFINET | Firmware <=01.00.01 |
| | Spare Transmitter for Promag 500 with Profibus PA | Firmware <=01.00.03 |
| | Spare Transmitter for Promass 300 with EtherNet/IP | Firmware <=01.01.02 |
| | Spare Transmitter for Promass 300 with Foundation Fieldbus | Firmware <=01.00.01 |
| | Spare Transmitter for Promass 300 with HART | Firmware <=01.01.02 |
| | Spare Transmitter for Promass 300 with MODBUS | Firmware <=01.00.02 |
| | Spare Transmitter for Promass 300 with PROFINET | Firmware <=01.00.01 |
| | Spare Transmitter for Promass 300 with Profibus PA | Firmware <=01.00.03 |
| | Spare Transmitter for Promass 500 with EtherNet/IP | Firmware <=01.01.02 |
| | Spare Transmitter for Promass 500 with Foundation Fieldbus | Firmware <=01.00.01 |
| | Spare Transmitter for Promass 500 with HART | Firmware <=01.01.02 |
| | Spare Transmitter for Promass 500 with MODBUS | Firmware <=01.00.02 |
| | Spare Transmitter for Promass 500 with PROFINET | Firmware <=01.00.01 |
| | Spare Transmitter for Promass 500 with Profibus PA | Firmware <=01.00.03 |

Vulnerabilities


Published
22.09.2025 14:58
Weakness
Use of Insufficiently Random Values (CWE-330)
Summary

Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the four-way handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.

References

Published
22.09.2025 14:58
Weakness
Use of Insufficiently Random Values (CWE-330)
Summary

Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients.

References

Published
22.09.2025 14:58
Weakness
Use of Insufficiently Random Values (CWE-330)
Summary

Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the four-way handshake, allowing an attacker within radio range to replay frames from access points to clients.

References
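The key-reinstallation defect described in the three entries above, modelled as an added Python example (not Endress+Hauser code): a toy supplicant that resets its CCMP packet number on every key install, so a retransmitted handshake message 3 makes it encrypt two frames under the same (TK, nonce) pair, while the fixed variant refuses to reinstall a key that is already in use. The HMAC-based keystream, the sample TK and the frame contents are constructed stand-ins, and only the pairwise (PTK/TK) case is modelled.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
# Constructed toy model of the supplicant side of the WPA2 four-way handshake.
# keystream() stands in for the AES-CCMP keystream; only the bookkeeping matters.

def keystream(tk: bytes, nonce: int, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(tk, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

@dataclass
class Supplicant:
    reject_reinstall: bool                 # False = vulnerable, True = fixed
    tk: Optional[bytes] = None             # installed temporal key
    nonce: int = 0                         # CCMP packet number
    nonces_used: List[int] = field(default_factory=list)

    def handle_msg3(self, tk: bytes) -> bool:
        """Process handshake message 3; True if the TK was (re)installed."""
        if self.reject_reinstall and self.tk == tk:
            return False   # fix: never reinstall an already-installed key
        self.tk = tk
        self.nonce = 0     # every install resets the packet number
        return True

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        self.nonce += 1
        self.nonces_used.append(self.nonce)
        ks = keystream(self.tk, self.nonce, len(plaintext))
        return self.nonce, bytes(a ^ b for a, b in zip(plaintext, ks))

def run_handshake(reject_reinstall: bool) -> Tuple[List[int], bytes, bytes]:
    """Install the TK, send a frame, process a retransmitted message 3, send again."""
    tk = b"\x11" * 16                      # constructed sample TK
    sup = Supplicant(reject_reinstall)
    sup.handle_msg3(tk)
    _, c1 = sup.encrypt(b"valve=open ")
    sup.handle_msg3(tk)                    # message 3 retransmitted (message 4 lost)
    _, c2 = sup.encrypt(b"valve=close")
    return sup.nonces_used, c1, c2

def nonce_reused(nonces: List[int]) -> bool:
    # Detection check: the same (TK, nonce) pair must never encrypt two frames.
    return len(nonces) != len(set(nonces))
```

With the vulnerable supplicant the two ciphertexts XOR to the XOR of the two plaintexts, which is exactly the keystream reuse the advisory's "replay, decrypt, or spoof frames" refers to; the fixed supplicant keeps the packet number monotonic.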

Mitigation

If an immediate firmware update is not possible, the WLAN on the unit can also be switched off as a precautionary measure.

Remediation

Endress+Hauser provides updated firmware versions for all affected products from the Proline portfolio that fix the vulnerability, and recommends that customers update to the fixed version. For support, please contact your local service center.

Revision History

| Version | Date | Summary |
|---|---|---|
| 1 | 15.05.2021 11:00 | Initial revision. |
| 2 | 14.05.2025 14:28 | Fix: version space, added distribution |