
Beckhoff's TwinCAT 3 Engineering software is intended for creating automation projects, which consist of a set of files stored locally, either as loose files underneath a project folder or in a packed file. Among the unpacked local files, TwinCAT 3 Engineering stores user settings and preferences that make it convenient to resume earlier work on the project. These settings are kept in files called "Solution User Options (.suo) File". When such settings are manipulated or crafted by an adversary in a specific way, TwinCAT 3 Engineering executes arbitrary commands determined by these settings as soon as the user opens the project with TwinCAT 3 Engineering. These commands run in the context of that user.

Please note that solution user option files should not be checked into source code control. This is a general best practice when working with source code projects and solutions, not only for TwinCAT. For example, see https://learn.microsoft.com/en-us/visualstudio/extensibility/internals/solution-user-options-dot-suo-file and https://infosys.beckhoff.com/content/1033/tc3_sourcecontrol/14604066827.html.

The vulnerability is similar to older vulnerabilities that were addressed in the CODESYS Development System V3 product from CODESYS GmbH with CVE-2021-21864, CVE-2021-21865, CVE-2021-21866, CVE-2021-21867, CVE-2021-21868, CVE-2021-21869, and the associated Advisory 2021-13 from CODESYS GmbH.
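Because a .suo file received from a third party (or pulled from a repository where someone checked it in) is executed as trusted settings when the project is opened, a practical precaution is to strip such files out of an untrusted project before opening it and to make sure the repository ignores them. The following Python script is an added example written for this page; it is not Beckhoff's tooling and it does not parse the .suo format. It locates .suo files case-insensitively, checks whether a simple .gitignore pattern already covers them, and moves them into a quarantine folder so the engineering tool regenerates default user options on the next open. The sample project tree built in demo() is constructed for illustration.

```python
import fnmatch
import shutil
import tempfile
from pathlib import Path


def find_suo_files(project_dir):
    """Return every Solution User Options file below project_dir, case-insensitive."""
    root = Path(project_dir)
    return sorted(p for p in root.rglob("*") if p.is_file() and p.suffix.lower() == ".suo")


def gitignore_covers_suo(project_dir):
    """True if the project's .gitignore has a glob line matching a .suo file name.

    Only plain glob lines are considered: comments, negations and directory
    anchoring are ignored, which is enough to catch the usual '*.suo' entry."""
    gi = Path(project_dir) / ".gitignore"
    if not gi.is_file():
        return False
    for line in gi.read_text(encoding="utf-8", errors="replace").splitlines():
        pat = line.strip()
        if not pat or pat.startswith("#") or pat.startswith("!"):
            continue
        if fnmatch.fnmatch("project.suo", pat.lstrip("/")):
            return True
    return False


def quarantine_suo_files(project_dir, quarantine_dir):
    """Move all .suo files out of the project, preserving their relative paths.

    Returns the moved paths (relative to project_dir, POSIX separators)."""
    root = Path(project_dir)
    qroot = Path(quarantine_dir)
    moved = []
    for suo in find_suo_files(root):
        rel = suo.relative_to(root)
        dest = qroot / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(suo), str(dest))
        moved.append(rel.as_posix())
    return moved


def demo():
    """Build a constructed sample project in a temp dir and run all three checks."""
    base = Path(tempfile.mkdtemp())
    proj = base / "PlcProject"
    (proj / "sub").mkdir(parents=True)
    # Constructed placeholders, not real .suo content (only the name matters here).
    (proj / "PlcProject.suo").write_bytes(b"\xd0\xcf\x11\xe0")
    (proj / "sub" / "old.SUO").write_bytes(b"\xd0\xcf\x11\xe0")
    (proj / "Main.TcPOU").write_text("<TcPlcObject/>")
    (proj / ".gitignore").write_text("# local user state\n*.suo\n")

    found = [p.relative_to(proj).as_posix() for p in find_suo_files(proj)]
    covered = gitignore_covers_suo(proj)
    moved = quarantine_suo_files(proj, base / "quarantine")
    remaining = len(find_suo_files(proj))
    return {"found": found, "covered": covered, "moved": moved, "remaining": remaining}


if __name__ == "__main__":
    print(demo())
```

Run demo() against a throwaway tree first; against a real project, point quarantine_suo_files() at the project folder and keep the quarantine directory outside the repository so the moved files cannot be re-added by accident.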



Beckhoff's TwinCAT 3.1 Build 4026 software is modularized and is installed as a set of packages chosen according to user requirements. These packages are selected and installed using either the command line utility tcpkg or the corresponding graphical user interface, the TwinCAT Package Manager. Both use the same configuration, which specifies where packages are loaded from. These locations are called feeds; they have preconfigured defaults and can be customized by administrative users, for example to add a local mirror of a package server. When using the TwinCAT Package Manager on a PC, a user with administrative access rights can locally set a specially crafted URL for a feed that causes the TwinCAT Package Manager to execute arbitrary operating system commands.
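The advisory does not say how the Package Manager consumes the feed URL, so the Python below is an added, generic illustration of the bug class (a configuration value ending up in a shell command) and of the fix, not Beckhoff's code. The vulnerable function interpolates the URL into one string handed to /bin/sh; the hardened one validates the URL and passes it as a single argv element with no shell involved. echo stands in for the real download tool so the demo runs offline, the feed URLs are constructed, and the demo assumes a POSIX shell.

```python
import subprocess
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"https", "file"}
# Characters a POSIX shell would interpret; a feed location has no business
# containing any of them (a feed is a plain hierarchical URL, no query string).
SHELL_META = set(";|&`$<>\"'\\\n\r\t ")

# Constructed sample feeds for the demo.
BENIGN_FEED = "https://mirror.example.internal/feed"
MALICIOUS_FEED = "https://mirror.example.internal/feed; echo INJECTED"


def fetch_feed_vulnerable(feed_url):
    """Vulnerable pattern: the URL is spliced unquoted into a shell command line.

    Anything after a ';' in the URL runs as a second command."""
    cmd = f"echo fetching {feed_url}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_feed_url(feed_url):
    """Accept only https:// (with a host) or file:// URLs made of safe characters."""
    parsed = urlparse(feed_url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported scheme: {parsed.scheme!r}")
    if parsed.scheme == "https" and not parsed.netloc:
        raise ValueError("https feed needs a host")
    bad = sorted(SHELL_META.intersection(feed_url))
    if bad:
        raise ValueError(f"forbidden characters in feed URL: {bad}")
    return feed_url


def is_safe_feed_url(feed_url):
    """Boolean wrapper around validate_feed_url for callers that just want a verdict."""
    try:
        validate_feed_url(feed_url)
        return True
    except ValueError:
        return False


def fetch_feed_hardened(feed_url):
    """Hardened pattern: validate first, then pass the URL as one argv element.

    With an argument list and shell=False there is no shell to parse metacharacters."""
    url = validate_feed_url(feed_url)
    return subprocess.run(["echo", "fetching", url], capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("vulnerable:", fetch_feed_vulnerable(MALICIOUS_FEED).strip())
    print("hardened:  ", fetch_feed_hardened(BENIGN_FEED).strip())
    print("malicious accepted by hardened path?", is_safe_feed_url(MALICIOUS_FEED))
```

The validation is belt and braces: dropping shell=True is what actually removes the injection, and the character check exists so that an unexpected value is rejected loudly rather than silently forwarded to whatever tool runs next.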



By default, TwinCAT/BSD-based products have a device-specific web interface for web-based management (WBM) enabled, developed by Beckhoff and known as Beckhoff Device Manager UI. It can be accessed remotely or locally. When accessed locally, the user can bypass input validation by entering specially crafted input into the user interface on certain pages, which then allows local commands to be executed with administrative privileges.



By default, TwinCAT/BSD-based products have a device-specific web interface for web-based management (WBM) enabled, developed by Beckhoff and known as Beckhoff Device Manager UI. It can be accessed remotely or locally. When accessed locally, a user can post specially crafted input that makes the process "MDPWebServer" consume all available CPU cycles and Random Access Memory (RAM), a denial of service.



By default, TwinCAT/BSD-based products have a device-specific web interface for web-based management (WBM) enabled, developed by Beckhoff and known as Beckhoff Device Manager UI. It can be accessed remotely or locally. When accessed locally, the authentication mechanism for the web interface can be bypassed by any local user, regardless of their permissions, and they can act with administrative access rights via this mechanism.



By default, TwinCAT/BSD-based products have a device-specific web interface for web-based management (WBM) enabled, developed by Beckhoff and known as Beckhoff Device Manager UI. It can be accessed remotely or locally. When accessed locally, a user can post specially crafted input that causes a buffer overflow on the stack. This either crashes the process "MDPService", so that the web interface becomes unavailable until the next restart, or allows code execution in the context of the user "root".



With TwinCAT/BSD-based products, the HTTPS request to the Authelia login page accepts user-controlled input that specifies a link to an external site, so the login flow can be made to send the user to an attacker-chosen destination (an open redirect).
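The usual fix for this class of issue is to validate the post-login destination server-side before redirecting, and that check is easy to get wrong (scheme-relative URLs, backslash tricks, credentials in the authority part). The Python below is an added example written for this page, not Authelia's or Beckhoff's implementation; the parameter name rd and the host names are assumptions made for the demo. It accepts only same-site targets and falls back to a default path for everything else.

```python
from urllib.parse import urlsplit


def safe_redirect_target(rd, own_host, default="/"):
    """Return rd if it stays on own_host (or a subdomain of it), else default.

    Accepts absolute https URLs on the own host and plain absolute paths.
    Rejects other schemes, scheme-relative '//host' forms, the '/\\host' form
    that browsers normalise to '//host', and 'user@host' authority tricks."""
    if not rd:
        return default
    own_host = own_host.lower()
    parsed = urlsplit(rd)

    if parsed.netloc:
        # Absolute or scheme-relative URL: only https on our own host survives.
        if parsed.scheme != "https":
            return default
        host = (parsed.hostname or "").lower()
        if host != own_host and not host.endswith("." + own_host):
            return default
        return rd

    # No authority: must be a plain path starting with a single forward slash.
    if parsed.scheme or not rd.startswith("/"):
        return default
    if rd.startswith("//") or rd.startswith("/\\"):
        return default
    return rd


# Constructed sample cases: (redirect parameter, expected result) for a device
# reached as ipc.example.internal.
SAMPLE_CASES = [
    ("/dashboard?tab=1", "/dashboard?tab=1"),
    ("https://ipc.example.internal/settings", "https://ipc.example.internal/settings"),
    ("https://IPC.EXAMPLE.INTERNAL/settings", "https://IPC.EXAMPLE.INTERNAL/settings"),
    ("https://ipc.example.internal.evil.test/", "/"),
    ("https://ipc.example.internal@evil.test/", "/"),
    ("http://ipc.example.internal/settings", "/"),
    ("//evil.test/phish", "/"),
    ("/\\evil.test/phish", "/"),
    ("javascript:alert(1)", "/"),
    ("", "/"),
]


def run_samples(own_host="ipc.example.internal"):
    """Evaluate every sample case; returns the list of failures (empty if all pass)."""
    failures = []
    for rd, expected in SAMPLE_CASES:
        got = safe_redirect_target(rd, own_host)
        if got != expected:
            failures.append((rd, expected, got))
    return failures


if __name__ == "__main__":
    print("failures:", run_samples())
```

Compare the redirect target against the host the device is actually served under, not against a value taken from the request's own Host header, or the check validates attacker input against attacker input.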



By tricking the affected products, acting as OPC UA clients, into contacting a malicious OPC UA server, a crash of the component can be provoked.




Legend (scoring for CVSS 2.0, 3.0 and 3.1)

none: no CVE available
Low: 0.1 to 3.9
Medium: 4.0 to 6.9
High: 7.0 to 8.9
Critical: 9.0 to 10.0