Details
- Type: Bug
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: V3.8.5.0
- Component/s: None
- Labels: None
- Account: SPC EthernetIp Core (SPCETHERNET)
Description
According to the Spec. Vol8 4-3.1.3:
After a device’s CIP Security Object has attained the CONFIGURED state, changes to the security related objects must be performed over a CIP Security connection. The following CIP Objects are considered security related:
- CIP Security Object (0x5D)
- EtherNet/IP Security Object (0x5E)
- Certificate Management Object (0x5F)
- File Object (0x37)
- TCP/IP Object (0xF5)
- Ethernet Link Object (0xF6)
- Ingress Egress Object (0x63)
Access to a security related object or service outside of a CIP Security connection will return an Error Response code with status code 0x0F ‘Privilege violation’. It is at the vendor’s discretion to determine what additional objects and services are to be considered security related. The vendor is free to enforce a requirement that these services on security related objects only be performed over a CIP Security connection once the CIP Security Object has attained the CONFIGURED state on the device.
The stack currently only uses the Ingress/Egress Object for this purpose, which doesn’t comply with this requirement. The stack must use the CIP Security state to filter non-TLS communications independent of the existence of the Firewall Profile. The Firewall is only to fine-tune the behavior.
Acceptance Criteria:
- CT20 does not complain about services that are accepted while being in CIP Security CONFIGURED state.
- Python tests are adapted/expanded and pass.
- Migration notes are available.
Behavior before and after this change shall be described.
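The before/after behavior described in this issue, sketched as an added Python model (not the stack's code and not part of the original ticket). The state names, the firewall rule format, the status returned on a firewall deny, and the choice to treat every request to a listed class as covered are assumptions of this sketch; the class IDs and status 0x0F come from the description above.

```python
from enum import Enum, auto

STATUS_SUCCESS = 0x00
STATUS_PRIVILEGE_VIOLATION = 0x0F  # 'Privilege violation', as quoted in the issue

# Class IDs the issue lists as security related.
SECURITY_RELATED = {0x5D, 0x5E, 0x5F, 0x37, 0xF5, 0xF6, 0x63}


class State(Enum):
    # Illustrative names; the issue only names the CONFIGURED state.
    NOT_CONFIGURED = auto()
    CONFIGURED = auto()


def firewall_verdict(rules, class_id, secure):
    """Hypothetical firewall profile {class_id: allow_non_secure}; None = no profile."""
    if rules is None or secure:
        return STATUS_SUCCESS
    # Assumption of this model: a firewall deny is also reported as 0x0F.
    return STATUS_SUCCESS if rules.get(class_id, True) else STATUS_PRIVILEGE_VIOLATION


def filter_before(state, class_id, secure, rules=None):
    """Behavior the issue reports: only the firewall profile is consulted."""
    return firewall_verdict(rules, class_id, secure)


def filter_after(state, class_id, secure, rules=None):
    """Requested behavior: the CIP Security state gates first, the firewall refines."""
    if state is State.CONFIGURED and class_id in SECURITY_RELATED and not secure:
        return STATUS_PRIVILEGE_VIOLATION
    return firewall_verdict(rules, class_id, secure)


def compare(state, secure, rules=None, classes=(0x5D, 0xF5, 0x01)):
    """Return {class_id: (before, after)}; 0x01 (Identity) is not in the issue's list."""
    return {c: (filter_before(state, c, secure, rules),
                filter_after(state, c, secure, rules)) for c in classes}


if __name__ == "__main__":
    # Constructed requests: CONFIGURED device, no firewall profile present.
    for secure in (False, True):
        for cid, (b, a) in compare(State.CONFIGURED, secure).items():
            print(f"secure={secure!s:5} class 0x{cid:02X}: before=0x{b:02X} after=0x{a:02X}")
```

With no firewall profile, `filter_before` accepts a non-secure request to class 0x5D on a CONFIGURED device, while `filter_after` rejects it, and a firewall rule cannot loosen that result.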