Summary
Multiple Weidmueller products are affected by an OpenSSL vulnerability.
Weidmüller has released new firmwares of the affected products to fix the vulnerability.
Impact
Weidmüller products are vulnerable to a birthday attack referred to as SWEET32. When exploited, the vulnerability may lead to the unauthorized disclosure of information.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| IE-SW-PL10M-3GT-7TX | Firmware <V3.3.32 | |
| IE-SW-PL10MT-3GT-7TX | Firmware <V3.3.32 | |
| IE-SW-PL16M-16TX | Firmware <V3.4.30 | |
| IE-SW-PL16MT-16TX | Firmware <V3.4.30 | |
| IE-SW-PL18M-2GC-16TX | Firmware <V3.4.38 | |
| IE-SW-PL18MT-2GC-16TX | Firmware <V3.4.38 | |
| IE-SW-VL05M-5TX | Firmware <V3.6.30 | |
| IE-SW-VL05MT-5TX | Firmware <V3.6.30 | |
| IE-SW-VL08MT-5TX-1SC-2SCS | Firmware <V3.5.34 | |
| IE-SW-VL08MT-6TX-2SC | Firmware <V3.5.34 | |
| IE-SW-VL08MT-6TX-2SCS | Firmware <V3.5.34 | |
| IE-SW-VL08MT-6TX-2ST | Firmware <V3.5.34 | |
| IE-SW-VL08MT-8TX | Firmware <V3.5.34 |
Vulnerabilities
Expand / Collapse allThe DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
Remediation
Update to new version as listed below.
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 05.03.2025 09:00 | Initial version |
| 2 | 05.03.2025 12:00 | added categories to references |