Multiple critical vulnerabilities reported in Festo industrial controllers
Take action: If you have Festo CECC industrial controllers, make sure they are isolated from the internet and accessible only from trusted networks. Then plan an upgrade to firmware 2.4.2.0 if it is available for your model. Be aware that at least 19 vulnerabilities, including critical ones, will never be patched. Start planning a replacement cycle, because you will remain exposed.
CISA reports multiple critical security vulnerabilities affecting the Festo SE & Co. KG CECC family of industrial controllers. The flaws collectively enable remote attackers to crash services, escalate privileges, bypass authentication mechanisms, and gain unauthorized access to sensitive industrial control systems and operational data.
Festo is a German automation technology company that supplies pneumatic and electrical automation systems to manufacturing facilities globally. The vulnerable CECC (Controller Embedded Compact Controller) family of industrial programmable logic controllers is used in critical manufacturing environments for process automation, machine control, and industrial operations.
Vulnerability summary:
- CVE-2021-33485 (CVSS 9.8): Out-of-bounds write vulnerability in CODESYS Control Runtime system enabling heap-based buffer overflow
- CVE-2020-10245 (CVSS 9.8): Out-of-bounds write in CODESYS V3 web server causing buffer overflow
- CVE-2019-18858 (CVSS 9.8): Classic buffer overflow in CODESYS 3 web server from unchecked input size
- CVE-2019-13548 (CVSS 9.8): Out-of-bounds write allowing remote code execution via crafted HTTP/HTTPS requests
- CVE-2018-10612 (CVSS 9.8): Missing encryption of sensitive data with user credentials transmitted without protection
- CVE-2019-9010 (CVSS 9.8): Unverified ownership vulnerability in CODESYS Gateway allowing full system compromise
- CVE-2019-9008 (CVSS 8.8): Incorrect permission assignment enabling privilege escalation
- CVE-2019-9013 (CVSS 8.8): Use of broken cryptographic algorithms for credential protection
- CVE-2022-22515 (CVSS 8.1): Exposure of configuration files to wrong sphere
- CVE-2010-5250 (CVSS 7.8): Untrusted search path vulnerability
- CVE-2021-36763 (CVSS 7.5): Files or directories accessible to external parties
- CVE-2020-15806 (CVSS 7.5): Uncontrolled memory allocation vulnerability
- CVE-2019-9009 (CVSS 7.5): Improper handling of exceptional conditions
- CVE-2020-12067 (CVSS 7.5): Weak password recovery mechanism
- CVE-2020-12069 (CVSS 7.8): Insufficient computational effort in password hashing
- CVE-2021-36764 (CVSS 7.5): NULL pointer dereference in Gateway component
- CVE-2021-29242 (CVSS 7.3): Improper input validation enabling packet manipulation
- CVE-2022-22519 (CVSS 7.5): Buffer over-read causing web server crashes
- CVE-2022-22517 (CVSS 7.5): Use of insufficiently random values for channel IDs
- CVE-2019-13532 (CVSS 7.5): Path traversal allowing unauthorized file access
- CVE-2018-20025 (CVSS 7.5): Use of insufficiently random values
- CVE-2019-5105 (CVSS 7.5): Out-of-bounds write via crafted packets
- CVE-2021-29241 (CVSS 7.5): NULL pointer dereference denial of service
- CVE-2018-20026 (CVSS 7.5): Improper communication channel restriction
- CVE-2022-22514 (CVSS 7.1): Untrusted pointer dereference causing system crashes
- CVE-2022-22513 (CVSS 6.5): NULL pointer dereference in CmpSettings component
- CVE-2019-13542 (CVSS 6.5): NULL pointer dereference in OPC UA Server
- CVE-2020-7052 (CVSS 6.5): Uncontrolled memory allocation denial of service
- CVE-2018-0739 (CVSS 6.5): Uncontrolled recursion in OpenSSL ASN.1 parsing
- CVE-2020-12068 (CVSS 6.5): Privilege escalation in WebVisu and Remote TargetVisu
- CVE-2019-9011 (CVSS 5.3): Username enumeration vulnerability
- CVE-2017-3735 (CVSS 5.3): One-byte buffer over-read in certificate parsing
The affected products include all versions of Festo firmware R05 (version 2.3.8.0 released June 17, 2016) installed on Festo Hardware Controller CECC-D, CECC-LK, and CECC-S models, as well as all versions of firmware R06 (version 2.3.8.1 released October 11, 2016) installed on CECC-LK and CECC-S controllers.
For a subset of 20 CVE identifiers affecting older firmware versions, Festo has released firmware version 2.4.2.0 for CECC-D and CECC-LK controllers that addresses these security issues. The fixed vulnerabilities include CVE-2019-9008, CVE-2019-18858, CVE-2019-13548, CVE-2019-13542, CVE-2019-9009, CVE-2019-9012, CVE-2020-7052, CVE-2019-13532, CVE-2018-20025, CVE-2018-0739, CVE-2018-10612, CVE-2017-3735, CVE-2018-20026, CVE-2019-9010, and CVE-2010-5250. Organizations operating affected controllers should immediately upgrade to firmware version 2.4.2.0 to mitigate these critical security risks.
Festo reports that patches will not be developed for a group of 19 vulnerabilities, several of them critical-severity. For CVE-2020-12068, CVE-2022-22515, CVE-2022-22514, CVE-2022-22513, CVE-2021-36763, CVE-2021-33485, CVE-2020-10245, CVE-2020-15806, CVE-2019-9011, CVE-2019-9013, CVE-2020-12067, CVE-2020-12069, CVE-2021-36764, CVE-2019-5105, CVE-2021-29241, CVE-2021-29242, CVE-2022-22519, CVE-2022-22517, and CVE-2018-0739, Festo states "no fix planned" and "this issue will be handled with next hardware generation release." This decision leaves organizations operating current-generation CECC controllers with no direct patch for multiple critical remote code execution and authentication bypass vulnerabilities, forcing reliance on network-level mitigations and compensating controls.
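The affected-version and fix information above can be turned into an inventory triage check. The following is an added example (not Festo's or CISA's code) that encodes the advisory's firmware versions, models and two CVE lists and classifies each controller: whether it is in scope, whether a 2.4.2.0 upgrade exists for its model, and which CVEs stay open afterwards. The CSV inventory format and asset names are constructed for the example; CVE-2018-0739 appears in both of the advisory's lists and is kept in both here.

```python
import csv
import io

# CVEs the advisory says firmware 2.4.2.0 fixes (CECC-D and CECC-LK builds only).
FIXED_IN_2420 = {
    "CVE-2019-9008", "CVE-2019-18858", "CVE-2019-13548", "CVE-2019-13542",
    "CVE-2019-9009", "CVE-2019-9012", "CVE-2020-7052", "CVE-2019-13532",
    "CVE-2018-20025", "CVE-2018-0739", "CVE-2018-10612", "CVE-2017-3735",
    "CVE-2018-20026", "CVE-2019-9010", "CVE-2010-5250",
}
# CVEs the advisory says will only be handled in the next hardware generation.
NO_FIX_PLANNED = {
    "CVE-2020-12068", "CVE-2022-22515", "CVE-2022-22514", "CVE-2022-22513",
    "CVE-2021-36763", "CVE-2021-33485", "CVE-2020-10245", "CVE-2020-15806",
    "CVE-2019-9011", "CVE-2019-9013", "CVE-2020-12067", "CVE-2020-12069",
    "CVE-2021-36764", "CVE-2019-5105", "CVE-2021-29241", "CVE-2021-29242",
    "CVE-2022-22519", "CVE-2022-22517", "CVE-2018-0739",
}
AFFECTED_MODELS = {"CECC-D", "CECC-LK", "CECC-S"}
UPGRADE_MODELS = {"CECC-D", "CECC-LK"}  # models for which 2.4.2.0 is named
FIXED_VERSION = (2, 4, 2, 0)


def parse_version(text: str) -> tuple:
    """'2.3.8.1' -> (2, 3, 8, 1); tuples compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def triage(model: str, firmware: str) -> dict:
    """Classify one controller; 'residual' is what stays open after any fix."""
    if model not in AFFECTED_MODELS:
        return {"status": "not-affected", "residual": set()}
    if parse_version(firmware) >= FIXED_VERSION:
        return {"status": "upgraded", "residual": set(NO_FIX_PLANNED)}
    if model in UPGRADE_MODELS:
        return {"status": "upgrade-to-2.4.2.0", "residual": set(NO_FIX_PLANNED)}
    # No fixed firmware is named for this model, so every listed CVE stays open.
    return {"status": "no-upgrade", "residual": FIXED_IN_2420 | NO_FIX_PLANNED}


def triage_inventory(csv_text: str) -> dict:
    """Run triage over a CSV with columns asset,model,firmware (constructed format)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["asset"]: triage(row["model"], row["firmware"]) for row in rows}


# Constructed sample inventory, not real assets.
SAMPLE = "asset,model,firmware\nplc-01,CECC-D,2.3.8.0\nplc-02,CECC-LK,2.4.2.0\n" \
         "plc-03,CECC-S,2.3.8.1\nio-01,OTHER-MODEL,1.0.0\n"

if __name__ == "__main__":
    for asset, result in triage_inventory(SAMPLE).items():
        print(asset, result["status"], len(result["residual"]), "CVEs remain")
```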
CISA strongly recommends that organizations implement network segmentation and access control measures to minimize exposure of vulnerable controllers. Industrial control system devices must not be directly accessible from the internet, and they should be isolated from corporate IT networks to prevent lateral movement from compromised business systems.