WAGO: Multiple Vulnerabilities in CODESYS Runtime 2.3

Multiple vulnerabilities were reported in CODESYS 2.3 Runtime. The CODESYS 2.3 Runtime is an essential component in several WAGO PLC’s.


CVE-2021-30192: 9.8
CVE-2021-30193: 9.8
CVE-2021-30188: 9.8
CVE-2021-30189: 9.8
CVE-2021-30190: 9.8
CVE-2021-30194: 9.1
CVE-2021-30195: 7.5
CVE-2021-30186: 7.5
CVE-2021-30191: 7.5
CVE-2021-21000: 7.5
CVE-2021-21001: 6.5
CVE-2021-30187: 5.3

Beckhoff: Stack Overflow and XXE vulnerability in various OPC UA products

The affected products can act as OPC UA client or server and are vulnerable to two different kind of attacks via
the OPC UA protocol. For both cases the attacker can send packets via the OPC UA protocol without the need to
authenticate and

  1. provoke a stack overflow resulting in denial of service of the product or
  2. make the product disclose information to the attacker without authorization.


CVE-2021-27432: 7.5
CVE-2021-27434: 7.5

Endress+Hauser: products utilizing WPA2 vulnerable to KRACK attacks

Endress+Hauser products utilizing WPA2 are vulnerable to KRACK attacks.
Proline portfolio is a flow meter with an optional WLAN interface in the display. The flowmeters are only affected if the optional WLAN display is present.


CVE-2017-13077: 6.8
CVE-2017-13078: 5.3
CVE-2017-13080: 5.3

Pepperl+Fuchs: Multiple vulnerabilites in ICE1 Ethernet IO Modules

Critical vulnerability has been discovered in the utilized components rcX, mbedTLS, PROFINET IO Device and EtherNet/IP Core by Hilscher Gesellschaft für Systemautomation mbH.
The impact of the vulnerabilities on the affected device is that it can result in:

  • Denial of Service (DoS)
  • Remote Code Execution (RCE)
  • Code Exposure

Note

ICE1-8IOL-S2-G60L-V1D (70103603) is not affected by CVE-2021-20986


CVE-2021-20987: 8.6
CVE-2021-20988: 7.5
CVE-2021-20986: 7.5
CVE-2019-18222: 4.7

WAGO: Multiple Vulnerabilities in the Web-Based Management Interface

The Web-Based Management (WBM) of WAGOs industrial managed switches is typically used for administration, commissioning and updates.

The reported vulnerabilities allow an attacker with access to the device and the Web-Based Management, to install malware, access to password hashes and create user with admin credentials.


CVE-2021-20998: 9.8
CVE-2021-20995: 7.5
CVE-2021-20997: 7.5
CVE-2021-20994: 6.1
CVE-2021-20993: 5.3
CVE-2021-20996: 5.3

Weidmueller: Accidentally open network port in u-controls and IoT-Gateways

A network port intended only for device-internal usage is accidentally accessible via external network interfaces.


CVE-2021-20999: 9.8

Feeds

By Vendor

Archive

2024
2023
2022
2021
2020
2019
2018
2017

Legend

(Scoring for CVSS 2.0,3.0+3.1)
None
No CVE available
Low
0.1 <= 3.9
Medium
4.0 <= 6.9
High
7.0 <= 8.9
Critical
9.0 <= 10.0