
iba: Deserialization vulnerability in ibaPDA and ibaDatCoordinator

VDE-2026-051
Last update: 17.06.2026 14:00
Published at: 17.06.2026 14:00
Vendor(s): iba AG
External ID: VDE-2026-051

Summary

A vulnerability has been identified in ibaPDA and ibaDatCoordinator. The affected applications do not properly restrict the .NET BinaryFormatter when deserializing client-server input. This could allow an attacker to cause a type confusion and execute arbitrary code within the affected applications. This is the same issue that exists for the .NET BinaryFormatter: docs.microsoft.com/en-us/visualstudio....

Impact

Remote code execution (RCE) in the context of the service user account, which allows privilege escalation.

Affected Product(s)

Model no. Product name Affected versions
ibaDatCoordinator vers:semver/>=1.0.0|<4.0.7
ibaPDA vers:semver/>=1.0.0|<8.14.0

Vulnerabilities


Published: 17.06.2026 16:50
Weakness: Deserialization of Untrusted Data (CWE-502)
Summary

A remote, unauthenticated attacker may exploit a deserialization of untrusted data vulnerability in ibaPDA or ibaDatCoordinator to gain full access to the affected systems.

References

Mitigation

Restrict connections to localhost
- (Info: Applies only to ibaPDA. For ibaDatCoordinator, continue with the next step.) Go to I/O Manager → General and deactivate the option "Automatically open necessary ports in Windows Firewall." (If this option remains active, after a restart of ibaPDA or a restart for data acquisition, the firewall will be reconfigured automatically.)
- Then go to Advanced Windows Firewall settings and delete or deactivate all incoming rules for the ibaPDA / ibaDatCoordinator Client and Server.
- Create manual firewall rules for the connection you use for ibaPDA or ibaDatCoordinator and verify that you have the correct ports configured. Help regarding which ports the ibaPDA or ibaDatCoordinator Service uses can be found in the iba Help Center.

Important: After the change, verify that all ibaPDA or ibaDatCoordinator services are working as expected and that the data acquisition is functioning correctly.
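
The firewall steps above, sketched as a PowerShell script. This is an added example, not part of the advisory and not iba tooling. The rule-name pattern, the TCP protocol, the manual rule name and the parameter names are assumptions; the port numbers are not given here and must be taken from the iba Help Center.

```powershell
#Requires -RunAsAdministrator
# Added example, not iba tooling. Assumptions: rule display names contain the
# product name, the service listens on TCP, and the operator supplies the ports
# (from the iba Help Center) and the client addresses. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$NamePattern = 'ibaPDA|ibaDatCoordinator',  # assumed rule naming
    [ValidateRange(1, 65535)][int[]]$ServicePort,       # no default: not in the advisory
    [string[]]$AllowedClient                            # addresses of permitted clients
)

# ibaPDA only: first clear "Automatically open necessary ports in Windows
# Firewall" in I/O Manager, or the rules disabled below are recreated.

# Step 2: report every enabled inbound rule for the products, then disable it.
$rules = @(Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.DisplayName -match $NamePattern })

foreach ($rule in $rules) {
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    Write-Host ('{0}: {1}/{2} from {3}' -f $rule.DisplayName, $port.Protocol,
        ($port.LocalPort -join ','), ($addr.RemoteAddress -join ','))
    if ($PSCmdlet.ShouldProcess($rule.DisplayName, 'Disable inbound rule')) {
        $rule | Disable-NetFirewallRule
    }
}

# Step 3: one manual rule, scoped to named clients. Without -ServicePort and
# -AllowedClient no rule is created and no inbound rule for the products stays enabled.
$manual = 'Manual inbound - iba service (restricted)'  # must not match $NamePattern
if ($ServicePort -and $AllowedClient -and
    -not (Get-NetFirewallRule -DisplayName $manual -ErrorAction SilentlyContinue) -and
    $PSCmdlet.ShouldProcess($manual, 'Create inbound rule')) {
    New-NetFirewallRule -DisplayName $manual -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $ServicePort -RemoteAddress $AllowedClient |
        Out-Null
}

# Check: after a real run (no -WhatIf) this count should be 0.
$left = @(Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.DisplayName -match $NamePattern })
Write-Host "Enabled inbound rules still matching '$NamePattern': $($left.Count)"
```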

Remediation

Update to the fixed versions listed below:
- ibaPDA v8.14.0
- ibaDatCoordinator v4.0.7

Acknowledgments

iba AG thanks the following parties for their efforts:

Revision History

Version Date Summary
1.0.0 17.06.2026 14:00 Initial revision