VDE-2021-040

Vulnerability from csaf_endresshauserag - Published: 2021-10-04 12:30 - Updated: 2025-05-14 12:28
Summary
Endress+Hauser: Promass 83 with EtherNet/IP affected by a stack-based buffer overflow
Notes
Summary: Promass 83 devices utilizing the 499ES EtherNet/IP (ENIP) Stack by Real Time Automation (RTA) are vulnerable to a stack-based buffer overflow.
Update A, 2021-10-07: added credits; changed title from "ENDRESS+HAUSER: Promass 83 with Ether/IP affected by DoS vulnerability" to "ENDRESS+HAUSER: Promass 83 with EtherNet/IP affected by a stack-based buffer overflow".
Impact: The vulnerability described can lead to a denial of service or even remote code execution.
Mitigation: If an immediate firmware update is not possible, the only way to prevent an attack is to disable communication via EtherNet/IP.
Remediation: Endress+Hauser provides updated firmware versions (firmware versions >1.00.00) for the affected product from the Proline portfolio which fix the vulnerability. Endress+Hauser strongly recommends that customers update to the fixed version. For support, please contact your local service center.

Promass 83 devices using the 499ES EtherNet/IP (ENIP) stack by Real Time Automation (RTA) contain a stack-based buffer overflow (CWE-121, tracked as CVE-2020-25159). The flaw is reachable over the device's EtherNet/IP interface by a remote attacker without authentication or user interaction (CVSS:3.1 AV:N/PR:N/UI:N) and can cause a denial of service or, potentially, remote code execution.

CWE-121 - Stack-based Buffer Overflow
Mitigation: If an immediate firmware update is not possible, the only way to prevent an attack is to disable communication via EtherNet/IP.
Vendor Fix: Endress+Hauser provides updated firmware versions (firmware versions >1.00.00) for the affected product from the Proline portfolio which fix the vulnerability. Endress+Hauser strongly recommends that customers update to the fixed version. For support, please contact your local service center.
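The weakness class named above (CWE-121) as it typically appears in a length-prefixed protocol parser, shown as an added illustration that is neither RTA's 499ES code nor Endress+Hauser firmware: the advisory does not say which field the 499ES stack mishandles, so the vulnerable function below is a generic example of the pattern, placed beside a hardened version. The 24-byte encapsulation header layout (command, length, session handle, status, sender context, options) and the SendRRData command code 0x006F follow the public EtherNet/IP specification; the buffer size, the helper names and the test frame are choices made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration of CWE-121 in a length-prefixed network parser.
 * Not RTA's 499ES code: the real defect is not described in this advisory. */

#define ENIP_HDR_LEN   24u   /* EtherNet/IP encapsulation header (public spec) */
#define ENIP_DATA_MAX  64u   /* fixed-size buffer chosen for the example */

static uint16_t le16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* VULNERABLE: copies as many bytes as the peer *declares* in the Length field
 * into a fixed-size stack buffer. A frame declaring 0xFFFF bytes overruns
 * 'data' and smashes the stack: a crash (DoS) or, with a crafted payload,
 * code execution. Shown for contrast only; never call it on untrusted input. */
void enip_handle_vulnerable(const uint8_t *pkt) {
    uint8_t data[ENIP_DATA_MAX];
    uint16_t declared = le16(pkt + 2);
    memcpy(data, pkt + ENIP_HDR_LEN, declared);   /* no bound on 'declared' */
    (void)data;
}

/* HARDENED: the length comes from the wire, so it is checked against both
 * the bytes actually received and the capacity of the destination buffer.
 * Returns 0 on success, -1 on a malformed frame. */
int enip_handle_hardened(const uint8_t *pkt, size_t pkt_len,
                         uint8_t *out, size_t out_cap, size_t *out_len) {
    if (pkt == NULL || out == NULL || out_len == NULL) return -1;
    if (pkt_len < ENIP_HDR_LEN) return -1;             /* truncated header */
    uint16_t declared = le16(pkt + 2);
    if (declared > pkt_len - ENIP_HDR_LEN) return -1;  /* claims more than received */
    if (declared > out_cap) return -1;                 /* would overflow destination */
    memcpy(out, pkt + ENIP_HDR_LEN, declared);
    *out_len = declared;
    return 0;
}

/* Builds a constructed test frame (not a captured packet): a SendRRData
 * header carrying the given Length field, followed by payload_len bytes of 0x41.
 * Returns the frame size, or 0 if it does not fit in 'buf'. */
size_t build_frame(uint8_t *buf, size_t cap, uint16_t declared, size_t payload_len) {
    if (cap < ENIP_HDR_LEN + payload_len) return 0;
    memset(buf, 0, ENIP_HDR_LEN);
    buf[0] = 0x6F; buf[1] = 0x00;                  /* command 0x006F, SendRRData */
    buf[2] = (uint8_t)(declared & 0xFF);           /* Length, little-endian */
    buf[3] = (uint8_t)(declared >> 8);
    memset(buf + ENIP_HDR_LEN, 0x41, payload_len);
    return ENIP_HDR_LEN + payload_len;
}

/* 1 if the hardened parser accepts a frame with the given declared length and
 * actual payload size, 0 if it rejects it. */
int frame_accepted(uint16_t declared, size_t payload_len) {
    uint8_t frame[ENIP_HDR_LEN + 256];
    uint8_t out[ENIP_DATA_MAX];
    size_t got = 0;
    size_t n = build_frame(frame, sizeof frame, declared, payload_len);
    if (n == 0) return 0;
    return enip_handle_hardened(frame, n, out, sizeof out, &got) == 0;
}
```

The two checks in the hardened version are the ones a reviewer should look for in any ENIP or CIP handler: the declared length must not exceed what was actually received, and it must not exceed the buffer it is copied into. Dropping either one reintroduces the overflow.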
Acknowledgments
CERT@VDE certvde.com
Claroty Sharon Brizinov

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "names": [
          "Sharon Brizinov"
        ],
        "organization": "Claroty",
        "summary": "reported"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "summary",
        "text": "Promass 83 devices utilizing 499ES EtherNet/IP (ENIP) Stack by Real Time Automation (RTA) are vulnerable to a stack-based buffer overflow.\n\nUpdate A, 2021-10-07:\n\nadded credits\nchanged title from \"ENDRESS+HAUSER: Promass 83 with Ether/IP affected by DoS vulnerability\" to \"ENDRESS+HAUSER: Promass 83 with EtherNet/IP affected by a stack-based buffer overflow\"",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "The vulnerability described can lead to a denial of service or even remote code execution.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "If an immediate firmware update is not possible, the only way to prevent an attack is to disable communication via EtherNet/IP.",
        "title": "Mitigation"
      },
      {
        "category": "description",
        "text": "Endress+Hauser provides updated firmware versions (Firmware versions \u003e1.00.00) for the related product from the Proline portfolio which fixes the vulnerability. Endress+Hauser strongly recommends customers to update to the new fixed version. For support, please contact your local service center.",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@endress.com",
      "name": "Endress+Hauser AG",
      "namespace": "https://www.endress.com"
    },
    "references": [
      {
        "category": "external",
        "summary": "Endress+Hauser advisory overview at CERT@VDE",
        "url": "https://certvde.com/de/advisories/vendor/endress+hauser/"
      },
      {
        "category": "self",
        "summary": "VDE-2021-040: Endress+Hauser: Promass 83 with EtherNet/IP affected by a stack-based buffer overflow - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2021-040"
      },
      {
        "category": "self",
        "summary": "VDE-2021-040: Endress+Hauser: Promass 83 with EtherNet/IP affected by a stack-based buffer overflow - CSAF",
        "url": "https://endress-hauser.csaf-tp.certvde.com/.well-known/csaf/white/2021/vde-2021-040.json"
      }
    ],
    "title": "Endress+Hauser: Promass 83 with EtherNet/IP affected by a stack-based buffer overflow",
    "tracking": {
      "aliases": [
        "VDE-2021-040"
      ],
      "current_release_date": "2025-05-14T12:28:19.000Z",
      "generator": {
        "date": "2025-01-22T15:06:26.010Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.17"
        }
      },
      "id": "VDE-2021-040",
      "initial_release_date": "2021-10-04T12:30:00.000Z",
      "revision_history": [
        {
          "date": "2021-10-04T12:30:00.000Z",
          "number": "1",
          "summary": "Initial revision."
        },
        {
          "date": "2021-10-07T10:00:00.000Z",
          "number": "2",
          "summary": "Update A"
        },
        {
          "date": "2025-05-14T12:28:19.000Z",
          "number": "3",
          "summary": "Fix: firmware category, added distribution"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Promass 83",
                "product": {
                  "name": "Promass 83",
                  "product_id": "CSAFPID-11001"
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "1.00.00",
                "product": {
                  "name": "Firmware 1.00.00",
                  "product_id": "CSAFPID-21001"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003e1.00.00",
                "product": {
                  "name": "Firmware \u003e1.00.00",
                  "product_id": "CSAFPID-22001"
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "Endress+Hauser"
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 1.00.00 installed on Promass 83",
          "product_id": "CSAFPID-31001"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003e1.00.00 installed on Promass 83",
          "product_id": "CSAFPID-32001"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11001"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-25159",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "notes": [
        {
          "category": "description",
          "text": "Promass 83 devices using the 499ES EtherNet/IP (ENIP) stack by Real Time Automation (RTA) contain a stack-based buffer overflow (CWE-121). It is reachable over EtherNet/IP by an unauthenticated remote attacker and can lead to a denial of service or remote code execution.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001"
        ],
        "known_affected": [
          "CSAFPID-31001"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "If an immediate firmware update is not possible, the only way to prevent an attack is to disable communication via EtherNet/IP.",
          "product_ids": [
            "CSAFPID-31001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Endress+Hauser provides updated firmware versions (Firmware versions \u003e1.00.00) for the related product from the Proline portfolio which fixes the vulnerability. Endress+Hauser strongly recommends customers to update to the new fixed version. For support, please contact your local service center.",
          "product_ids": [
            "CSAFPID-31001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 9.8,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 9.8,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001"
          ]
        }
      ],
      "title": "CVE-2020-25159"
    }
  ]
}
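Consuming the CSAF record above in practice, as an added example that is neither Endress+Hauser's nor CERT@VDE's tooling: the script flattens product_tree, resolves the installed_on relationships that the product_status lists point to, and classifies each row of a local device inventory as known_affected, fixed or not listed for CVE-2020-25159. The embedded JSON is a constructed subset of this advisory carrying only the fields the script reads; the inventory rows, the helper names and the handling of the ">1.00.00" range (dotted numbers with a single comparison operator, which is all this advisory uses) are assumptions of the example.

```python
"""Added example (not Endress+Hauser's or CERT@VDE's tooling): resolve the
product_status of a CSAF 2.0 advisory against a local device inventory."""
import json
import re

# Constructed subset of VDE-2021-040: only the fields this script reads.
CSAF_EXCERPT = json.loads(r'''
{
  "product_tree": {
    "branches": [{
      "category": "vendor", "name": "Endress+Hauser",
      "branches": [
        {"category": "product_family", "name": "Hardware", "branches": [
          {"category": "product_name", "name": "Promass 83",
           "product": {"name": "Promass 83", "product_id": "CSAFPID-11001"}}]},
        {"category": "product_family", "name": "Firmware", "branches": [
          {"category": "product_version", "name": "1.00.00",
           "product": {"name": "Firmware 1.00.00", "product_id": "CSAFPID-21001"}},
          {"category": "product_version_range", "name": ">1.00.00",
           "product": {"name": "Firmware >1.00.00", "product_id": "CSAFPID-22001"}}]}
      ]}],
    "relationships": [
      {"category": "installed_on",
       "full_product_name": {"name": "Firmware 1.00.00 installed on Promass 83",
                             "product_id": "CSAFPID-31001"},
       "product_reference": "CSAFPID-21001", "relates_to_product_reference": "CSAFPID-11001"},
      {"category": "installed_on",
       "full_product_name": {"name": "Firmware >1.00.00 installed on Promass 83",
                             "product_id": "CSAFPID-32001"},
       "product_reference": "CSAFPID-22001", "relates_to_product_reference": "CSAFPID-11001"}
    ]
  },
  "vulnerabilities": [{
    "cve": "CVE-2020-25159",
    "product_status": {"fixed": ["CSAFPID-32001"], "known_affected": ["CSAFPID-31001"]}
  }]
}
''')

# Constructed inventory rows: (asset tag, model, installed firmware).
INVENTORY = [
    ("FT-101", "Promass 83", "1.00.00"),
    ("FT-102", "Promass 83", "1.01.02"),
    ("FT-103", "Unrelated-Model", "1.00.00"),
]


def _walk(branches, acc):
    """Flatten product_tree branches into {product_id: (category, name)}."""
    for b in branches:
        if "product" in b:
            acc[b["product"]["product_id"]] = (b["category"], b["name"])
        _walk(b.get("branches", []), acc)
    return acc


def version_key(v):
    """Dotted version -> tuple of ints, trailing zeros dropped ("1.0" == "1.00.00")."""
    parts = tuple(int(x) for x in re.findall(r"\d+", v))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def version_matches(spec, version):
    """True if 'version' satisfies a product_version ("1.00.00") or a simple
    product_version_range (">1.00.00"). Other range syntaxes are out of scope
    for this example and raise ValueError."""
    m = re.fullmatch(r"\s*(>=|<=|>|<)?\s*([\d.]+)\s*", spec)
    if not m:
        raise ValueError(f"unsupported version spec: {spec!r}")
    op = m.group(1) or "=="
    base, v = version_key(m.group(2)), version_key(version)
    return {"==": v == base, ">": v > base, ">=": v >= base,
            "<": v < base, "<=": v <= base}[op]


def classify(csaf, model, firmware):
    """Return {cve: status} for one device; status is 'known_affected',
    'fixed' or 'not_listed'."""
    tree = csaf["product_tree"]
    products = _walk(tree["branches"], {})
    # installed_on product_id -> (firmware product_id, hardware product_id)
    combos = {r["full_product_name"]["product_id"]:
              (r["product_reference"], r["relates_to_product_reference"])
              for r in tree.get("relationships", []) if r["category"] == "installed_on"}
    result = {}
    for vuln in csaf["vulnerabilities"]:
        status = "not_listed"
        for state in ("known_affected", "fixed"):   # a later 'fixed' match wins
            for pid in vuln.get("product_status", {}).get(state, []):
                fw_id, hw_id = combos.get(pid, (pid, None))
                hw_name = products.get(hw_id, (None, None))[1]
                fw_spec = products.get(fw_id, (None, None))[1]
                if hw_name == model and fw_spec and version_matches(fw_spec, firmware):
                    status = state
        result[vuln["cve"]] = status
    return result


def report(csaf=CSAF_EXCERPT, inventory=INVENTORY):
    """{asset tag: status for CVE-2020-25159} over the inventory."""
    return {tag: classify(csaf, model, fw)["CVE-2020-25159"]
            for tag, model, fw in inventory}


if __name__ == "__main__":
    for tag, status in report().items():
        print(f"{tag}: {status}")
```

Run against the full advisory JSON instead of the excerpt, the same logic applies unchanged; the only part that would need widening for other CSAF feeds is version_matches, since CSAF allows free-form product_version_range names.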

