Severe vulnerabilities (CVE-2020-12500, CVE-2020-12501, CVE-2020-12502, CVE-2020-12503 and CVE-2020-12504) have been identified in Comtrol RocketLinx industrial switches from Pepperl+Fuchs. Exploiting some of them allows an attacker to take complete control of the device.
The problems were discovered by security researchers at the Austrian information security company SEC Consult. In total, five vulnerabilities were found that could be exploited to gain access to vulnerable switches, execute commands and obtain information. Three of them are rated critical and two as serious.
Exploiting the vulnerabilities requires network access to the target switch but no credentials on the device itself, the experts say. One of the critical issues allows an unauthenticated attacker to change the device's configuration, including setting network parameters and loading configuration files, firmware and bootloaders. The vulnerability can also be exploited to cause a denial of service, although this can be remedied by rebooting and reconfiguring the device.
Another critical vulnerability concerns several built-in accounts, although according to the manufacturer some of them are read-only.
The third critical issue concerns the TFTP service used to upload and download firmware, bootloader and configuration files.
“The TFTP server can be used to read all files on the system, since the daemon runs as superuser, which leads to the disclosure of the password hash through the /etc/passwd file. However, write access is limited to certain files (config, certificates, bootloader, firmware update). By downloading malicious Quagga configuration files, an attacker can change, for example, the IP settings of the device. It is also possible to download malicious firmware and bootloaders,” the experts explained.
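For defenders monitoring such a switch, the TFTP issue is easy to watch for on the wire, because every transfer starts with a read or write request that names the file in clear text. The following is an added example (not code from SEC Consult, Pepperl+Fuchs or the advisory) that parses a TFTP request packet per RFC 1350 and flags reads of the password file or writes to config, certificate, bootloader or firmware files; the sensitive-path lists and the sample packets are constructed for the example.

```python
import struct

# TFTP opcodes (RFC 1350): 1 = read request (RRQ), 2 = write request (WRQ).
RRQ, WRQ = 1, 2

# Assumed watch lists for this example, derived from the advisory text:
# reads that expose password hashes, and writes to the file types the
# device's TFTP daemon allows to be overwritten.
SENSITIVE_READS = ("etc/passwd", "etc/shadow")
SENSITIVE_WRITE_HINTS = ("config", "cert", "bootloader", "firmware", ".bin")


def parse_tftp_request(payload: bytes):
    """Parse the first packet of a TFTP exchange.

    Returns (opcode, filename, mode) or None if the payload is not an RRQ/WRQ.
    """
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode not in (RRQ, WRQ):
        return None
    # After the opcode come two NUL-terminated strings: filename and mode.
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:  # filename, mode, and the empty piece after the last NUL
        return None
    filename = fields[0].decode("ascii", errors="replace")
    mode = fields[1].decode("ascii", errors="replace").lower()
    return opcode, filename, mode


def classify_request(payload: bytes) -> str:
    """Return 'sensitive-read', 'sensitive-write', 'benign' or 'not-a-request'."""
    parsed = parse_tftp_request(payload)
    if parsed is None:
        return "not-a-request"
    opcode, filename, _ = parsed
    # Normalise separators and case so "..\\..\\ETC\\passwd" is still caught.
    norm = filename.replace("\\", "/").lower()
    if opcode == RRQ and any(p in norm for p in SENSITIVE_READS):
        return "sensitive-read"
    if opcode == WRQ and any(h in norm for h in SENSITIVE_WRITE_HINTS):
        return "sensitive-write"
    return "benign"


# Constructed sample packets (not captured traffic).
SAMPLES = {
    "read_passwd": b"\x00\x01/etc/passwd\x00octet\x00",
    "write_firmware": b"\x00\x02firmware.bin\x00octet\x00",
    "read_status": b"\x00\x01status.txt\x00netascii\x00",
    "data_packet": b"\x00\x03\x00\x01payload",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {classify_request(pkt)}")
```

In practice the classifier would be fed the UDP payloads of packets destined to port 69 on the switch, with an alert raised on any sensitive-read or sensitive-write result from an unexpected source.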
Researchers also identified several command injection vulnerabilities. Although exploiting them requires authentication, the lack of cross-site request forgery (CSRF) protection allows an attacker to act on behalf of an authenticated user by persuading them to open a malicious link.