CVE-2020-12494

Beckhoff: Etherleak in TwinCAT RT network driver

Description

Beckhoff's TwinCAT RT network driver for Intel 8254x and 8255x is providing EtherCAT functionality. The driver implements real-time features. Except for Ethernet frames sent from real-time functionality, all other Ethernet frames sent through the driver are not padded if their payload is less than the minimum Ethernet frame size. Instead, arbitrary memory content is transmitted within in the padding bytes of the frame. Most likely this memory contains slices from previously transmitted or received frames. By this method, memory content is disclosed, however, an attacker can hardly control which memory content is affected. For example, the disclosure can be provoked with small sized ICMP echo requests sent to the device.

Remediation

Workaround:

  • If no real-time communication from TwinCAT is required on the Ethernet interface, then users can alternatively re-configure them to use the Intel ® driver, which is shipped with Beckhoff images. Customers should configure a perimeter firewall to block traffic from untrusted networks to the device, especially regarding ICMP and other small ethernet frames. Beckhoff offers software patches for TwinCAT 3.1 and TwinCAT 2.11 on request. These patches will be included in the the next regular releases to the affected software versions. The advisory will be updated upon availability.

Category

5.3
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.12%
Third-Party Advisory vde.com
Affected: Beckhoff TwinCat Driver for Intel 8254x (Tcl8254x.sys)
Affected: Beckhoff TwinCat Driver for Intel 8255x (Tcl8255x.sys)
Published at:
Updated at:

References

Link Tags
https://cert.vde.com/en-us/advisories/vde-2020-019 third party advisory

Frequently Asked Questions

What is the severity of CVE-2020-12494?
CVE-2020-12494 has been scored as a medium severity vulnerability.
How to fix CVE-2020-12494?
As a workaround for remediating CVE-2020-12494: If no real-time communication from TwinCAT is required on the Ethernet interface, then users can alternatively re-configure them to use the Intel ® driver, which is shipped with Beckhoff images. Customers should configure a perimeter firewall to block traffic from untrusted networks to the device, especially regarding ICMP and other small ethernet frames. Beckhoff offers software patches for TwinCAT 3.1 and TwinCAT 2.11 on request. These patches will be included in the the next regular releases to the affected software versions. The advisory will be updated upon availability.
Is CVE-2020-12494 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2020-12494 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-12494?
CVE-2020-12494 affects Beckhoff TwinCat Driver for Intel 8254x (Tcl8254x.sys), Beckhoff TwinCat Driver for Intel 8255x (Tcl8255x.sys).
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.