Share: Email | Twitter

ID

VDE-2021-007

Published

2021-02-16 15:53 (CET)

Last update

2021-02-16 15:53 (CET)

Vendor(s)

Pepperl+Fuchs SE

Product(s)

Article No° Product Name Affected Version(s)
262163 PCV100-F200-B25-V1D-6011 <= V1.10.0
284068 PCV100-F200-B25-V1D-6011-6720 <= V1.10.0
262161 PCV50-F200-B25-V1D <= V1.10.0
262162 PCV80-F200-B25-V1D <= V1.10.0
293431-100004 PXV100-F200-B25-V1D <= V1.10.0
293431-100010 PXV100I-F200-B25-V1D <= V1.10.0
262006 WCS3B-LS510 <= V1.2.1
304867 WCS3B-LS510D <= V1.2.1
304868 WCS3B-LS510DH <= V1.2.1
312681 WCS3B-LS510DH-OM <= V1.2.1
312682 WCS3B-LS510D-OM <= V1.2.1
304866 WCS3B-LS510H <= V1.2.1
312680 WCS3B-LS510H-OM <= V1.2.1
312683 WCS3B-LS510-OM <= V1.2.1

Summary

Critical vulnerability has been discovered in the utilized component Ethernet IP Stack by Hilscher Gesellschaft für Systemautomation mbH.
The impact of the vulnerability on the affected device is that it can

  • denial of service
  • remote code execution
  • code exposure

For more information see advisory by Hilscher:
https://kb.hilscher.com/pages/viewpage.action?pageId=108969480

CVE ID

CVE-2021-20987 

Last Update:

Nov. 17, 2022, 1:09 p.m.

Severity

8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) 

Weakness

Out-of-bounds Write  (CWE-787) 

Summary

A denial of service and memory corruption vulnerability was found in Hilscher EtherNet/IP Core V2 prior to V2.13.0.21that may lead to code injection through network or make devices crash without recovery.

Details

nvd.nist.gov 

Impact

Pepperl+Fuchs analyzed and identified affected devices.
Remote attackers may cause a cause a Denial Of Service of the product.

Solution

Mitigation

An external protective measure is required.

  • Minimize network exposure for affected products and ensure that they are not accessible via the Internet.
  • Isolate affected products from the corporate network.
  • If remote access is required, use secure methods such as virtual private networks (VPNs).

Reported by

Hilscher Gesellschaft für Systemautomation mbH