Dangerous vulnerabilities have been found in Pepperl+Fuchs Comtrol RocketLinx industrial switches (CVE-2020-12500, CVE-2020-12501, CVE-2020-12502, CVE-2020-12503 and CVE-2020-12504).
Exploitation of some of them allows full control of the device.
The problems were discovered by security researchers at the Austrian IT company SEC Consult. In total, five vulnerabilities were found that can be used to gain access to vulnerable switches, execute commands and obtain information. Three of them are rated critical and two as high severity.
According to the researchers, exploiting the vulnerabilities requires network access to the target switch, but no privileges on the device itself. One of the critical issues allows an unauthenticated attacker to modify the device configuration, including changing network parameters and uploading configuration files, firmware and bootloaders. The vulnerability can also be used to cause a denial-of-service condition, although this can be remedied by rebooting and reconfiguring the device.
Another critical vulnerability is related to the existence of several built-in accounts, although, according to the vendor, some of them are read-only.
The remaining critical issue concerns the TFTP service used for uploading and downloading firmware, bootloader and configuration files.
“The TFTP server can be used to read all files on the system, because the daemon runs as superuser, which exposes the password hash in the /etc/passwd file. However, write access is limited to certain files (configurations, certificates, bootloader, firmware upgrade). By downloading malicious Quagga configuration files, an attacker can change, for example, the device’s IP settings. Malicious firmware and loaders can also be downloaded”,
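The quoted behaviour (an RFC 1350 TFTP daemon running as root, so a read request can name any file and a write request can replace configuration, certificate, bootloader or firmware images) is something a network defender can watch for on the management segment. The following monitor is an added example, not code from the article, SEC Consult or the vendor: it parses TFTP read/write requests from UDP payloads and raises alerts on reads of absolute or traversal paths, reads of unexpected names, and writes that do not come from a designated management station. The file names, the management-host allowlist and the sample packets are all constructed for the example.

```python
"""Flag suspicious TFTP requests seen on a mirrored switch-management segment.

TFTP (RFC 1350) encodes a read (RRQ) or write (WRQ) request as:
    2-byte opcode | filename | 0x00 | mode | 0x00
When the daemon runs as root, an RRQ may name any file on the device and a
WRQ may overwrite config, certificate, bootloader or firmware images, so both
deserve monitoring.  Policy values and sample traffic below are constructed
for this example and are not the vendor's file names."""
import struct

RRQ, WRQ = 1, 2
VALID_MODES = {"netascii", "octet", "mail"}

# Hypothetical policy: only this host may push configuration or firmware.
MANAGEMENT_HOSTS = {"10.0.0.5"}
# Reads a legitimate operator is expected to perform (constructed names).
EXPECTED_READ_NAMES = {"running-config", "startup-config"}


def parse_tftp_request(payload: bytes):
    """Return {'op', 'filename', 'mode'} for an RRQ/WRQ, or None otherwise."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (RRQ, WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    # A well-formed request yields filename, mode and a trailing empty field.
    if len(fields) < 3:
        return None
    filename = fields[0].decode("latin-1")
    mode = fields[1].decode("latin-1").lower()
    if mode not in VALID_MODES:
        return None
    return {"op": "RRQ" if opcode == RRQ else "WRQ",
            "filename": filename, "mode": mode}


def classify(src_ip: str, req: dict) -> str:
    """Map a parsed request to a verdict string.

    'sensitive-read'     : absolute path or traversal, i.e. filesystem browsing
    'unexpected-read'    : a relative name outside the expected export names
    'unauthorised-write' : any WRQ from a host that is not a management station
    'ok'                 : everything else
    """
    name = req["filename"]
    if req["op"] == "RRQ":
        if name.startswith("/") or ".." in name:
            return "sensitive-read"
        if name not in EXPECTED_READ_NAMES:
            return "unexpected-read"
        return "ok"
    if src_ip not in MANAGEMENT_HOSTS:
        return "unauthorised-write"
    return "ok"


def scan(packets):
    """packets: iterable of (src_ip, udp_payload).  Returns alert tuples."""
    alerts = []
    for src_ip, payload in packets:
        req = parse_tftp_request(payload)
        if req is None:
            continue
        verdict = classify(src_ip, req)
        if verdict != "ok":
            alerts.append((verdict, src_ip, req["op"], req["filename"]))
    return alerts


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Encode an RRQ/WRQ; used here only to construct sample traffic."""
    return (struct.pack("!H", opcode) + filename.encode() + b"\x00"
            + mode.encode() + b"\x00")


# Constructed sample traffic: a benign config export from the management
# host, a filesystem read and a config push from an unknown host, and an
# ACK packet that the parser ignores.
SAMPLE_PACKETS = [
    ("10.0.0.5", build_request(RRQ, "running-config")),
    ("10.0.0.77", build_request(RRQ, "/etc/passwd")),
    ("10.0.0.77", build_request(WRQ, "zebra.conf")),
    ("10.0.0.5", b"\x00\x04\x00\x01"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print(*alert)
```

Feed `scan()` with the UDP payloads of port 69 traffic from a SPAN port or packet capture; a real deployment would also track the ephemeral-port data transfer that follows each request, but the request packet alone is enough to raise the alerts that matter here.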
The researchers also identified several command-injection vulnerabilities; although exploiting them requires authentication, the lack of protection against cross-site request forgery (CSRF) allows an attacker to perform actions on behalf of an authenticated user by convincing that user to open a malicious link.
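The CSRF weakness described above is worth seeing next to its fix. The example below is added here and is not the vendor's web UI or the researchers' code: it models a configuration endpoint with a constructed in-memory session store. The first handler accepts any request that carries a valid session cookie, which a browser attaches automatically, so a form auto-submitted from a page on another origin succeeds. The hardened handler additionally requires a per-session anti-CSRF token that a foreign page cannot read, and rejects requests whose Origin/Referer is not the device itself. Device address, origins and handler names are assumptions for the example.

```python
"""Authenticated does not mean same-origin: a CSRF-prone handler beside a fixed one.

The session store, device state and request dictionaries stand in for a web
framework; they are constructed for this example, not taken from any product."""
import hmac
import secrets

SESSIONS = {}                    # session_id -> {"user": ..., "csrf": token}
DEVICE = {"ip": "192.0.2.10"}    # constructed device state
DEVICE_ORIGIN = "https://192.0.2.10"   # assumed management-UI origin


def login(user: str) -> str:
    """Create a session and bind a fresh random anti-CSRF token to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def csrf_token_for(sid: str) -> str:
    """The token the legitimate page embeds in its form (readable same-origin only)."""
    return SESSIONS[sid]["csrf"]


def set_ip_vulnerable(cookies: dict, form: dict) -> bool:
    """Checks authentication only: any request carrying the cookie is accepted."""
    if cookies.get("sid") not in SESSIONS:
        return False
    DEVICE["ip"] = form["ip"]
    return True


def set_ip_hardened(cookies: dict, headers: dict, form: dict) -> bool:
    """Require a valid session, a same-origin header and a matching CSRF token."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return False
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not origin.startswith(DEVICE_ORIGIN):
        return False
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
        return False
    DEVICE["ip"] = form["ip"]
    return True


def forged_request_succeeds(hardened: bool) -> bool:
    """Replay the article's scenario: an operator is logged in and a page on a
    foreign origin auto-submits a form to the switch.  Returns True when the
    forged request changed the device IP."""
    DEVICE["ip"] = "192.0.2.10"
    sid = login("admin")
    cookies = {"sid": sid}                          # attached by the browser
    headers = {"Origin": "https://lure.example"}    # constructed foreign origin
    forged_form = {"ip": "192.0.2.99"}              # no token: foreign page cannot read it
    if hardened:
        set_ip_hardened(cookies, headers, forged_form)
    else:
        set_ip_vulnerable(cookies, forged_form)
    return DEVICE["ip"] == "192.0.2.99"


def legitimate_change(new_ip: str) -> bool:
    """The real UI submits the token from its own page, so the hardened handler accepts it."""
    sid = login("admin")
    form = {"ip": new_ip, "csrf": csrf_token_for(sid)}
    return set_ip_hardened({"sid": sid}, {"Origin": DEVICE_ORIGIN}, form)


if __name__ == "__main__":
    print("vulnerable handler changed IP:", forged_request_succeeds(False))
    print("hardened handler changed IP:  ", forged_request_succeeds(True))
    print("legitimate change accepted:   ", legitimate_change("192.0.2.20"))
```

The token check alone already defeats the forged submission; the Origin/Referer check is a second, independent layer that also catches requests from tooling that strips or replays forms. On embedded devices that cannot easily add a token to every form, a `SameSite=Strict` session cookie is a further mitigation, but it depends on browser support rather than on the device enforcing the check itself.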