VDE-2022-036 | CERT@VDE

2022-09-20 12:00 (CEST) VDE-2022-036

Festo: CPX-CEC-C1 and CPX-CMXX, Missing Authentication for Critical Webpage Function UPDATE A

Share: Email | Twitter

ID

VDE-2022-036

Published

2022-09-20 12:00 (CEST)

Last update

2022-10-19 08:00 (CEST)

Vendor(s)

Festo SE & Co. KG

Product(s)

Article No°	Product Name	Affected Version(s)
567347	Control block CPX-CEC-C1	<= 2.0.12
555667	Control block CPX-CMXX	<= 1.2.34 rev.404
555668	Control block CPX-CMXX	<= 1.2.34 rev.404
568714	Control block-SET CPX-CEC-C1	<= 2.0.12

Summary

UPDATE A (19.10.2022): Added Control block-Set CPX-CEC-C1 and Control block-SET
CPX-CMXX to affected products.

Unauthenticated access to critical webpage functions (e.g. reboot) may cause a denial of service of the device.

CVE ID

CVE-2022-3079

Last Update:

Sept. 20, 2022, 11:14 a.m.

Severity

7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Weakness

Improper Privilege Management (CWE-269)

Summary

Festo control block CPX-CEC-C1 and CPX-CMXX in multiple versions allow unauthenticated, remote access to critical webpage functions which may cause a denial of service.

Details

nvd.nist.gov

Impact

CPX-CEC-C1 and CPX-CMXX allow unauthenticated access to critical webpage functions (e.g. reboot) which may cause a denial of service of the device

Solution

Remediation

Currently no fix is planned.

Replace CPX-CEC-C1 with follow-up product CPX-CEC-C1-V3.

Replace CPX-CMXX with follow up product CPX-CEC-M1-V3.

General recommendations

As part of a security strategy, Festo recommends the following general defense measures to reduce the risk of exploits:

Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
Use firewalls to protect and separate the control system network from other networks
Use VPN (Virtual Private Networks) tunnels if remote access is required
Activate and apply user management and password features
Use encrypted communication links
Limit the access to both development and control system by physical means, operating system features, etc.
Protect both development and control system by using up to date virus detecting solutions

Festo strongly recommends to minimize and protect network access to connected devices with state of the art techniques and processes.
For a secure operation follow the recommendations in the product manuals.

Reported by

Festo SE & Co. KG thanks the following parties for their efforts:

CERT@VDE for coordination and support with this publication
Daniel dos Santos, Rob Hulsebos from Forescout for reporting to Festo