Summary
A critical vulnerability has been discovered in the fdtCONTAINER component by M&M Software GmbH, which PACTware uses for its project storage.
The vulnerability is triggered while PACTware 5 project files (PW5 files) are deserialized during loading and can be exploited to execute arbitrary code.
Impact
An attacker who can supply a manipulated project file to a workstation running PACTware 5 may exploit the vulnerability: as soon as that project file is loaded, malicious code is executed with the rights of the host application, without any warning to the user.
For more information see:
VDE-2020-048: M&M Software (WAGO): Deserialisation of untrusted data in fdtContainer
Affected Product(s)
Model no. | Product name | Affected versions |
---|---|---|
Software PACTware 5.0 | Software PACTware 5.0 | <= 5.0.5.31 |
Vulnerabilities
M&M Software fdtCONTAINER Component in versions below 3.5.20304.x and between 3.6 and 3.6.20304.x is vulnerable to deserialization of untrusted data in its project storage.
Mitigation
- Exchange project data only via secure exchange services
- Use appropriate means to protect the project storage from unauthorized manipulation
- Do not open project data from an unknown source
- Reduce the user rights of the host application to the necessary minimum
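The second and third mitigations amount to one rule: a PW5 file must not reach the deserializer unless its integrity and origin have been checked first. The following script is an added example of such a gate and is not part of the advisory, PACTware or M&M Software's code. It assumes (none of this is stated on the page) that project files live in one directory, that the engineering team keeps a secret HMAC key off the exchange path, and that the host application is only pointed at files that pass `safe_to_open()`; the manifest name `pw5-manifest.json` and all file contents are constructed for the demo.

```python
"""Integrity gate for PACTware 5 project files (*.pw5) before they are loaded.

Added example, not advisory or vendor code. Assumptions: one project directory,
an HMAC key that never travels with the project data, and a host application
that opens a file only after safe_to_open() returns True.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "pw5-manifest.json"   # hypothetical name, not a PACTware artefact
PROJECT_GLOB = "*.pw5"


def sha256_file(path: Path) -> str:
    """Stream the file so large projects do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(files: dict) -> bytes:
    # Fixed key order and separators so the tag is stable across platforms.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(project_dir: Path, key: bytes) -> dict:
    """Hash every project file and authenticate the listing with HMAC-SHA256."""
    files = {p.name: sha256_file(p) for p in sorted(project_dir.glob(PROJECT_GLOB))}
    tag = hmac.new(key, _canonical(files), hashlib.sha256).hexdigest()
    manifest = {"files": files, "tag": tag}
    (project_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_project(project_dir: Path, key: bytes) -> dict:
    """Return {filename: status}; status is 'ok', 'modified', 'missing' or 'unsigned'.

    'unsigned' covers files on disk that the manifest never listed, which is how
    a dropped-in project from an unknown source shows up. A manifest whose tag
    does not verify (forged or edited without the key) marks every listed file
    'modified', so re-hashing a tampered file does not help the attacker.
    """
    manifest_path = project_dir / MANIFEST_NAME
    on_disk = {p.name: p for p in project_dir.glob(PROJECT_GLOB)}
    if not manifest_path.exists():
        return {name: "unsigned" for name in on_disk}
    manifest = json.loads(manifest_path.read_text())
    files = manifest.get("files", {})
    expected = hmac.new(key, _canonical(files), hashlib.sha256).hexdigest()
    manifest_ok = hmac.compare_digest(expected, manifest.get("tag", ""))

    status = {}
    for name, digest in files.items():
        if name not in on_disk:
            status[name] = "missing"
        elif not manifest_ok or sha256_file(on_disk[name]) != digest:
            status[name] = "modified"
        else:
            status[name] = "ok"
    for name in on_disk:
        status.setdefault(name, "unsigned")
    return status


def safe_to_open(project_dir: Path, key: bytes, filename: str) -> bool:
    """Only hand a project file to the host application when it verifies."""
    return verify_project(project_dir, key).get(filename) == "ok"


def demo_manipulated_file() -> dict:
    """Constructed run: one file is altered in place, one appears from nowhere."""
    key = b"example-key-keep-this-off-the-share"   # constructed, not a real key
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "plant.pw5").write_bytes(b"constructed PW5 payload A")
        (d / "line2.pw5").write_bytes(b"constructed PW5 payload B")
        build_manifest(d, key)
        # The situation from the Impact section: a manipulated project file arrives.
        (d / "plant.pw5").write_bytes(b"constructed PW5 payload A + attacker data")
        (d / "dropped.pw5").write_bytes(b"constructed unknown project")
        return verify_project(d, key)


def demo_forged_manifest() -> dict:
    """Constructed run: attacker rewrites the manifest hash but lacks the key."""
    key = b"example-key-keep-this-off-the-share"   # constructed, not a real key
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "plant.pw5").write_bytes(b"constructed PW5 payload A")
        build_manifest(d, key)
        (d / "plant.pw5").write_bytes(b"constructed replacement project")
        m = json.loads((d / MANIFEST_NAME).read_text())
        m["files"]["plant.pw5"] = sha256_file(d / "plant.pw5")   # hash fixed, tag not
        (d / MANIFEST_NAME).write_text(json.dumps(m))
        return verify_project(d, key)


if __name__ == "__main__":
    print(demo_manipulated_file())
    print(demo_forged_manifest())
```

HMAC is used here because it is in the standard library; in a real deployment an asymmetric signature (so that workstations only hold a public key) is the better fit for the "secure exchange service" mitigation, since any host holding the HMAC key can also forge manifests. The gate is a control around the deserializer, not a fix for it; the remediation below remains the actual fix.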
Remediation
A fix for the issue will be provided with PACTware 6, planned for Q2 2021, which incorporates the solution proposed by M&M Software, i.e. the fdtCONTAINER component in version 3.6.20304.x or later.
Revision History
Version | Date | Summary |
---|---|---|
1 | 15.01.2021 13:41 | Initial revision. |
2 | 14.05.2025 14:28 | Fix: version space, added distribution |