CVE-2020-12504

9.8 CRITICAL

📋 TL;DR

This CVE describes an improper authorization vulnerability in Pepperl+Fuchs Comtrol RocketLinx industrial switches that allows attackers to bypass authentication and execute arbitrary commands via the active TFTP service. Affected organizations include industrial control systems, manufacturing facilities, and critical infrastructure using these specific switch models.

💻 Affected Systems

Products:
  • Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT
  • ES8509-XT
  • ES8510-XT
  • ES9528-XTv2
  • ES7506
  • ES7510
  • ES7528
  • ES8508
  • ES8508F
  • ES8510
  • ES8510-XTE
  • ES9528/ES9528-XT
  • ICRL-M-8RJ45/4SFP-G-DIN
  • ICRL-M-16RJ45/4CP-G-DIN
Versions: All versions for RocketLinx models; FW 1.2.3 and below for ICRL models
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: TFTP service is active by default on affected devices, making them immediately vulnerable without configuration changes.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the industrial network, unauthorized command execution leading to operational disruption, data exfiltration, or physical damage to connected industrial equipment.

🟠 Likely Case

Unauthorized access to network devices, configuration changes, network disruption, and potential lateral movement to other industrial control systems.

🟢 If Mitigated

Limited impact with proper network segmentation, but still a risk to isolated industrial networks if exploited from inside.

🌐 Internet-Facing: HIGH - Directly exploitable via TFTP service without authentication, making internet-exposed devices immediate targets.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows unauthenticated command execution, posing significant risk to industrial networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only network access to the TFTP service (UDP port 69); no authentication is needed. Public exploit code and a detailed analysis are available in the referenced advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific firmware updates

Vendor Advisory: https://cert.vde.com/en-us/advisories/vde-2020-053

Restart Required: Yes

Instructions:

1. Download the latest firmware from the Pepperl+Fuchs support portal.
2. Back up the current configuration.
3. Upload the new firmware via the web interface or TFTP.
4. Reboot the device.
5. Restore the configuration if needed.
6. Verify the firmware version.

🔧 Temporary Workarounds

Disable TFTP Service (applies to: all)

Disable the vulnerable TFTP service if it is not required for operations:

Access device web interface -> System -> Services -> Disable TFTP

Network Access Control (applies to: all)

Restrict network access to the TFTP service (UDP 69) using firewall rules, for example:

iptables -A INPUT -p udp --dport 69 -j DROP
netsh advfirewall firewall add rule name="Block TFTP" dir=in action=block protocol=UDP localport=69

🧯 If You Can't Patch

  • Segment affected devices in isolated VLAN with strict access controls
  • Implement network monitoring for TFTP traffic and unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Attempt a TFTP connection to the device on UDP port 69, for example 'tftp <device_ip> get /etc/passwd', or use nmap: 'nmap -sU -p 69 --script tftp-enum <device_ip>'

Check Version:

Log in to the web interface and check System -> Firmware version, or connect via SSH/Telnet and run the 'show version' command

Verify Fix Applied:

Verify that the TFTP service is disabled or patched by repeating the connection attempts above (they should now fail), and confirm that the firmware version matches the patched release

📡 Detection & Monitoring

Log Indicators:

  • TFTP service access logs showing unauthorized connections
  • Configuration change logs without authorized user activity
  • Unexpected device reboots or service restarts

Network Indicators:

  • TFTP traffic to industrial network devices
  • Unexpected UDP port 69 connections from unauthorized sources
  • Anomalous traffic patterns to switch management interfaces

SIEM Query:

source="network_firewall" dest_port=69 protocol=UDP action=allow | stats count by src_ip dest_ip
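The same logic as the SIEM query above, written as a small offline detection script (an added example, not part of the advisory): it counts allowed UDP/69 flows per source/destination pair in key=value firewall logs and flags sources that are not on a list of hosts authorised to push firmware over TFTP. The log lines, addresses and allow-list are constructed for the demonstration.

```python
# Added example (not from the advisory): flag allowed TFTP (UDP/69) flows in
# key=value firewall logs, mirroring the SIEM query "dest_port=69 protocol=UDP
# action=allow | stats count by src_ip dest_ip". All data below is constructed.
from collections import Counter
import shlex

# Constructed sample firewall log (key=value style).
FIREWALL_LOG = """\
ts=2024-01-01T08:00:01Z source=network_firewall src_ip=10.10.5.20 dest_ip=10.20.0.11 protocol=UDP dest_port=69 action=allow
ts=2024-01-01T08:00:02Z source=network_firewall src_ip=10.10.5.20 dest_ip=10.20.0.11 protocol=UDP dest_port=69 action=allow
ts=2024-01-01T08:00:03Z source=network_firewall src_ip=172.16.9.4 dest_ip=10.20.0.12 protocol=UDP dest_port=69 action=allow
ts=2024-01-01T08:00:04Z source=network_firewall src_ip=172.16.9.4 dest_ip=10.20.0.12 protocol=TCP dest_port=443 action=allow
ts=2024-01-01T08:00:05Z source=network_firewall src_ip=203.0.113.7 dest_ip=10.20.0.11 protocol=UDP dest_port=69 action=block
"""

# Constructed: management hosts permitted to use TFTP (e.g. for firmware uploads).
AUTHORIZED_TFTP_CLIENTS = {"10.10.5.20"}


def parse_line(line):
    """Split one key=value log line into a dict (values may be quoted)."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def tftp_flows(log_text):
    """Count allowed UDP/69 flows per (src_ip, dest_ip), like the SIEM stats."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if (ev.get("protocol", "").upper() == "UDP"
                and ev.get("dest_port") == "69"
                and ev.get("action") == "allow"):
            counts[(ev["src_ip"], ev["dest_ip"])] += 1
    return counts


def unauthorized_tftp(log_text, allowed=AUTHORIZED_TFTP_CLIENTS):
    """Return only the flows whose source is not an authorised TFTP client."""
    return {k: v for k, v in tftp_flows(log_text).items() if k[0] not in allowed}


if __name__ == "__main__":
    for (src, dst), n in sorted(unauthorized_tftp(FIREWALL_LOG).items()):
        print(f"ALERT: {n} allowed TFTP flow(s) {src} -> {dst}")
```

Blocked attempts (action=block) are deliberately excluded so the output matches the SIEM query; drop that condition if you also want to see denied probes.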
