1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: FESTO
- Equipment: Hardware Controller, Hardware Servo Press Kit
- Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to execute unauthorized system commands with root privileges.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
FESTO reports the following products are affected:
- Festo Firmware installed on Festo Hardware Controller CECC-X-M1: Version 4.0.14
- Festo Firmware installed on Festo Hardware Controller CECC-X-M1: Versions 3.8.14 and prior
- Festo Firmware installed on Festo Hardware Controller CECC-X-M1-MV: Versions 3.8.14 and prior
- Festo Firmware installed on Festo Hardware Controller CECC-X-M1-MV: Version 4.0.14
- Festo Firmware installed on Festo Hardware Controller CECC-X-M1-MV-S1: Version 4.0.14
- Festo Firmware installed on Festo Hardware Controller CECC-X-M1-MV-S1: Versions 3.8.14 and prior
- Festo Firmware installed on Festo Hardware Controller CECC-X-M1-YS-L1: Versions 3.8.14 and prior
- Festo Firmware installed on Festo Hardware Controller CECC-X-M1-YS-L2: Versions 3.8.14 and prior
- Festo Firmware installed on Festo Hardware Controller CECC-X-M1-Y-YJKP: Versions 3.8.14 and prior
- Festo Firmware installed on Festo Hardware Servo Press Kit YJKP: Versions 3.8.14 and prior
- Festo Firmware installed on Festo Hardware Servo Press Kit YJKP-: Versions 3.8.14 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78
In multiple versions of Festo Controller CECC-X-M1 product family, the http-endpoint
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from All CISA Advisories
Read the original article: