The user management of the FL SWITCH 2xxx family of devices implements access rights based on roles and permission groups. An unprivileged user logged in via the SSH CLI is assigned to the admin role independent of his configured access role enabling full access to the device configuration (CWE-266 - Incorrect Privilege Assignment).
User Management via SSH was first introduced with firmware version 3.00. Firmware versions other than 3.00 are not affected by this vulnerability.
The TCP/IP stack and of the networking component (Nucleus NET) in Nucleus Real-Time Operating System (RTOS) contain several vulnerabilities. Nucleus NET is utilized by BLUEMARK X1 / LED / CLED.
The abovementioned BLUEMARK printers are discontinued and only impacted by a subset of 8 of the 13 discovered vulnerabilities.
Cross-site scripting in web-based management and memory leak in the remote logging function of FL MGUARD 1102 and FL MGUARD 1105.
CVE-2021-34582:
The file upload functionality in the web-based management is affected by a stored cross-site scripting vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation). An authenticated FL MGUARD user with Admin or Super Admin role can upload a certificate file on the Basic settings > LDAP page, on the Logs > Remote logging page, or through the REST API. The content of this file is embedded into the corresponding web page, and any
HTML code within the file is rendered when the page is viewed by the same or a different authenticated user.
CVE-2021-34598:
The remote logging functionality is impaired by the lack of memory release for data structures from syslog-ng when remote logging is active (CWE-770: Allocation of Resources Without Limits or Throttling).
PC Worx / -Express is vulnerable to a “zip slip” style vulnerability when loading a project file.
Access to the Apache web server being installed as part of the FL MGUARD DM on Microsoft Windows does not require login credentials even if configured during installation.
A device on the same network as the controller sending a special crafted JSON request to the /auth/access-token endpoint may cause the controller to restart (CWE-20).
UPDATE A
The CVSS score has been raised from 7.7 (CVSS:3.0:AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) to 9.1 (CVSS:3.0:AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
Third party Niche Ethernet stack has several vulnerabilities announced by the security researcher’s community.
Phoenix Contact Classic Line industrial controllers are developed and designed for the use in closed industrial networks. The communication protocols and device access do not feature authentication measures. Remote attackers can use specially crafted IP packets to cause a Denial of Service or a Breach of Integrity of the PLC.