VDE-2025-026

Vulnerability from csaf_aumariestergmbhcokg - Published: 2025-05-12 10:00 - Updated: 2025-05-14 13:00
Summary
AUMA Riester: Buffer overflow in service telegram
Severity
High
Notes
Summary: Sending too much data in the service telegram of AUMA actuators leads to a buffer overflow in the actuator controls. Depending on the actuator, the service telegram is transmitted either via Bluetooth or RS-232.
Impact: A buffer overflow can lead to unexpected behaviour, e.g. a restart of the actuator controls.
Mitigation: As the Bluetooth interface or the alternatively available RS-232 interface is not required for normal operation, it is advisable to activate or use it only when it is required, e.g. when configuring the actuator or reading diagnostic data. It should be deactivated under normal operating conditions.
Remediation: For actuators with Bluetooth, it is recommended to update the firmware of the actuator controls to a new version in order to avoid a buffer overflow. For actuators without Bluetooth, it is recommended to restrict physical access to the actuator and/or update the firmware if possible.
General Recommendation: If the actuator controls has a Bluetooth interface, we recommend switching off this interface, as the Bluetooth connection to AUMA actuators is only used for configuration and diagnostics in the context of service activities. If the actuator controls has a built-in RS-232 interface, we recommend restricting physical access to the actuator.
Disclaimer: AUMA is not liable for updates of its actuators.
Product Description: Applies to all actuators which can be configured using either a Bluetooth interface or an RS-232 interface.

An unauthenticated remote attacker can cause a buffer overflow which could lead to unexpected behaviour or DoS via Bluetooth or RS-232 interface.

CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Mitigation: It is recommended to update to a new version, with which the error can no longer occur.
Acknowledgments
CERT@VDE certvde.com
ONEKEY GmbH Dennis Schaeffer onekey.com
ONEKEY GmbH Dennis Schaefer onekey.com

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "for coordination",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "names": [
          "Dennis Schaeffer"
        ],
        "organization": "ONEKEY GmbH",
        "summary": "for discovering the vulnerability",
        "urls": [
          "https://onekey.com"
        ]
      }
    ],
    "aggregate_severity": {
      "text": "High"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "Sending too much data in the service telegram of AUMA actuators leads to a buffer overflow in the actuator controls. Depending on the actuator, the service telegram is transmitted either via Bluetooth or RS232",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "A buffer overflow can lead to an unexpected behaviour e.g. to restart of the actuator controls.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "As the Bluetooth interface or the alternatively available RS-232 interface is not required for normal operation, it is advisable to only activate it or only use it when it is required, e.g. when configuring the actuator or reading diagnostic data. It should be deactivated under normal operation conditions.",
        "title": "Mitigation"
      },
      {
        "category": "description",
        "text": "For actuators with Bluetooh, it is recommended to update the firmware of the actuator controls to a new version in order to avoid a buffer overflow.\nFor actuators without Bluetooth, it is recommended to restrict physical access to the actuator and/or update the firmware if possible.",
        "title": "Remediation"
      },
      {
        "category": "general",
        "text": "If the actuator controls has a Bluetooth interface, we recommend switching off this interface, as the Bluetooth connection to AUMA actuators is only used for configuration and diagnostics in the context of service activities. If the actuator controls has an build-in RS-232 interface, we recommend restricting physical access to the actuator.",
        "title": "General Recommendation"
      },
      {
        "category": "legal_disclaimer",
        "text": "AUMA is not liable for updates of its actuators",
        "title": "Disclaimer"
      },
      {
        "category": "description",
        "text": "Applies to all actuators which can be configured using either a Bluetooth interface or a RS-232 interface.",
        "title": "Product Description"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@auma.com",
      "name": "AUMA Riester GmbH \u0026 Co. KG",
      "namespace": "https://auma.com"
    },
    "references": [
      {
        "category": "external",
        "summary": "PSIRT at AUMA Riester GmbH \u0026 Co. KG",
        "url": "https://www.auma.com/en_GB/service/psirt"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for AUMA",
        "url": "https://certvde.com/en/advisories/vendor/auma/"
      },
      {
        "category": "self",
        "summary": "VDE-2025-026: AUMA Riester: Buffer overflow in service telegram - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2025-026"
      },
      {
        "category": "self",
        "summary": "VDE-2025-026: AUMA Riester: Buffer Overvflow in service telegram - CSAF",
        "url": "https://auma.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-026.json"
      }
    ],
    "title": "AUMA Riester: Buffer overflow in service telegram",
    "tracking": {
      "aliases": [
        "VDE-2025-026"
      ],
      "current_release_date": "2025-05-14T13:00:14.000Z",
      "generator": {
        "date": "2025-04-17T09:37:58.338Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.18"
        }
      },
      "id": "VDE-2025-026",
      "initial_release_date": "2025-05-12T10:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-05-12T06:00:00.000Z",
          "number": "1",
          "summary": "Initial revision"
        },
        {
          "date": "2025-05-14T13:00:14.000Z",
          "number": "2",
          "summary": "Fix: added distribution"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_family",
                "name": "AC1.2",
                "product": {
                  "name": "AC1.2",
                  "product_id": "CSAFPID-11001"
                }
              },
              {
                "category": "product_family",
                "name": "PROFOX",
                "product": {
                  "name": "PROFOX",
                  "product_id": "CSAFPID-11011"
                }
              },
              {
                "category": "product_family",
                "name": "TIGRON",
                "product": {
                  "name": "TIGRON",
                  "product_id": "CSAFPID-11021"
                }
              },
              {
                "category": "product_family",
                "name": "TIGRON SIL",
                "product": {
                  "name": "TIGRON SIL",
                  "product_id": "CSAFPID-11031"
                }
              },
              {
                "category": "product_family",
                "name": "SGx/SVx",
                "product": {
                  "name": "SGx/SVx",
                  "product_id": "CSAFPID-11041"
                }
              },
              {
                "category": "product_family",
                "name": "MEC 03.01",
                "product": {
                  "name": "MEC 03.01",
                  "product_id": "CSAFPID-11051"
                }
              }
            ],
            "category": "product_name",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003e06.00.00\u003c06.09.04",
                    "product": {
                      "name": "Firmware \u003e06.00.00\u003c06.09.04",
                      "product_id": "CSAFPID-21001"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "06.09.04",
                    "product": {
                      "name": "Firmware 06.09.04",
                      "product_id": "CSAFPID-22001"
                    }
                  }
                ],
                "category": "product_family",
                "name": "AC1.2"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c01-01.10.00",
                    "product": {
                      "name": "Firmware \u003c01-01.10.00",
                      "product_id": "CSAFPID-21011"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "01-01.10.00",
                    "product": {
                      "name": "Firmware 01-01.10.00",
                      "product_id": "CSAFPID-22011"
                    }
                  }
                ],
                "category": "product_family",
                "name": "PROFOX"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c01-01.09.00",
                    "product": {
                      "name": "Firmware \u003c01-01.09.00",
                      "product_id": "CSAFPID-21021"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "01-01.09.00",
                    "product": {
                      "name": "Firmware 01-01.09.00",
                      "product_id": "CSAFPID-22021"
                    }
                  }
                ],
                "category": "product_family",
                "name": "TIGRON"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c02-01.01.00",
                    "product": {
                      "name": "Firmware \u003c02-01.01.00",
                      "product_id": "CSAFPID-21031"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "02-01.01.00",
                    "product": {
                      "name": "Firmware 02-01.01.00",
                      "product_id": "CSAFPID-22031"
                    }
                  }
                ],
                "category": "product_family",
                "name": "TIGRON SIL"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003e03.00.00\u003c03.05.01",
                    "product": {
                      "name": "Firmware \u003e03.00.00\u003c03.05.01",
                      "product_id": "CSAFPID-21041"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "03.05.01",
                    "product": {
                      "name": "Firmware 03.05.01",
                      "product_id": "CSAFPID-22041"
                    }
                  }
                ],
                "category": "product_family",
                "name": "Sxy"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c01.02.00",
                    "product": {
                      "name": "Firmware \u003c01.02.00",
                      "product_id": "CSAFPID-21051"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "01.02.00",
                    "product": {
                      "name": "Firmware 01.02.00",
                      "product_id": "CSAFPID-22051"
                    }
                  }
                ],
                "category": "product_family",
                "name": "MEC03.1"
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "AUMA Riester GmbH"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006"
        ],
        "summary": "Affected Products"
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005",
          "CSAFPID-32006"
        ],
        "summary": "Fixed products."
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003e06.00.00\u003c06.09.04 installed on AC1.2",
          "product_id": "CSAFPID-31001"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 06.09.04 installed on AC1.2",
          "product_id": "CSAFPID-32001"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c01-01.10.00 installed on PROFOX",
          "product_id": "CSAFPID-31002"
        },
        "product_reference": "CSAFPID-21011",
        "relates_to_product_reference": "CSAFPID-11011"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 01-01.10.00 installed on PROFOX",
          "product_id": "CSAFPID-32002"
        },
        "product_reference": "CSAFPID-22011",
        "relates_to_product_reference": "CSAFPID-11011"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c01-01.09.00 installed on TIGRON",
          "product_id": "CSAFPID-31003"
        },
        "product_reference": "CSAFPID-21021",
        "relates_to_product_reference": "CSAFPID-11021"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 01-01.09.00 installed on TIGRON",
          "product_id": "CSAFPID-32003"
        },
        "product_reference": "CSAFPID-22021",
        "relates_to_product_reference": "CSAFPID-11021"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c02-01.01.00 installed on TIGRON SIL",
          "product_id": "CSAFPID-31004"
        },
        "product_reference": "CSAFPID-21031",
        "relates_to_product_reference": "CSAFPID-11031"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 02-01.01.00 installed on TIGRON SIL",
          "product_id": "CSAFPID-32004"
        },
        "product_reference": "CSAFPID-22031",
        "relates_to_product_reference": "CSAFPID-11031"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003e03.00.00\u003c03.05.01 installed on SGx/SVx",
          "product_id": "CSAFPID-31005"
        },
        "product_reference": "CSAFPID-21041",
        "relates_to_product_reference": "CSAFPID-11041"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 03.05.01 installed on SGx/SVx",
          "product_id": "CSAFPID-32005"
        },
        "product_reference": "CSAFPID-22041",
        "relates_to_product_reference": "CSAFPID-11041"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c01.02.00 installed on MEC 03.01",
          "product_id": "CSAFPID-31006"
        },
        "product_reference": "CSAFPID-21051",
        "relates_to_product_reference": "CSAFPID-11051"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 01.02.00 installed on MEC 03.01",
          "product_id": "CSAFPID-32006"
        },
        "product_reference": "CSAFPID-22051",
        "relates_to_product_reference": "CSAFPID-11051"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Dennis Schaefer"
          ],
          "organization": "ONEKEY GmbH",
          "summary": "for discovering the vulnerability",
          "urls": [
            "https://onekey.com"
          ]
        }
      ],
      "cve": "CVE-2025-3496",
      "cwe": {
        "id": "CWE-120",
        "name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "An unauthenticated remote attacker can cause a buffer overflow which could lead to unexpected behaviour or DoS via Bluetooth or RS-232 interface.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005",
          "CSAFPID-32006"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "It is recommended to update to a new version, with which the error can no longer occur.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "environmentalScore": 7.5,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.5,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004"
          ]
        },
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "HIGH",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalScore": 4.6,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 4.6,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31005",
            "CSAFPID-31006"
          ]
        }
      ],
      "title": "CVE-2025-3496"
    }
  ]
}

