| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| 773103 | Base-Device PNOZ mxp ETH (PNOZmulti Classic) | all versions |
| 773104* | Base-Device PNOZ mxp ETH (PNOZmulti Classic) | all versions |
| 773113 | Base-Device PNOZ mxp ETH (PNOZmulti Classic) | all versions |
| 773116 | Base-Device PNOZ mxp ETH (PNOZmulti Classic) | all versions |
| 773123 | Base-Device PNOZ mxp ETH (PNOZmulti Classic) | all versions |
| 7731260 | Base-Device PNOZ mxp ETH (PNOZmulti Classic) | all versions |
| 316020 | PNOZ m B1 | < v1.8 |
| 316020 | PNOZ m ES ETH | < v1.2 |
| 316020 | PNOZ mmc1p ETH | all versions |
| 312041 | PSSu-Module for decentralised E/A-System | all versions |
| 312042 | PSSu-Module for decentralised E/A-System | all versions |
| 312043 | PSSu-Module for decentralised E/A-System | all versions |
| 31206* | PSSu-Module for PSS 4000 | < 1.22.2 |
| 312070* | PSSu-Module for PSS 4000 | < 1.22.2 |
| 312071* | PSSu-Module for PSS 4000 | < 1.22.2 |
| 312077 | PSSu-Module for PSS 4000 | < 1.22.2 |
| 312085* | PSSu-Module for PSS 4000 | < 1.22.2 |
| 312087 | PSSu-Module for PSS 4000 | < 1.22.2 |
| 31407* | PSSu-Module for PSS 4000 | < 1.22.2 |
| 314085 | PSSu-Module for PSS 4000 | < 1.22.2 |
| 314086 | PSSu-Module for PSS 4000 | < 1.22.2 |
| 314087 | PSSu-Module for PSS 4000 | < 1.22.2 |
| 315070* | PSSu-Module for PSS 4000 | < 1.22.2 |
| 315071* | PSSu-Module for PSS 4000 | < 1.22.2 |
| 315085 | PSSu-Module for PSS 4000 | < 1.22.2 |
| 315086 | PSSu-Module for PSS 4000 | < 1.22.2 |
| 316010 | PSSu-Module for PSS 4000 | < 1.22.2 |
| 316020 | PSSu-Module for PSS 4000 | < 1.22.2 |
Multiple products of PILZ utilise a third-party TCP/IP implementation - the "Niche Ethernet Stack". This TCP/IP stack contains multiple vulnerabilities which are therefore affecting the products listed above.
An issue was discovered in HCC Nichestack 3.0. The code that generates Initial Sequence Numbers (ISNs) for TCP connections derives the ISN from an insufficiently random source. As a result, an attacker may be able to determine the ISN of current and future TCP connections and either hijack existing ones or spoof future ones. (Proper ISN generation should aim to follow at least the specifications outlined in RFC 6528.)
An issue was discovered in tcp_rcv() in nptcp.c in HCC embedded InterNiche 4.0.1. The TCP header processing code doesn't sanitize the value of the IP total length field (header length + data length). With a crafted IP packet, an integer overflow occurs whenever the value of the IP data length is calculated by subtracting the length of the header from the total length of the IP packet.
An issue was discovered in tcp_pulloutofband() in tcp_in.c in HCC embedded InterNiche 4.0.1. The TCP out-of-band urgent-data processing function invokes a panic function if the pointer to the end of the out-of-band data points outside of the TCP segment's data. If the panic function hadn't a trap invocation removed, it will enter an infinite loop and therefore cause DoS (continuous loop or a device reset).
An issue was discovered in HCC Nichestack 3.0. The code that parses TCP packets relies on an unchecked value of the IP payload size (extracted from the IP header) to compute the length of the TCP payload within the TCP checksum computation function. When the IP payload size is set to be smaller than the size of the IP header, the TCP checksum computation function may read out of bounds (a low-impact write-out-of-bounds is also possible).
An issue was discovered in HCC Nichestack 3.0. The code that parses ICMP packets relies on an unchecked value of the IP payload size (extracted from the IP header) to compute the ICMP checksum. When the IP payload size is set to be smaller than the size of the IP header, the ICMP checksum computation function may read out of bounds, causing a Denial-of-Service.
The vulnerabilities allow a remote attacker to:
| Product | Affected by |
| PSSu-Module for decentralised E/A-System |
CVE-2020-35683, CVE-2020-35684, CVE-2020-35685, |
| PSSu-Module for PSS 4000 | CVE-2020-35683, CVE-2020-35684, CVE-2020-35685 CVE-2021-31400, CVE-2021-31401 |
| PNOZ m B1 | CVE-2020-35683, CVE-2020-35684, CVE-2020-35685 |
| PNOZ m ES ETH | CVE-2020-35683, CVE-2020-35684, CVE-2020-35685 |
| PNOZ mmc1p ETH | CVE-2020-35683, CVE-2020-35684, CVE-2020-35685 |
| Base-Device PNOZ mxp ETH (PNOZmulti Classic) |
CVE-2020-35683, CVE-2020-35684, CVE-2020-35685 |
| Product | |
| PSSu-Module for decentralised E/A-System | see Mitigation |
| PSSu-Module for PSS 4000 | upgrade firmware to 1.22.2 * |
| PNOZ m B1 | see Mitigation ** |
| PNOZ m ES ETH | see Mitigation ** |
| PNOZ mmc1p ETH | see Mitigation |
| Base-Device PNOZ mxp ETH (PNOZmulti Classic) |
see Mitigation |
* CVE-2020-35685 will not be addressed in this update b/c it has no affect on the security level of the used services and their protocols MODBUS/TCP and RAW-TCP.
** These products are not updateable in the field. They use a fixed firmware pre-installed by the manufacturer.
Mitigation
It is adviced to use firewalls or similar network security devices to prevent unauthorized network communication to the products affected.
This vulnerability was discovered and reported by Forescout Technologies, Inc.
We kindly appreciate the coordinated disclosure of this vulnerability by the finder.
PILZ thanks CERT@VDE for the coordination and support with this publication.