Beckhoff: EtherLeak in TwinCAT RT network driver

MonitorCVSS 5.3VDE-2020-019Jun 16, 2020

Beckhoff

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Beckhoff TwinCAT RT network driver for Intel 8254x and 8255x processors leaks arbitrary memory content in Ethernet frame padding. When the driver sends non-real-time Ethernet frames with payloads smaller than the minimum frame size, it does not pad them with zeros; instead, uninitialized memory is transmitted in the padding bytes. This memory likely contains fragments from previously transmitted or received frames, potentially exposing configuration data, credentials, or process information. The vulnerability affects TwinCAT 2.11 and 3.1 with affected driver versions up to 2.11.0.2120, 3.1.0.3512, 3.1.0.3603 (8254x) and 2.11.0.2117, 3.1.0.3600, 3.1.0.3500 (8255x).

What this means

What could happen

An attacker on the network can capture sensitive data (configuration, credentials, or process data) that leaks in the padding bytes of Ethernet frames sent by TwinCAT controllers. This is a low-risk information disclosure with no direct impact on operations unless the leaked data is exploited separately.

Who's at risk

Facilities running Beckhoff TwinCAT 2.11 or 3.1 with Intel 8254x or 8255x network drivers for EtherCAT automation control. This affects industrial automation systems in manufacturing, water/wastewater treatment, and power generation that use Beckhoff PLCs or embedded controllers for real-time process control.

How it could be exploited

An attacker with network access to the Ethernet segment where TwinCAT controllers are running can passively sniff traffic and extract sensitive memory contents from the padding bytes of non-real-time Ethernet frames. No active attack or authentication is required—only the ability to observe network traffic.

Prerequisites

Network access to the same Ethernet segment as the TwinCAT controller (ability to sniff traffic)
TwinCAT controller using Intel 8254x or 8255x network driver sending non-real-time Ethernet frames

remotely exploitableno authentication requiredlow complexityinformation disclosure (sensitive data leak)affects automation controllers

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (6)

6 with fix

ProductAffected VersionsFix Status

TwinCAT Driver for Intel 8254x TwinCAT 2.11 2350 <=2.11.0.2120≤ 2.11.0.2120Fix available

TwinCAT Driver for Intel 8254x TwinCAT 3.1 4022 <=3.1.0.3512≤ 3.1.0.3512Fix available

TwinCAT Driver for Intel 8254x TwinCAT 3.1 4024 <=3.1.0.3603≤ 3.1.0.3603Fix available

TwinCAT Driver for Intel 8255x TwinCAT 2.11 2350 <=2.11.0.2117≤ 2.11.0.2117Fix available

TwinCAT Driver for Intel 8255x TwinCAT 3.1 402 <=3.1.0.3600≤ 3.1.0.3600Fix available

TwinCAT Driver for Intel 8255x TwinCAT 3.1 4024 <=3.1.0.3500≤ 3.1.0.3500Fix available

Remediation & Mitigation

0/4

Do now

0/1

HARDENINGConfigure perimeter firewall to block untrusted network traffic to TwinCAT controllers, especially ICMP and small Ethernet frames

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXApply vendor patches for TwinCAT 2.11 or TwinCAT 3.1 when released by Beckhoff (contact vendor to request patch availability)

WORKAROUNDReconfigure Ethernet interfaces to use the Intel driver instead of the Beckhoff TwinCAT driver if real-time EtherCAT communication is not required

Long-term hardening

0/1

HARDENINGSegment TwinCAT controllers from untrusted networks using network isolation or VLAN rules

CVEs (1)

CVE-2020-12494

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/9c3dc0e6-ba36-43fa-8999-71ef50e6eb44

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.