This week we have one vendor disclosure from PEPPERL+FUCHS and one vendor update for products from 3S.
PEPPERL+FUCHS Advisory
CERT-VDE published an advisory describing five vulnerabilities in the PEPPERL+FUCHS Comtrol RocketLinx Ethernet switches. The vulnerabilities were reported by T. Weber of SEC Consult Vulnerability Lab. PEPPERL+FUCHS has new firmware versions available that mitigate the vulnerabilities. There is no indication that Weber has been provided an opportunity to verify the efficacy of the fix.
The five reported vulnerabilities are:
• Unauthenticated device administration (2) - CVE-2020-12500 and CVE-2020-12502,
• Undocumented accounts - CVE-2020-12501,
• Multiple authenticated command injections - CVE-2020-12500, and
• Active TFTP-service - CVE-2020-12504
NOTE 1: The current version of this advisory on the CERT-VDE web page is marked as ‘Update A’; the original version was apparently published earlier in the week.
NOTE 2: SEC Consult reports that this is an OEM vulnerability which they do not name pending response to the vulnerability notification.
3S Update
3S published an update [.PDF download link] for their CodeMeter advisory that was originally published on September 16th, 2020 and most recently updated on September 24th, 2020. The new information includes more details about the coverage of the update for CODESYS v3.5.16.20.