
ID

VDE-2024-064

Published

2024-10-31 12:00 (CET)

Last update

2024-10-31 08:31 (CET)

Vendor(s)

Beckhoff Automation GmbH & Co. KG

Product(s)

Article No° | Product Name | Affected Version(s)
 | TwinCAT Package Manager | < 1.0.603.0

Summary

Beckhoff's TwinCAT 3.1 Build 4026 software is modularized and is installed with different packages depending on user requirements. These packages are selected and installed using either the command line utility tcpkg or the corresponding graphical user interface called TwinCAT Package Manager. Both use the same configuration that specifies where to load packages from. These locations are called feeds, have preconfigured default settings and can be customized by administrative users, for example to add another local mirror of a package server. When using the TwinCAT Package Manager on a PC, a user with administrative access rights can locally set a specially crafted URL for a feed that causes the TwinCAT Package Manager to execute arbitrary operating system commands.


Last Update:

8. November 2024 09:03

Weakness

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Summary

A local user with administrative access rights can enter specially crafted values for settings in the user interface (UI) of the TwinCAT Package Manager, which then cause arbitrary OS commands to be executed.


Impact

A local user with administrative access rights can enter specially crafted values for settings in the user interface (UI) of the TwinCAT Package Manager, which then cause arbitrary OS commands to be executed.

Solution

Mitigation

Administrative users shall always act with care and inspect the values they enter.
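One way to make that inspection repeatable is to check every feed value against a strict allow-list before it is entered. The following is an added example, not Beckhoff's code and not part of the advisory; it does not read any TwinCAT configuration, and the policy (http/https only, a fixed set of safe characters), the function names, and the feed names and URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed policy for this example: a feed is a plain http(s) URL built only
# from characters that no common shell (cmd.exe, PowerShell, sh) interprets.
ALLOWED_SCHEMES = {"https", "http"}
SAFE_CHARS = re.compile(r"[A-Za-z0-9._~:/-]")


def check_feed_url(url):
    """Return the reasons a feed value should be rejected (empty list = accept)."""
    problems = []
    odd = sorted({c for c in url if not SAFE_CHARS.fullmatch(c)})
    if odd:
        problems.append("characters outside allow-list: " + " ".join(map(repr, odd)))
    try:
        parts = urlsplit(url)
        parts.port  # property access raises ValueError on a malformed port
    except ValueError as exc:
        problems.append(f"not a well-formed URL: {exc}")
        return problems
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        problems.append(f"scheme {parts.scheme!r} not allowed")
    if not parts.hostname:
        problems.append("no host name")
    return problems


def audit_feeds(feeds):
    """Map each rejected feed name to its list of problems."""
    report = {name: check_feed_url(url) for name, url in feeds.items()}
    return {name: probs for name, probs in report.items() if probs}


# Constructed sample values, not taken from any real TwinCAT configuration.
FEEDS = {
    "vendor-default": "https://packages.example.invalid/stable/v3/index.json",
    "local-mirror": "http://mirror.example.invalid:8080/tc/index.json",
    "pasted-from-chat": 'https://mirror.example.invalid/feed" & echo constructed-marker & "',
    "wrong-scheme": "file://fileserver/share/feed",
    "bad-port": "https://mirror.example.invalid:80a/feed",
}

if __name__ == "__main__":
    for name, probs in audit_feeds(FEEDS).items():
        print(name, "->", "; ".join(probs))
```

If feeds on a given site legitimately use local folder paths or query strings, the allow-list has to be widened deliberately rather than switched off.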

Remediation

Please update to a recent version of the affected product.

Reported by

CERT@VDE coordinated with Beckhoff

Beckhoff Automation GmbH & Co. KG thanks elcazator from ELEX FEIGONG RESEARCH INSTITUTE of Elex CyberSecurity, Inc. for reporting.