CVE-2020-12502: Pepperl+Fuchs improper authorization affects multiple Comtrol RocketLinx products
First published: Thu Oct 15 2020(Updated: )
Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT (all versions) and ICRL-M-8RJ45/4SFP-G-DIN, ICRL-M-16RJ45/4CP-G-DIN FW 1.2.3 and below is prone to unauthenticated device administration.
Credit: info@cert.vde.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Pepperl-fuchs Es7510-xt Firmware | ||
| Pepperl-fuchs Es7510-xt | ||
| Pepperl-fuchs Es8509-xt Firmware | ||
| Pepperl-fuchs Es8509-xt | ||
| Pepperl-fuchs Es8510-xt Firmware | ||
| Pepperl-fuchs Es8510-xt | ||
| Pepperl-fuchs Es9528-xtv2 Firmware | ||
| Pepperl-fuchs Es9528-xtv2 | ||
| Pepperl-fuchs Es7506 Firmware | ||
| Pepperl-fuchs Es7506 | ||
| Pepperl-fuchs Es7510 Firmware | ||
| Pepperl-fuchs Es7510 | ||
| Pepperl-fuchs Es7528 Firmware | ||
| Pepperl-fuchs Es7528 | ||
| Pepperl-fuchs Es8508 Firmware | ||
| Pepperl-fuchs Es8508 | ||
| Pepperl-fuchs Es8508f Firmware | ||
| Pepperl-fuchs Es8508f | ||
| Pepperl-fuchs Es8510 Firmware | ||
| Pepperl-fuchs Es8510 | ||
| Pepperl-fuchs Es8510-xte Firmware | ||
| Pepperl-fuchs Es8510-xte | ||
| Pepperl-fuchs Es9528 Firmware | ||
| Pepperl-fuchs Es9528 | ||
| Pepperl-fuchs Es9528-xt Firmware | ||
| Pepperl-fuchs Es9528-xt | ||
| Pepperl-fuchs Icrl-m-8rj45\/4sfp-g-din Firmware | <=1.2.3 | |
| Pepperl-fuchs Icrl-m-8rj45\/4sfp-g-din | ||
| Pepperl-fuchs Icrl-m-16rj45\/4cp-g-din Firmware | <=1.2.3 | |
| Pepperl-fuchs Icrl-m-16rj45\/4cp-g-din | ||
| Korenix Jetnet 5428g-20sfp Firmware | ||
| Korenix Jetnet 5428g-20sfp | ||
| Korenix Jetnet 5810g Firmware | ||
| Korenix Jetnet 5810g | ||
| Korenix Jetnet 4706f Firmware | ||
| Korenix Jetnet 4706f | ||
| Korenix Jetnet 4706 Firmware | ||
| Korenix Jetnet 4706 | ||
| Korenix Jetnet 4510 Firmware | ||
| Korenix Jetnet 4510 | ||
| Korenix Jetnet 5010 Firmware | ||
| Korenix Jetnet 5010 | ||
| Korenix Jetnet 5310 Firmware | ||
| Korenix Jetnet 5310 | ||
| Korenix Jetnet 6095 Firmware | ||
| Korenix Jetnet 6095 | ||
| Pepperl-fuchs Icrl-m-8rj45\/4sfp-g-din Firmware | <1.4 | |
| Pepperl-fuchs Icrl-m-16rj45\/4cp-g-din Firmware | <1.4.0 |
Remedy
An external protective measure is required. 1) Traffic from untrusted networks to the device should be blocked by a firewall. Especially traffic targeting the administration webpage. 2) Administrator and user access should be protected by a secure password and only be available to a very limited group of people.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/162903/Korenix-CSRF-Backdoor-Accounts-Command-Injection-Missing-Authentication.html
- http://packetstormsecurity.com/files/165875/Korenix-Technology-JetWave-CSRF-Command-Injection-Missing-Authentication.html
- http://seclists.org/fulldisclosure/2021/Jun/0
- https://cert.vde.com/de-de/advisories/vde-2020-040
- https://cert.vde.com/en-us/advisories/vde-2020-053
- https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-korenix-technology-westermo-pepperl-fuchs/
Frequently Asked Questions
What is the vulnerability ID of this security issue?
The vulnerability ID is CVE-2020-12502.
What is the severity level of CVE-2020-12502?
The severity level of CVE-2020-12502 is high (8.8).
Which software versions are affected by CVE-2020-12502?
Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT and ICRL-M-8RJ45/4SFP-G-DIN, ICRL-M-16RJ45/4CP-G-DIN FW 1.2.3 and below are affected.
What is the description of CVE-2020-12502 vulnerability?
CVE-2020-12502 is an Improper Authorization vulnerability in Pepperl+Fuchs P+F Comtrol RocketLinx ES series firmware and ICRL-M devices FW 1.2.3 and below, which could allow unauthorized access.
Are there any references available for more details on CVE-2020-12502?
Yes, you can find more details on CVE-2020-12502 vulnerability at the following references: [Reference 1](http://packetstormsecurity.com/files/162903/Korenix-CSRF-Backdoor-Accounts-Command-Injection-Missing-Authentication.html), [Reference 2](http://packetstormsecurity.com/files/165875/Korenix-Technology-JetWave-CSRF-Command-Injection-Missing-Authentication.html), [Reference 3](http://seclists.org/fulldisclosure/2021/Jun/0).
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/weakness
- agent/author
- agent/title
- agent/last-modified-date
- agent/severity
- agent/event
- agent/first-publish-date
- agent/description
- agent/tags
- vendor/pepperl-fuchs
- canonical/pepperl-fuchs es7510-xt firmware
- canonical/pepperl-fuchs es7510-xt
- canonical/pepperl-fuchs es8509-xt firmware
- canonical/pepperl-fuchs es8509-xt
- canonical/pepperl-fuchs es8510-xt firmware
- canonical/pepperl-fuchs es8510-xt
- canonical/pepperl-fuchs es9528-xtv2 firmware
- canonical/pepperl-fuchs es9528-xtv2
- canonical/pepperl-fuchs es7506 firmware
- canonical/pepperl-fuchs es7506
- canonical/pepperl-fuchs es7510 firmware
- canonical/pepperl-fuchs es7510
- canonical/pepperl-fuchs es7528 firmware
- canonical/pepperl-fuchs es7528
- canonical/pepperl-fuchs es8508 firmware
- canonical/pepperl-fuchs es8508
- canonical/pepperl-fuchs es8508f firmware
- canonical/pepperl-fuchs es8508f
- canonical/pepperl-fuchs es8510 firmware
- canonical/pepperl-fuchs es8510
- canonical/pepperl-fuchs es8510-xte firmware
- canonical/pepperl-fuchs es8510-xte
- canonical/pepperl-fuchs es9528 firmware
- canonical/pepperl-fuchs es9528
- canonical/pepperl-fuchs es9528-xt firmware
- canonical/pepperl-fuchs es9528-xt
- canonical/pepperl-fuchs icrl-m-8rj45\/4sfp-g-din firmware
- version/pepperl-fuchs icrl-m-8rj45\/4sfp-g-din firmware/1.2.3
- canonical/pepperl-fuchs icrl-m-8rj45\/4sfp-g-din
- canonical/pepperl-fuchs icrl-m-16rj45\/4cp-g-din firmware
- version/pepperl-fuchs icrl-m-16rj45\/4cp-g-din firmware/1.2.3
- canonical/pepperl-fuchs icrl-m-16rj45\/4cp-g-din
- vendor/korenix
- canonical/korenix jetnet 5428g-20sfp firmware
- canonical/korenix jetnet 5428g-20sfp
- canonical/korenix jetnet 5810g firmware
- canonical/korenix jetnet 5810g
- canonical/korenix jetnet 4706f firmware
- canonical/korenix jetnet 4706f
- canonical/korenix jetnet 4706 firmware
- canonical/korenix jetnet 4706
- canonical/korenix jetnet 4510 firmware
- canonical/korenix jetnet 4510
- canonical/korenix jetnet 5010 firmware
- canonical/korenix jetnet 5010
- canonical/korenix jetnet 5310 firmware
- canonical/korenix jetnet 5310
- canonical/korenix jetnet 6095 firmware
- canonical/korenix jetnet 6095