Back to overview

M&M Software (WAGO): Deserialisation of untrusted data in fdtContainer

VDE-2020-048
Last update
01/14/2021 15:57
Published at
01/14/2021 15:57
Vendor(s)
WAGO GmbH & Co. KG
External ID
VDE-2020-048
CSAF Document
Download

Summary

The fdtCONTAINER component is integrated into an application (host application). The fdtCONTAINER application is a specific host application which integrates the fdtCONTAINER component.

The fdtCONTAINER component exchanges binary data blobs with such a host application. Typically, the host application saves these binary data blobs into a project storage (project file or a project database).

To manipulate the data inside the project storage, the attacker needs write access to this project storage. Additionally, the manipulated project needs to be opened by the host application. It depends on the host application whether opening the project requires a user action or not. In
fdtCONTAINER applications, the user has to open the manipulated project file manually.

In the case of opening a stored project, the deserialization of the manipulated data can be exploited.

Impact

The engineering workstation, on which the host application is executed, might execute malicious code with the user rights of the host application.

Affected Product(s)

Model no. Product name Affected versions
dtmINSPECTOR bBased on FDT 1.2.x 3 dtmINSPECTOR bBased on FDT 1.2.x 3
fdtCONTAINER application 4.5.0<4.5.20304.x fdtCONTAINER application 4.5.0<4.5.20304.x
fdtCONTAINER application 4.6.0<4.6.20304.x fdtCONTAINER application 4.6.0<4.6.20304.x
fdtCONTAINER application <4.5 fdtCONTAINER application <4.5
fdtCONTAINER component 3.5.0<3.5.20304.x fdtCONTAINER component 3.5.0<3.5.20304.x
fdtCONTAINER component 3.6.0<3.6.20304.x fdtCONTAINER component 3.6.0<3.6.20304.x
fdtCONTAINER component <3.5 fdtCONTAINER component <3.5

Vulnerabilities

Expand / Collapse all

Published
09/22/2025 14:57
Severity
7.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Weakness
Deserialization of Untrusted Data (CWE-502)
Summary

M&M Software fdtCONTAINER Component in versions below 3.5.20304.x and between 3.6 and 3.6.20304.x is vulnerable to deserialization of untrusted data in its project storage.

References
cve.org | nvd.nist.gov

Mitigation

  • Exchange project data only via secure exchange services
  • Use appropriate means to protect the project storage from unauthorized manipulation
  • Do not open project data from an unknown source
  • Reduce the user rights of the host application to the necessary minimum

Remediation

M&M provides two technical solution options. Customers may choose between the following:

Option 1:

Update the fdtCONTAINER component or fdtCONTAINER application to a version that offers more secure deserialization of project data.

  • This version still uses a deprecated serialization technology,
    but fixes the currently known attack vector.
  • It remains compatible with existing, non-manipulated project files.

Implemented in:
- fdtCONTAINER component: 3.6.20304.x – < 3.7
- fdtCONTAINER application: 4.6.20304.x – < 4.7

Option 2:

Update the fdtCONTAINER component or fdtCONTAINER application to a version that uses an updated serialization technology for deserialization.

  • This option ensures secure handling of project data.
  • Incompatible with existing, non-manipulated project files.

Implemented in:
- fdtCONTAINER component: ≥ 3.7
- fdtCONTAINER application: ≥ 4.7

The fixed version of dtmINSPECTOR will also apply Option 2
and is planned to be available in Q1 2021.

Revision History

Version Date Summary
1.0.0 01/14/2021 15:57 initial revision