| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| authelia-bhf included in TwinCAT/BSD | < 4.37.5 |
With TwinCAT/BSD based products the HTTPS request to the Authelia login page accepts user-controlled input that specifies a link to an external site.
The package authelia-bhf included in Beckhoffs TwinCAT/BSD is prone to an open redirect that allows a remote unprivileged attacker to redirect a user to another site. This may have limited impact to integrity and does solely affect anthelia-bhf the Beckhoff fork of authelia.
By default TwinCAT/BSD based products have Authelia installed and configured to perform the user authentication for web applications hosted on a target. This installation and configuration is provided with the package named “authelia-bhf”. With the affected versions of the package Authelia is configured to accept user-controlled input via URL parameter that specifies a link which can then be a link to an arbitrary external site.
Please note: The sources for the package “authelia-bhf” are a fork from the original Open Source Software called “Authelia”. The vulnerability was exclusively introduced with that fork and has been removed there. It never became part of “Authelia”.
Mitigation
Use firewall or web-proxy technology at your network perimeter which allow internal clients to access only trusted external sites directly.
Remediation
Please update to a recent version of the affected product.
Beckhoff Automation thanks Benedikt Kühne, Siemens Energy for reporting the issue and for support and efforts with the coordinated disclosure. Also Beckhoff Automation thanks CERT@VDE for coordination.
The Beckhoff Advisory can be found at https://download.beckhoff.com/download/Document/product-security/Advisories/advisory-2023-001.pdf