
ID

VDE-2024-049

Published

2024-08-27 10:00 (CEST)

Last update

2024-08-27 08:57 (CEST)

Vendor(s)

Beckhoff Automation GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
IPC Diagnostics package < 2.0.0.1
TwinCAT/BSD < 14.1.2.0_153968

Summary

By default, TwinCAT/BSD-based products have a device-specific web interface for web-based management (WBM) enabled, developed by Beckhoff and known as the Beckhoff Device Manager UI. It can be accessed remotely or locally. When accessed locally, a user can post specifically crafted input that causes the “MDPWebServer” process to consume as many CPU cycles and as much Random Access Memory (RAM) as it can obtain.


Last Update:

30 August 2024 09:21

Weakness

Allocation of Resources Without Limits or Throttling (CWE-770)

Summary

The IPC-Diagnostics package included in TwinCAT/BSD is vulnerable to a local denial-of-service attack by a low-privileged attacker.


Impact

A local, low-privileged attacker could cause a denial of service.

Solution

Mitigation

Avoid having user accounts with login permission on the target other than the administrator account. By default, TwinCAT/BSD has preconfigured user accounts with lower privileges, but none of them has a password, so they are denied remote access. Avoid running third-party applications on the target that have not been properly audited, regardless of the user they run as.
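An added audit script, not part of the advisory, that checks the account condition described in the mitigation on a TwinCAT/BSD (FreeBSD-based) host: it lists accounts with a usable password and a login shell, and singles out those outside the administrative group (gid 0). The master.passwd sample and account names are constructed for the example.

```shell
# Constructed sample in /etc/master.passwd format (hypothetical accounts):
# name:password:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_MASTER_PASSWD='root:$6$salt$hashA:0:0::0:0:Charlie &:/root:/bin/csh
Administrator:$6$salt$hashB:1001:0::0:0::/home/Administrator:/bin/sh
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
guest::1002:1002::0:0::/home/guest:/bin/sh
svc_vendor:$6$salt$hashC:1003:1003::0:0::/home/svc_vendor:/bin/sh'

# Emit "name:gid" for accounts that can authenticate with a password:
# a non-empty hash that is not disabled ("*" or a "*LOCKED*" prefix, as
# FreeBSD's pw(8) writes it) and a shell other than nologin.
_password_enabled() {
  awk -F: 'NF >= 10 && $2 != "" && $2 != "*" && $2 !~ /^\*LOCKED\*/ \
           && $10 !~ /nologin$/ { print $1 ":" $4 }'
}

# All password-enabled accounts, one name per line.
login_capable() {
  printf '%s\n' "$1" | _password_enabled | cut -d: -f1
}

# Password-enabled accounts whose primary group is not gid 0 (wheel on
# FreeBSD): these are the accounts the mitigation asks to remove or lock.
non_admin_login_capable() {
  printf '%s\n' "$1" | _password_enabled | awk -F: '$2 != 0 { print $1 }'
}

# Run against the constructed sample. On a real host read the shadow file
# (needs root; /etc/passwd carries "*" in every password field):
#   non_admin_login_capable "$(cat /etc/master.passwd)"
echo "Password-enabled accounts:"
login_capable "$SAMPLE_MASTER_PASSWD"
echo "Non-administrator accounts to review:"
non_admin_login_capable "$SAMPLE_MASTER_PASSWD"
```

Accounts with an empty password field are not listed, matching the advisory's statement that such accounts are denied remote access; locking or removing them is still worth considering because the reported issue is local.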

Remediation

Please update to a recent version of the affected product. In general, Beckhoff recommends updating the entire TwinCAT/BSD operating system to a current version rather than individual packages. Information on updating existing TwinCAT/BSD installations is available here. There you will also find information on how to determine the operating system version via the command line. This is also visible via the Beckhoff Device Manager UI. Please note that when updating from the TwinCAT/BSD major version 12, two consecutive upgrades are required.

Reported by

Reported by Andrea Palanca of Nozomi Networks
CERT@VDE coordinated with Beckhoff