Festo: Several vulnerabilities in FactoryViews

FactoryViews bundles many third-party applications which are used in background processes to provide the software's features. From time to time, vulnerabilities in these bundled applications are discovered. These are typically fixed in newer versions of FactoryViews by updating the bundled applications.

FactoryViews versions up to and including 1.5.2 contain around 200 such vulnerabilities listed in this advisory.
Version 1.6.0 is a security rollup release which includes updates to all bundled applications and fixes these vulnerabilities.

At this time, FactoryViews Lite cannot be updated beyond version 1.1.
FactoryViews 1.7 will unify non-Lite and Lite versions and fix these vulnerabilities for users of FactoryViews Lite.



Frauscher Diagnostic System FDS001 for FAdC R1 and FAdCi R1 v1.3.3 and all previous versions are vulnerable to a path traversal vulnerability of the web interface by a crafted URL without authentication.



An authenticated attacker can send a malformed packet to trigger a device crash via the CODESYS V2 runtime commands parsing.

Update: 08.07.2024 release date of the updates has been changed.



An unauthenticated attacker with network access to port 502/TCP of the target device can cause a denial-of-service condition by sending multiple specially crafted packets. The MODBUS server does not properly release memory resources that were reserved for incomplete connection attempts by MODBUS clients. This could allow a remote attacker to generate a denial of service condition on devices that incorporate a vulnerable version of the MODBUS server.



The FL MGUARD family of devices is affected by two vulnerabilities.



Two vulnerabilites have been discovered in myREX24 and myREX24.virtual in all versions through 2.13.3.



Two vulnerabilites have been discovered in mbCONNECT24 and mbCONNECT24 in all versions through 2.13.3.



The “legal information” plugin of web-based-management contained a vulnerability which allowed execution of arbitrary commands with privileges of www user.

UPDATE A 15.06.2023 :

  • Removed PFC100 with FW23 as affected product and from solution
  • PFC200 with FW23 is only affected on 750-821x/xxx-xxx
  • Renamed "FW22 Patch 1" to "FW22 SP1" to match the versions of the download portal



Feeds

Nach Hersteller

Archiv

2024
2023
2022
2021
2020
2019
2018
2017

Legende

(Scoring für CVSS 2.0,3.0+3.1)
keine
Kein CVE verfügbar
Niedrig
0.1 <= 3.9
Mittel
4.0 <= 6.9
Hoch
7.0 <= 8.9
Kritisch
9.0 <= 10.0