### Critical Vulnerability Information #### Vulnerability Overview - **CVE IDs**: CVE-2014-3101, CVE-2014-3102, CVE-2014-3103, CVE-2014-3104, CVE-2014-3105 - **CWE IDs**: CWE-287 (Improper Authentication), CWE-284 (Improper Access Control), CWE-286 (Improper Privilege Management) #### Affected Products - Festo CECX-X-(C1/M1) Controller with CoDeSys and GoGoS MultiVisu - Festo CECX-X-(C1/M1) Controller with CoDeSys and GoGoS WebVisu #### Vulnerability Details - **CVE-2014-3101**: Unauthorized access to HTTP service, allowing attackers to bypass authentication and take control of the device. - **CVE-2014-3102**: Two TCP/IP service ports (Port 4900 and Port 6000) allow unauthorized access and configuration modification. - **CVE-2014-3103**: Directory traversal vulnerability in GoGoS MultiVisu v2.05, enabling reading of arbitrary files. - **CVE-2014-3104**: Command injection vulnerability in GoGoS MultiVisu v2.05, enabling execution of arbitrary commands. - **CVE-2014-3105**: Directory traversal vulnerability in GoGoS WebVisu v2.05, enabling reading of arbitrary files. #### Exploitability - These vulnerabilities can be exploited remotely over the network. #### Known Exploits - Publicly available exploit code for these vulnerabilities exists. #### Mitigation Measures - Festo recommends the following actions: - Place controllers in a controlled environment and ensure only authorized personnel can access them. - Keep control systems on internal networks, avoiding direct access from commercial networks. - Use firewalls to block external access to ports 4900 and 6000. - Disable unnecessary services such as HTTP, FTP, etc. - Update to the latest software and firmware versions. - Follow industrial control system security guidelines provided by ICS-CERT.