PT-2021-6242 · Siemens+1 · Capital Vstar+11
Amine Amri +5 · Published 2021-11-09 · Updated 2024-10-08
CVE-2021-31889
CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Capital Embedded AR Classic 431-422: all versions
Capital Embedded AR Classic R20-11: versions prior to V2303
PLUSCONTROL 1st Gen: all versions
SIMOTICS CONNECT 400: versions prior to V0.5.0.0
APOGEE MBC: all versions
APOGEE MEC: all versions
APOGEE PXC: all versions
TALON TC: all versions
Nucleus NET: all versions
Nucleus ReadyStart V3: versions prior to V2017.02.4
Nucleus Source Code: all versions
Capital VSTAR: all versions
Description
A vulnerability has been identified in the processing of the SACK option of TCP packets. Malformed TCP packets with a corrupted SACK option can lead to information leaks and denial-of-service conditions. The issue can be exploited remotely.
Recommendations
For Capital Embedded AR Classic 431-422, update to a version that fixes the issue.
For Capital Embedded AR Classic R20-11, update to version V2303 or later.
For PLUSCONTROL 1st Gen, consider disabling the use of TCP packets with the SACK option until a patch is available.
For SIMOTICS CONNECT 400, update to version V0.5.0.0 or later.
For APOGEE MBC, APOGEE MEC, APOGEE PXC, and TALON TC, restrict access to the SACK parameter in TCP packets to minimize the risk of exploitation.
For Nucleus NET, Nucleus ReadyStart V3, and Nucleus Source Code, update to a version that fixes the issue or apply configuration changes to mitigate the risk.
For Capital VSTAR, update to a version that fixes the issue or consider temporarily disabling the vulnerable component until a patch is available.
At the moment, there is no information about a newer version that contains a fix for this vulnerability for some of the affected products.
Fix
Integer Underflow
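The class of length check whose absence produces an integer underflow when parsing a SACK option, as an added example: this is not Siemens or Nucleus code and makes no claim about where the flaw sits in the affected products. The function name `count_sack_blocks` and the sample bytes are assumptions; the option layout (kind 5, length 2 + 8n for 1 to 4 blocks) follows RFC 2018.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCPOPT_EOL  0
#define TCPOPT_NOP  1
#define TCPOPT_SACK 5   /* RFC 2018 */

/* Hypothetical helper: walks the TCP options area and returns the number of
 * SACK blocks, 0 if no SACK option is present, -1 if any option is malformed. */
int count_sack_blocks(const uint8_t *opts, size_t opts_len)
{
    size_t i = 0;
    int blocks = 0;
    while (i < opts_len) {
        uint8_t kind = opts[i];
        if (kind == TCPOPT_EOL)
            break;
        if (kind == TCPOPT_NOP) {
            i++;
            continue;
        }
        if (opts_len - i < 2)          /* no room for the length byte */
            return -1;
        uint8_t len = opts[i + 1];
        /* Reject len < 2 before computing len - 2: in unsigned arithmetic
         * that subtraction wraps to a huge value. Also reject overruns. */
        if (len < 2 || len > opts_len - i)
            return -1;
        if (kind == TCPOPT_SACK) {
            size_t payload = (size_t)len - 2;
            /* 1 to 4 blocks, each two 32-bit sequence numbers. */
            if (payload == 0 || payload % 8 != 0 || payload > 32)
                return -1;
            blocks += (int)(payload / 8);
        }
        i += len;
    }
    return blocks;
}

int main(void)
{
    /* Constructed samples: NOP, NOP, one-block SACK; SACK with length 1. */
    const uint8_t good[] = {1, 1, 5, 10, 0, 0, 0, 1, 0, 0, 0, 5};
    const uint8_t bad[] = {5, 1};
    printf("%d\n", count_sack_blocks(good, sizeof good));
    printf("%d\n", count_sack_blocks(bad, sizeof bad));
    return 0;
}
```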
Weakness Enumeration
Related Identifiers
Affected Products
APOGEE MBC
APOGEE MEC
APOGEE PXC
Capital Embedded AR Classic 431-422
Capital Embedded AR Classic R20-11
Capital VSTAR
Nucleus NET
Nucleus ReadyStart V3
Nucleus Source Code
PLUSCONTROL 1st Gen
SIMOTICS CONNECT 400
TALON TC