The affected products contain a CODESYS Control runtime system in version V2. They are therefore affected by the
vulnerability described in CODESYS Advisory 2021-06. It provides a communication server for the communication with clients like the CODESYS Development System.
The 9400 servo inverters is only affected if the communication Path via the inserted EtherNet Module E94AYCEN on slot MXI1 or MXI2 is used. If the Module E94AYCEN is used, the following Versions are affected.
Product Identification: E94xSHxxx (Single Drive, High Line)
Product Identification: E94xMHxxx (Multi Drive, High Line)
Remark: If the product identification of your 9400 product does not fit to the above mentioned identification, please contact Lenze at Security.de@Lenze.com.
The Versions P (power supply module) and R (regenerative power supply module) are not affected. Furthermore, the Variant P (PLC) and the Variant S (StateLine) are not affected. The communication paths via the diagnostic interface X6, the system bus (CAN) X1 or the field buses (other than the named Ethernet module) that can be plugged into the module slots MXI1 or MXI2 are not affected.
The focus is therefore on 9400 servo inverters with the product-identification E94x{S/M}{H}... with a plugged in Ethernet module E94AYCEN... in module slot MXI1 or MXI2 and communication with the Engineer-Tools via exactly this channel.
In addition to the standard tool Engineer, there is also a special Version of the PLC Designer (Version 0.x). The communication path to the PLC Designer is not considered with the planned update and the vulnerabilities here remain even after the update. Here, the customer must provide a secure Environment, see Mitigation.
Promass 83 devices utilizing 499ES EtherNet/IP (ENIP) Stack by Real Time Automation (RTA) are vulnerable to a stack-based buffer overflow.
Update A, 2021-10-07:
The affected product families are cameras SBOC/SBOI and the Controller SBRD. The vulnerabilities are located within the Ethernet IP Stack from EIPStackGroup OpENer Ethernet/IP.
Multiple products of PILZ utilise a third-party TCP/IP implementation - the "Niche Ethernet Stack". This TCP/IP stack contains multiple vulnerabilities which are therefore affecting the products listed above.
Multiple vulnerabilities were reported in WIBU-SYSTEMS Codemeter. WIBU-SYSTEMS Codemeter is installed by default during e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installations. All currently existing e!COCKPIT installation bundles and WAGO-I/O-Pro (CODESYS 2.3) installation bundles with Version 2.3.9.46, 2.3.9.47, 2.3.9.49, 2.3.9.53, 2.3.9.55, 2.3.9.61 and 2.3.9.66 contain vulnerable versions of WIBU-SYSTEMS Codemeter.
The Web-Based Management (WBM) of WAGOs programmable logic controller (PLC) is typically used for administration, commissioning and updates.
With special crafted requests it is possible to read and write some special parameters without authentication.
This vulnerability is different to advisory SAV-2020-014 / VDE-2020-028.
WAGO controllers have always been designed for easy connection to IT infrastructure. Even controllers from legacy product lines support encryption standards to ensure secure communication.
With special crafted requests it is possible to bring the device out of operation.
All listed devices are vulnerable for this denial of service attack.
Critical vulnerabilities have been discovered in the utilized component TRECK TCP/IP Stack by Digi International Inc.
For more information see advisory by Digi International Inc.:
Digi International Security Notice - TRECK TCP/IP Stack "RIPPLE20" VU#257161 ICS-VU-035787 | Digi International