Back to overview

Endress+Hauser: Multiple products are vulnerable to code injection

VDE-2024-041
Last update
09/10/2024 10:00
Published at
09/10/2024 10:00
Vendor(s)
Endress+Hauser AG
External ID
VDE-2024-041
CSAF Document
Download

Summary

Echo Curve Viewer is an utility used for offline visualization of previously recorded envelope curve data. Envelope curve records are exported from other Endress+Hauser software products like FieldCare as .curves files.

Echo Curve Viewer opens .curves files and displays their contents. The .curves files contain device- specific C# calculation scripts as .cs files, that are needed for the interpretation of certain curve record types.

Echo Curve Viewer loads .curves files and executes the contained C# code.

Impact

.curves files are not authenticated and universally trusted by the Echo Curve Viewer. Therefore, the contained C# code is executed without further authentication or validation.

Potential attack vector: manipulated .cs files with malicious C# code may be included in .curves file.

Affected Product(s)

Model no. Product name Affected versions
Echo Curve Viewer <=5.2.2.6 Echo Curve Viewer <=5.2.2.6
Field Xpert SMT50 <=SMT50_Win10_LTSC_21H2_v1.07.00_RC02_03 Field Xpert SMT50 <=SMT50_Win10_LTSC_21H2_v1.07.00_RC02_03
Field Xpert SMT70 <=SMT70_Win10_LTSC_21H2_v1.07.00_RC02_01 Field Xpert SMT70 <=SMT70_Win10_LTSC_21H2_v1.07.00_RC02_01
Field Xpert SMT77 <=SMT77_Win10_SAC_22H2_v1.08.04_RC03_02 Field Xpert SMT77 <=SMT77_Win10_SAC_22H2_v1.08.04_RC03_02
Field Xpert SMT79 <=V1.08.02-1.8.8684.34292 Field Xpert SMT79 <=V1.08.02-1.8.8684.34292
FieldCare SFE500 Package USB <=V1.40.00.7448 FieldCare SFE500 Package USB <=V1.40.00.7448
FieldCare SFE500 Package Web-Package <=V1.40.00.7448 FieldCare SFE500 Package Web-Package <=V1.40.00.7448

Vulnerabilities

Expand / Collapse all

Published
09/22/2025 14:57
Severity
9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness
Improper Control of Generation of Code ('Code Injection') (CWE-94)
Summary

An unauthenticated remote attacker can run malicious c# code included in curve files and execute commands in the users context.

References
cve.org | nvd.nist.gov

Remediation

  • For standalone Echo Curve Viewer installations, download and install Echo Curve Viewer version >=6.00.00 from the Endress+Hauser Software Portal
  • For bundled installations with FieldCare SFE500, download and install FieldCare SFE500 Package version >= 1.40.1 from the Endress+Hauser Software Portal external link
  • For Field Xpert Devices, the required update is installed automatically during startup. This requires a
    working internet connection and (under certain circumstances) a valid maintenance period and/or a
    connection to the E+H Netilion Cloud. Please refer to the Field Xpert documentation for details regarding
    the update mechanism.

Revision History

Version Date Summary
1 09/10/2024 10:00 Initial revision.