Summary
Vulnerabilities in the .NET and Visual Studio functions System.Text.Json, System.Formats.Asn1, and OPCFoundation.NetStandard.Opc.Ua.Core allow a remote attacker to execute a Denial-of-Service attack.
Impact
Availability of an application programming workstation might be compromised by attacks using these vulnerabilities.
Affected Product(s)
Model no. | Product name | Affected versions |
---|---|---|
1046008 | PLCnext Engineer <2024.0.4 LTS | PLCnext Engineer <2024.0.4 LTS |
1046008 | PLCnext Engineer <2024.6 | PLCnext Engineer <2024.6 |
Vulnerabilities
.NET and Visual Studio Denial of Service Vulnerability.
Details: msrc.microsoft.com/update-guide/vulne...
A buffer-management vulnerability in OPC Foundation OPCFoundation.NetStandard.Opc.Ua.Core before 1.05.374.54 could allow remote attackers to exhaust memory resources. It is triggered when the system receives an excessive number of messages from a remote source. This could potentially lead to a denial of service (DoS) condition, disrupting the normal operation of the system.
.NET Core and Visual Studio Denial of Service Vulnerability.
Details: msrc.microsoft.com/update-guide/vulne...
Mitigation
To mitigate the vulnerabilities and to ensure the availability of PLCnext Engineer, please ensure that only data from trusted sources is used.
Remediation
Phoenix Contact recommends that affected users update to the current PLCnext Engineer 2024.0.4 LTS or 2024.6, which fixes the vulnerabilities.
Revision History
Version | Date | Summary |
---|---|---|
1 | 08.10.2024 12:00 | A new PLCnext Engineer release fixes known vulnerabilities in open-source libraries utilized by PLCnext Engineer. |
2 | 30.10.2024 14:00 | No security-related changes; revamped product tree |
3 | 06.11.2024 12:27 | Fix: added self-reference |
4 | 10.04.2025 15:00 | Fixed self-reference URL |
5 | 14.05.2025 15:00 | Fix: added distribution |