Vulnerabilities in Pepperl + Fuchs Products Allow Backdoors

 


A security researcher from the Austrian company SEC Consult has discovered a number of vulnerabilities in Pepperl + Fuchs Comtrol IO-Link Master industrial gateways. Exploitation of vulnerabilities allows you to gain root access to the device and create backdoors.


The issues identified are Cross Site Request Forgery (CVE-2020-12511), Cross Site Scripting (CVE-2020-12512), Blind Command Injection (CVE-2020-12513), and Denial of Service (CVE-2020-12514) ). The affected products use outdated versions of third-party components including PHP, OpenSSL, BusyBox, the Linux kernel, and lighttpd, which are known to contain various issues.


According to the expert, if an attacker gains access to one of the vulnerable Control devices, he can execute commands on the device with superuser privileges and deploy persistent backdoors.


The vendor patched the vulnerabilities discovered by SEC Consult a few months after being notified. SEC Consult has also published a security notice containing a PoC code for exploiting each of the vulnerabilities.


Previous Post Next Post