Pilz: Multiple products prone to Niche Ethernet Stack vulnerabilities
Act Now · CVSS 9.1 · VDE-2021-009 · Sep 20, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple Pilz safety controllers and I/O modules use a third-party TCP/IP implementation (Niche Ethernet Stack) that contains critical vulnerabilities. Affected products include PNOZ mxp, PNOZ m B1, PNOZ m ES ETH, PNOZ mmc1p ETH, and PSSu-Module systems. These vulnerabilities allow remote code execution over the network without authentication. Most affected products cannot be firmware-updated in the field; only PSSu-Module for PSS 4000 has a vendor patch available (version 1.22.2).
What this means
What could happen
An attacker on the network could execute remote code on Pilz safety controllers and decentralised I/O modules, potentially altering safety interlocks, process setpoints, or stopping critical equipment. Confidentiality and integrity of safety-critical operations could be compromised.
Who's at risk
Water authorities and electric utilities using Pilz safety controllers and decentralised I/O modules—specifically PNOZ mxp, PNOZ m, PNOZ mmc1p, and PSSu-Module systems in safety-critical interlocks, emergency stop chains, and process monitoring. Any facility relying on these Pilz products for machinery safety or operational safeguards is affected.
How it could be exploited
An attacker with network access to an affected Pilz device can send specially crafted TCP/IP packets to exploit vulnerabilities in the embedded Niche Ethernet Stack. The attacker does not need valid credentials or user interaction. Exploitation could lead to arbitrary code execution on the safety controller.
Prerequisites
- Network access to affected Pilz device on TCP/IP ports
- No authentication required
- Device must be connected to a network accessible from the attacker
remotely exploitable · no authentication required · low complexity · high CVSS score (9.1) · no patch available for most products · affects safety systems
Affected products (6)
1 with fix · 5 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| PSSu-Module for PSS 4000 | 1.22.2 | 1.22.2 |
| Base-Device PNOZ mxp ETH (PNOZmulti Classic) | All versions | No fix (EOL) |
| PNOZ m B1 | <v1.8 | No fix (EOL) |
| PNOZ m ES ETH | <v1.2 | No fix (EOL) |
| PNOZ mmc1p ETH | All versions | No fix (EOL) |
| PSSu-Module for decentralised E/A-System | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
WORKAROUND: Deploy firewall rules to restrict network access to affected Pilz devices—allow only trusted engineering workstations and authorized systems to communicate on TCP/IP ports
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
PSSu-Module for PSS 4000
HOTFIX: Update PSSu-Module for PSS 4000 firmware to version 1.22.2 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Base-Device PNOZ mxp ETH (PNOZmulti Classic), PNOZ m B1, PNOZ m ES ETH, PNOZ mmc1p ETH, PSSu-Module for decentralised E/A-System. Apply the following compensating controls:
HARDENING: Isolate affected Pilz safety controllers and I/O modules on a separate network segment or VLAN, restricting connections from general plant network
HARDENING: Implement network monitoring to detect unauthorized TCP/IP communication attempts to Pilz devices
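One way to implement the monitoring control above, as an added example that is not part of the advisory or of any Pilz tooling: it checks flow records against an allowlist of engineering workstations and reports every other source that reaches a Pilz device. The device and workstation addresses, the ports, the flow-record format and the function names are all constructed assumptions.

```python
import ipaddress

# Constructed asset inventory (assumption): device IP -> product name.
PILZ_DEVICES = {
    "10.20.30.11": "PNOZ m B1",
    "10.20.30.12": "PNOZ mmc1p ETH",
}
# Constructed allowlist of trusted engineering workstations / authorized systems.
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.40.5/32", "10.20.40.6/32")]

# Constructed flow records, one per line: "timestamp src_ip dst_ip proto dst_port"
SAMPLE_FLOWS = """\
2021-09-20T08:00:01Z 10.20.40.5 10.20.30.11 tcp 9000
2021-09-20T08:00:07Z 10.20.50.77 10.20.30.11 tcp 80
2021-09-20T08:00:09Z 10.20.50.77 10.20.30.99 tcp 80
2021-09-20T08:01:15Z 192.0.2.44 10.20.30.12 udp 161
malformed line
2021-09-20T08:02:00Z 10.20.40.6 10.20.30.12 tcp 9000
"""


def is_allowed(src: str) -> bool:
    """True if src falls inside any allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def find_unauthorized(flow_text: str) -> list[dict]:
    """Return one alert per flow reaching a Pilz device from a non-allowlisted source."""
    alerts = []
    for line in flow_text.splitlines():
        try:
            ts, src, dst, proto, port = line.split()
            port = int(port)
            allowed = is_allowed(src)
        except ValueError:
            continue  # malformed record: skip it instead of stopping the monitor
        if dst in PILZ_DEVICES and not allowed:
            alerts.append({"time": ts, "src": src, "dst": dst,
                           "device": PILZ_DEVICES[dst], "proto": proto, "port": port})
    return alerts


if __name__ == "__main__":
    for a in find_unauthorized(SAMPLE_FLOWS):
        print(f"{a['time']} ALERT {a['src']} -> {a['device']} ({a['dst']}) {a['proto']}/{a['port']}")
```

Because the check keys on the destination being an affected device rather than on a port, it also catches protocols the firewall rules were never written for.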