Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2020-12504
PUBLISHED
More InfoOfficial Page
Assigner-CERTVDE
Assigner Org ID-270ccfa6-a436-4e77-922e-914ec3a9685c
View Known Exploited Vulnerability (KEV) details
Published At-15 Oct, 2020 | 18:42
Updated At-16 Sep, 2024 | 17:09
Rejected At-
▼CVE Numbering Authority (CNA)
Pepperl+Fuchs improper authorization affects multiple Comtrol RocketLinx products

Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT (all versions) and ICRL-M-8RJ45/4SFP-G-DIN, ICRL-M-16RJ45/4CP-G-DIN FW 1.2.3 and below has an active TFTP-Service.

Affected Products
Vendor
Pepperl+Fuchs
Product
P+F Comtrol RocketLinx
Versions
Affected
  • ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510-XTE, ES9528/ES9528-XT all
  • From ES7510-XT before 2.1.1 (custom)
  • From ES8510 before 3.1.1 (custom)
Vendor
Pepperl+Fuchs
Product
P+F Comtrol RocketLinx
Versions
Affected
  • From ICRL-M-8RJ45/4SFP-G-DIN through 1.2.3 (custom)
  • From ICRL-M-16RJ45/4CP-G-DIN through 1.2.3 (custom)
Vendor
Korenix
Product
JetNet
Versions
Affected
  • From 5428G-20SFP through V1.0 (custom)
  • From 5810G through V1.1 (custom)
  • From 4706F through V2.3b (custom)
  • From 4510 through V3.0b (custom)
  • From 5310 before V1.6 (custom)
Vendor
Westermo
Product
PMI-110-F2G
Versions
Affected
  • From unspecified before V1.8 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-912CWE-912 Hidden Functionality
Type: CWE
CWE ID: CWE-912
Description: CWE-912 Hidden Functionality
Metrics
VersionBase scoreBase severityVector
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

For ICRL-M-8RJ45/4SFP-G-DIN and ICRL-M-16RJ45/4CP-G-DIN: Update to Firmware 1.3.1 and deactivate TFTP-Service. For all other devices: An external protective measure is required. 1) Traffic from untrusted networks to the device should be blocked by a firewall. Especially traffic targeting the administration webpage. 2) Administrator and user access should be protected by a secure password and only be available to a very limited group of people.

Configurations
Workarounds
Exploits
Credits
T. Weber (SEC Consult Vulnerability Lab)
Coordinated by CERT@VDE
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://cert.vde.com/de-de/advisories/vde-2020-040
x_refsource_CONFIRM
http://seclists.org/fulldisclosure/2021/Jun/0
mailing-list
x_refsource_FULLDISC
http://packetstormsecurity.com/files/162903/Korenix-CSRF-Backdoor-Accounts-Command-Injection-Missing-Authentication.html
x_refsource_MISC
https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-korenix-technology-westermo-pepperl-fuchs/
x_refsource_CONFIRM
https://cert.vde.com/en-us/advisories/vde-2020-053
x_refsource_CONFIRM
http://packetstormsecurity.com/files/165875/Korenix-Technology-JetWave-CSRF-Command-Injection-Missing-Authentication.html
x_refsource_MISC
Hyperlink: https://cert.vde.com/de-de/advisories/vde-2020-040
Resource:
x_refsource_CONFIRM
Hyperlink: http://seclists.org/fulldisclosure/2021/Jun/0
Resource:
mailing-list
x_refsource_FULLDISC
Hyperlink: http://packetstormsecurity.com/files/162903/Korenix-CSRF-Backdoor-Accounts-Command-Injection-Missing-Authentication.html
Resource:
x_refsource_MISC
Hyperlink: https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-korenix-technology-westermo-pepperl-fuchs/
Resource:
x_refsource_CONFIRM
Hyperlink: https://cert.vde.com/en-us/advisories/vde-2020-053
Resource:
x_refsource_CONFIRM
Hyperlink: http://packetstormsecurity.com/files/165875/Korenix-Technology-JetWave-CSRF-Command-Injection-Missing-Authentication.html
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://cert.vde.com/de-de/advisories/vde-2020-040
x_refsource_CONFIRM
x_transferred
http://seclists.org/fulldisclosure/2021/Jun/0
mailing-list
x_refsource_FULLDISC
x_transferred
http://packetstormsecurity.com/files/162903/Korenix-CSRF-Backdoor-Accounts-Command-Injection-Missing-Authentication.html
x_refsource_MISC
x_transferred
https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-korenix-technology-westermo-pepperl-fuchs/
x_refsource_CONFIRM
x_transferred
https://cert.vde.com/en-us/advisories/vde-2020-053
x_refsource_CONFIRM
x_transferred
http://packetstormsecurity.com/files/165875/Korenix-Technology-JetWave-CSRF-Command-Injection-Missing-Authentication.html
x_refsource_MISC
x_transferred
Hyperlink: https://cert.vde.com/de-de/advisories/vde-2020-040
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: http://seclists.org/fulldisclosure/2021/Jun/0
Resource:
mailing-list
x_refsource_FULLDISC
x_transferred
Hyperlink: http://packetstormsecurity.com/files/162903/Korenix-CSRF-Backdoor-Accounts-Command-Injection-Missing-Authentication.html
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-korenix-technology-westermo-pepperl-fuchs/
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://cert.vde.com/en-us/advisories/vde-2020-053
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: http://packetstormsecurity.com/files/165875/Korenix-Technology-JetWave-CSRF-Command-Injection-Missing-Authentication.html
Resource:
x_refsource_MISC
x_transferred
Details not found