Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1512
Advisory (icsa-22-097-01) Pepperl+Fuchs WirelessHART-Gateway
8 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Pepperl+Fuchs WirelessHART-Gateway
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Mitigation
CVE Names: CVE-2021-34565 CVE-2021-34564 CVE-2021-34563
CVE-2021-34562 CVE-2021-34561 CVE-2021-34560
CVE-2021-34559 CVE-2021-33555 CVE-2020-11023
CVE-2020-11022 CVE-2020-7656 CVE-2019-11358
CVE-2016-10707 CVE-2015-9251 CVE-2014-6071
CVE-2013-0169 CVE-2012-6708 CVE-2011-4969
CVE-2007-2379
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-097-01
Comment: CVSS (Max): 9.8 CVE-2021-34565 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-097-01)
Pepperl+Fuchs WirelessHART-Gateway
Original release date: April 07, 2022
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/ .
1. EXECUTIVE SUMMARY
o CVSS v3 9.8
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: Pepperl+Fuchs
o Equipment: WirelessHART-Gateway
o Vulnerabilities: Use of Hard-coded Credentials, Uncontrolled Resource
Consumption, Reliance on Reverse DNS Resolution for a Security-critical
Action, Path Traversal, Cross-site Scripting, Exposure of Sensitive
Information to an Unauthorized Actor, Cleartext Storage of Sensitive
Information in a Cookie, HTTP Request Smuggling, Sensitive Cookie Without
'HttpOnly' Flag, Cryptographic Issues
2. RISK EVALUATION
Successful exploitation of these vulnerabilities may result in a
denial-of-service condition, code execution, and code exposure.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of WirelessHART-Gateway industrial networking devices
are affected:
o WHA-GW-F2D2-0-AS- Z2-ETH: Versions 3.0.7, 3.0.8, 3.0.9
o WHA-GW-F2D2-0-AS- Z2-ETH.EIP: Versions 3.0.7, 3.0.8, 3.0.9
3.2 VULNERABILITY OVERVIEW
3.2.1 USE OF HARD-CODED CREDENTIALS CWE-798
The affected product allows active SSH and telnet services with hard-coded
credentials.
CVE-2021-34565 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).
3.2.2 UNCONTROLLED RESOURCE CONSUMPTION CWE-400
jQuery 3.0.0-rc.1 is vulnerable to a denial-of-service condition due to
removing a logic a lowercased attribute names. Any attribute using a
mixed-cased name for boolean attributes goes into an infinite recursion,
exceeding the stack call limit.
CVE-2016-10707 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).
3.2.3 RELIANCE ON REVERSE DNS RESOLUTION FOR A SECURITY-CRITICAL ACTION CWE-350
If the application is not externally accessible or uses IP-based access
restrictions, attackers can use DNS rebinding to bypass any IP or
firewall-based access restrictions by proxying through their target's browser.
This vulnerability only affects Versions 3.0.7 through 3.0.8.
CVE-2021-34561 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:H/PR:N/UI:R/S:U/
C:H/I:H/A:H ).
3.2.4 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH
TRAVERSAL') CWE-22
The filename parameter is vulnerable to unauthenticated path traversal attacks,
enabling read access to arbitrary files on the server. This vulnerability only
affects Version 3.0.7.
CVE-2021-33555 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:N/A:N ).
3.2.5 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE
SCRIPTING') CWE-79
jQuery Version 1.4.2 allows remote attackers to conduct cross-site scripting
attacks via vectors related to use of the text method.
CVE-2014-6071 has been assigned to this vulnerability. A CVSS v3 base score of
6.1 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:R/S:C/
C:L/I:L/A:N ).
3.2.6 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE
SCRIPTING') CWE-79
jQuery versions prior to 1.9.0 are vulnerable to cross-site scripting attacks.
The jQuery(strInput) function does not differentiate selectors from HTML in a
reliable fashion. In vulnerable versions, jQuery determined whether the input
was HTML by looking for the '<' character anywhere in the string, giving
attackers more flexibility when attempting to deliver a malicious payload. In
fixed versions, jQuery only deems the input to be HTML if it explicitly starts
with the '<' character, limiting exploitability only to attackers who can
control the beginning of a string.
CVE-2012-6708 has been assigned to this vulnerability. A CVSS v3 base score of
6.1 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:R/S:C/
C:L/I:L/A:N ).
3.2.7 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE
SCRIPTING') CWE-79
jQuery versions prior to 3.0.0 are vulnerable to cross-site scripting (XSS)
attacks when a cross-domain Ajax request is performed without the dataType
option, causing text/javascript responses to be executed.
CVE-2015-9251 has been assigned to this vulnerability. A CVSS v3 base score of
6.1 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:R/S:C/
C:L/I:L/A:N ).
3.2.8 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE
SCRIPTING') CWE-79
In jQuery versions between 1.0.3 and 3.5.0, passing HTML containing <option>
elements from untrusted sources (even after sanitizing it) to one of jQuery's
DOM manipulation methods (i.e., .html(), .append(), and others) may execute
untrusted code. This vulnerability is patched in jQuery 3.5.0.
CVE-2020-11023 has been assigned to this vulnerability. A CVSS v3 base score of
6.1 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:R/S:C/
C:L/I:L/A:N ).
3.2.9 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE
SCRIPTING') CWE-79
In jQuery versions between 1.2 and 3.5.0, passing HTML from untrusted sources
(even after sanitizing it) to one of jQuery's DOM manipulation methods (i.e.
.html(), .append(), and others) may execute untrusted code. This vulnerability
is patched in jQuery 3.5.0.
CVE-2020-11022 has been assigned to this vulnerability. A CVSS v3 base score of
6.1 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:R/S:C/
C:L/I:L/A:N ).
3.2.10 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE
SCRIPTING') CWE-79
jQuery versions prior to 3.4.0, as used in specific products, mishandles
jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an
unsanitized source object contained an enumerable __proto__ property, it could
extend the native Object.prototype.
CVE-2019-11358 has been assigned to this vulnerability. A CVSS v3 base score of
6.1 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:R/S:C/
C:L/I:L/A:N ).
3.2.11 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE
SCRIPTING') CWE-79
jQuery versions prior to 1.9.0 allow cross-site scripting attacks via the load
method. The load method fails to recognize and remove "<script>" HTML tags that
contain a whitespace character, "</script >", which results in the enclosed
script logic to be executed.
CVE-2020-7656 has been assigned to this vulnerability. A CVSS v3 base score of
6.1 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:R/S:C/
C:L/I:L/A:N ).
3.2.12 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
The affected product contains a password field with autocomplete enabled. The
stored credentials can be captured by an attacker who gains control over the
user's computer.
CVE-2021-34560 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:N/UI:R/S:U/
C:H/I:N/A:N ).
3.2.13 CLEARTEXT STORAGE OF SENSITIVE INFORMATION IN A COOKIE CWE-315
Cookie stealing vulnerabilities within the application or browser allow an
attacker to steal the user's credentials in Version 3.0.9.
CVE-2021-34564 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:N/UI:R/S:U/
C:H/I:N/A:N ).
3.2.14 INCONSISTENT INTERPRETATION OF HTTP REQUESTS ('HTTP REQUEST SMUGGLING')
CWE-444
In the affected product, Versions 3.0.7 through 3.0.8 have a vulnerability that
may allow remote attackers to rewrite links and URLs in cached pages to
arbitrary strings.
CVE-2021-34559 has been assigned to this vulnerability. A CVSS v3 base score of
5.4 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:R/S:U/
C:L/I:L/A:N ).
3.2.15 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE
SCRIPTING') CWE-79
In the affected product, Version 3.0.8, it is possible to inject arbitrary
JavaScript into the application's response.
CVE-2021-34562 has been assigned to this vulnerability. A CVSS v3 base score of
5.4 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:R/S:U/
C:L/I:L/A:N ).
3.2.16 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
The jQuery framework exchanges data using JavaScript object notation (JSON)
without an associated protection scheme, which allows remote attackers to
obtain the data via a web page that retrieves the data through a URL in the SRC
attribute of a SCRIPT element and captures the data using other JavaScript
code, aka "JavaScript Hijacking."
CVE-2007-2379 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:L/I:N/A:N ).
3.2.17 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE
SCRIPTING') CWE-79
jQuery versions prior to 1.6.3 contain a Cross-site scripting (XSS)
vulnerability, which when using location.hash to select elements, allows remote
attackers to inject arbitrary web script or HTML via a crafted tag.
CVE-2011-4969 has been assigned to this vulnerability. A CVSS v3 base score of
4.7 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:R/S:C/
C:N/I:L/A:N ).
3.2.18 SENSITIVE COOKIE WITHOUT 'HTTPONLY' FLAG CWE-1004
In the affected product, Versions 3.0.8 and 3.0.9, the HttpOnly attribute is
not set on a cookie, which allows the cookie's value to be read or set by
client-side JavaScript.
CVE-2021-34563 has been assigned to this vulnerability. A CVSS v3 base score of
3.3 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:N/UI:R/S:U/
C:L/I:N/A:N ).
3.2.19 CRYPTOGRAPHIC ISSUES CWE-310
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in
OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing
side-channel attacks on a MAC check requirement during the processing of
malformed CBC padding, which allows remote attackers to conduct distinguishing
attacks and plaintext-recovery attacks via statistical analysis of timing data
for crafted packets, aka the "Lucky Thirteen" issue.
CVE-2013-0169 has been assigned to this vulnerability. A CVSS v3 base score of
3.7 has been calculated; the CVSS vector string is ( AV:N/AC:H/PR:N/UI:N/S:U/
C:L/I:N/A:N ).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Multiple
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
CERT@VDE coordinated these vulnerabilities with Pepperl+Fuchs.
4. MITIGATIONS
Pepperl+Fuchs recommends the following workarounds:
o Minimize network exposure for affected products and ensure they are not
accessible via the Internet.
o Isolate affected products from the corporate network.
o If remote access is required, use secure methods such as virtual private
networks (VPNs).
See CERT@VDE's advisory VDE-2021-027 for more information
CISA recommends users take the following measures to protect themselves from
social engineering attacks:
o Do not click web links or open unsolicited attachments in email messages.
o Refer to Recognizing and Avoiding Email Scams for more information on
avoiding email scams.
o Refer to Avoiding Social Engineering and Phishing Attacks for more
information on social engineering attacks.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov . Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYk99oONLKJtyKPYoAQjz6g//bCar2X1RoB4FKdVZ/b0FJFXK1lDehPoI
KB7LqH9qJ9cmUMLi+zNVUrNQnh3kt3/V4Ry95mRBfE+W+Hy4+ctyVmJQ31IA8Xo8
/yBEiiifiQLwNBZLmIN/xf6e6FvG99U2rfdaCmPAfH73XNYvTJ0ENg+QmIJkxcSC
Oo7n8nAgponKn12ArrRcK2YzpU3kBiWacARVlBXbrUosydb6O0JnQ7/xh0li5BEk
5OZhkb0c7+Cr+qNrN+M1tpuKITFZpjaOKg1WejhGVkru9DVmZLLf8iue5HiK2py8
Wtsh6NneRv3/AFxxp5N1p54RCVhfVW7BBvvdE0W9dybTLunaRmv/pqTTqP3Qe3co
aP2zXJZgu/cwwv6Isfk1qXLTv+kWdkKEI2ku/FWd3LF/Gdm3D3wZnfj07SjqFF6i
M1mwhw59tE8Gc6WfhKsrpXBf9ea1kauErJJ+guXaxZGrawXCTmNnXvYFuRuWYfDV
DXLjEJt3omcpgxzWSb6f373GToFsEYbzO0mJRVUBy4tMsczrv4WOf2e7v188AZA0
g7Mraih5X4qR+2Rlm2N+Gy7rzzrWUxlsI7D2bfARoyMOn9tyxEdx5eDZJLkzbcpn
G3/qPkjVao0QlOyNXkQbZOI3oS6jIe7OQuaeOS9I7rwAkP+Iz0ryJgp6YMBapkTx
jWsOGNR+5II=
=Hytr
-----END PGP SIGNATURE-----