| Publisher: Weidmueller Interface GmbH & Co. KG | Document category: csaf_security_advisory |
| Initial release date: 2021-05-04T08:17:00.000Z | Engine: Secvisogram 2.5.17 |
| Current release date: 2021-05-04T08:17:00.000Z | Build Date: 2025-01-23T08:43:12.153Z |
| Current version: 1 | Status: final |
| CVSSv3.1 Base Score: 9.8 | Severity: |
| Original language: | Language: en-US |
| Also referred to: VDE-2021-016 | |
A network port intended only for device-internal usage is accidentally accessible via external network interfaces.
The reported vulnerability allows an attacker who has network access and knowledge of the internal configuration protocol to read and write configuration data without prior authorization. By exploiting this vulnerability, the attacker is potentially able to manipulate or stop the operation of the device.
- Restrict access to the network the device is connected to
- Do not directly connect the device to the internet
Weidmüller recommends upgrading affected devices to the current firmware version 1.12.3 or higher which fixes this vulnerability.
In Weidmueller u-controls and IoT-Gateways in versions up to 1.12.1 a network port intended only for device-internal usage is accidentally accessible via external network interfaces. By exploiting this vulnerability the device may be manipulated or the operation may be stopped.
| CWE | Name |
|---|---|
| CWE-668 | Exposure of Resource to Wrong Sphere |
| Product | CVSS-Vector | CVSS Base Score |
|---|---|---|
| Firmware 1.3.0 <= 1.9.0 installed on IOT-GW30 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 |
| Firmware 1.10.0 <= 1.10.2 installed on IOT-GW30 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 |
| Firmware 1.11.0 installed on IOT-GW30 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 |
| Firmware 1.12.1 installed on IOT-GW30 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 |
| Firmware 1.3.0 <= 1.9.0 installed on IOT-GW30-4G-EU | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 |
| Firmware 1.10.0 <= 1.10.2 installed on IOT-GW30-4G-EU | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 |
| Firmware 1.11.0 installed on IOT-GW30-4G-EU | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 |
| Firmware 1.12.1 installed on IOT-GW30-4G-EU | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 |
| Firmware 1.3.0 <= 1.9.0 installed on UC20-WL2000-AC | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 |
| Firmware 1.10.0 <= 1.10.2 installed on UC20-WL2000-AC | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 |
| Firmware 1.11.0 installed on UC20-WL2000-AC | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 |
| Firmware 1.12.1 installed on UC20-WL2000-AC | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 |
| Firmware 1.3.0 <= 1.9.0 installed on UC20-WL2000-IOT | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 |
| Firmware 1.10.0 <= 1.10.2 installed on UC20-WL2000-IOT | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 |
| Firmware 1.11.0 installed on UC20-WL2000-IOT | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 |
| Firmware 1.12.1 installed on UC20-WL2000-IOT | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 |
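To turn the product table into a fleet check, the following added example (not part of the advisory or of any Weidmüller tooling) encodes the listed version ranges, the four product names and the 1.12.3 fix threshold, and classifies each inventory entry; the hostnames and inventory lines are constructed sample data, and it also flags versions below 1.12.3 that the table does not enumerate (such as 1.12.0), which the advisory's upgrade recommendation still covers.

```python
"""Check a device inventory against the affected versions in VDE-2021-016."""
from typing import Tuple

# Inclusive version ranges copied from the product table above.
AFFECTED_RANGES = [
    ("1.3.0", "1.9.0"),
    ("1.10.0", "1.10.2"),
    ("1.11.0", "1.11.0"),
    ("1.12.1", "1.12.1"),
]
AFFECTED_PRODUCTS = {"IOT-GW30", "IOT-GW30-4G-EU",
                     "UC20-WL2000-AC", "UC20-WL2000-IOT"}
FIXED_VERSION = "1.12.3"  # "1.12.3 or higher" fixes the issue

# Constructed sample inventory: host,product,firmware (not real devices).
SAMPLE_INVENTORY = """\
gw-01,IOT-GW30,1.8.2
gw-02,IOT-GW30-4G-EU,1.12.1
plc-03,UC20-WL2000-AC,1.12.3
plc-04,UC20-WL2000-IOT,1.12.0
sw-05,OTHER-DEVICE,1.5.0
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.12.1' into (1, 12, 1) so versions compare numerically."""
    return tuple(int(part) for part in v.strip().split("."))


def classify(product: str, version: str) -> str:
    """Return 'not-applicable', 'fixed', 'listed-affected' or 'below-fix'.

    'listed-affected': version falls inside one of the table's ranges.
    'below-fix': older than 1.12.3 but not enumerated in the table; the
    advisory still recommends the update, so treat it as needing one.
    """
    if product not in AFFECTED_PRODUCTS:
        return "not-applicable"
    v = parse_version(version)
    if v >= parse_version(FIXED_VERSION):
        return "fixed"
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v <= parse_version(hi):
            return "listed-affected"
    return "below-fix"


def audit(inventory: str) -> dict:
    """Map each hostname to its classification for a host,product,version CSV."""
    return {host: classify(product, version)
            for host, product, version in
            (line.split(",") for line in inventory.strip().splitlines())}
```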
Publisher namespace: https://www.weidmueller.com
Contact: psirt@weidmueller.com
| Version | Date of the revision | Summary of the revision |
|---|---|---|
| 1 | 2021-05-04T08:17:00.000Z | Initial revision. |
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/