Summary
Beckhoff's TwinCAT 3.1 Build 4026 software is modularized and is installed with different packages depending on user requirements. These packages are selected and installed using either the command line utility tcpkg or the corresponding graphical user interface called TwinCAT Package Manager. Both use the same configuration that specifies where to load packages from. These locations are called feeds, have preconfigured default settings and can be customized by administrative users, for example to add another local mirror of a package server. When using the TwinCAT Package Manager on a PC, a user with administrative access rights can locally set a specially crafted URL for a feed that causes the TwinCAT Package Manager to execute arbitrary operating system commands.
Impact
A local user with administrative access rights can enter specialy crafted values for settings at the user interface (UI) of the TwinCAT Package Manager which then causes arbitrary OS commands to be executed.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| TwinCAT Package Manager <1.0.603.0 | TwinCAT Package Manager <1.0.603.0 |
Vulnerabilities
Expand / Collapse allMitigation
Administrative users shall always act thoroughly and inspect the values which they enter.
Remediation
Please update to a recent version of the affected product.
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 31.10.2024 12:00 | initial revision |
| 2 | 16.01.2025 11:30 | Fix: list of branches, references |
| 3 | 11.04.2025 09:00 | Fix: version range |