Beckhoff: BK9000 couplers - Denial of service inhibits function

Monitor7.5VDE-2020-005Mar 10, 2020

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The BK9000 coupler has a denial-of-service vulnerability (CWE-400) where network traffic from untrusted sources can inhibit its function, causing the device to stop processing data and halt communication with connected I/O terminals. This affects all versions of the BK9000. The vendor has stated this behavior will not be changed and recommends perimeter firewall protection as the mitigation.

What this means

What could happen

An attacker could send network packets to the BK9000 coupler, causing it to stop processing data and halting communication with connected I/O devices. This will interrupt production or safety-critical processes that depend on the coupler.

Who's at risk

Operators of Beckhoff BK9000 coupler-based automation systems should care, including manufacturing facilities, water treatment plants, and utilities that use these couplers to control distributed I/O terminals and communicate with PLCs or other control devices.

How it could be exploited

An attacker with network access to the BK9000 coupler (port details not specified in advisory) can send specially crafted packets that trigger a denial-of-service condition, causing the device to become unresponsive and cease normal operation.

Prerequisites

Network access to the BK9000 coupler from an untrusted network segment or the internet
No authentication required

remotely exploitableno authentication requiredlow complexityno patch availableaffects automation/control systems

Affected products (1)

ProductAffected VersionsFix Status

BK9000All versionsNo fix yet

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDConfigure firewall rules to block all traffic from untrusted networks to the BK9000 coupler

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGImplement network access controls to restrict which IP addresses and devices can communicate with the coupler

Long-term hardening

0/1

HARDENINGSegment the automation network: isolate BK9000 couplers on a trusted, internal network separate from corporate IT and guest networks

CVEs (1)

CVE-2020-9464

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/68e6eac3-3824-48e1-a734-629a1adac7ec