VDE-2024-018 | CERT@VDE

2024-02-28 08:00 (CET) VDE-2024-018

Wiesemann & Theis: Multiple products prone to unquoted search path (Update A)

Share: Email | Twitter

ID

VDE-2024-018

Published

2024-02-28 08:00 (CET)

Last update

2024-03-07 09:50 (CET)

Vendor(s)

Wiesemann & Theis GmbH

Product(s)

Article No°	Product Name	Affected Version(s)
00102	Com Redirector Legacy	<= 3.93
00111	Com Redirector PnP	<= 4.42
00103	OPC-Server	<= 4.88

Summary

Multiple Wiesemann & Theis software products are affected by a vulnerability through an unquoted search path in the Windows registry. A local attacker can execute arbitrary code and gain administrative privileges by inserting an executable file in the path of the affected product.

Update A, 07.03.2024

Incorrect version numbers have been corrected.

CVE ID

CVE-2024-25552

Last Update:

30. August 2024 09:25

Severity

7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Weakness

Unquoted Search Path or Element (CWE-428)

Summary

A local attacker can gain administrative privileges by inserting an executable file in the path of the affected product.

Details

cert.vde.com

Impact

A local attacker can execute arbitrary code through the affected products and gain administrative privileges by inserting an executable file in a specific path.

Solution

Remediation

Update Com Redirector Legacy to version 3.94 or higher (Art.No. 00102)
Update Com Redirector PnP to version 4.43 or higher (Art.No. 00111)
Update OPC-Server to version 4.89 or higher (Art.No. 00103)

Reported by

CERT@VDE coordinated with Wiesemann & Theis