CVE-2014-5414

Beckhoff Embedded PC images before 2014-10-22 and Automation Device Specification (ADS) TwinCAT components do not restrict the number of authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force attack.

Weakness

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Affected Software

Potential Mitigations

• Common protection mechanisms include:

• Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].

• Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/16.html
• https://cwe.mitre.org/data/definitions/49.html
• https://cwe.mitre.org/data/definitions/560.html
• https://cwe.mitre.org/data/definitions/565.html
• https://cwe.mitre.org/data/definitions/600.html
• https://cwe.mitre.org/data/definitions/652.html
• https://cwe.mitre.org/data/definitions/653.html

References

• http://www.securityfocus.com/bid/93349
• https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-001.pdf
• https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-002.pdf
• https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-003.pdf
• https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2016/icsa-16-278-02.json
• https://www.cisa.gov/news-events/ics-advisories/icsa-16-278-02
• http://www.securityfocus.com/bid/93349
• https://ics-cert.us-cert.gov/advisories/ICSA-16-278-02