VDE-2020-048 | CERT@VDE

2021-01-14 15:57 (CET) VDE-2020-048

M&M Software (WAGO): Deserialisation of untrusted data in fdtContainer

Share: Email | Twitter

ID

VDE-2020-048

Published

2021-01-14 15:57 (CET)

Last update

2021-01-14 15:57 (CET)

Vendor(s)

M&M Software (WAGO)

Product(s)

Article No°	Product Name	Affected Version(s)
	dtmINSPECTOR bBased on FDT 1.2.x	= 3
	fdtCONTAINER application	< 4.5
	fdtCONTAINER application	4.5.0 < 4.5.20304.x
	fdtCONTAINER application	4.6.0 < 4.6.20304.x
	fdtCONTAINER component	< 3.5
	fdtCONTAINER component	3.5.0 < 3.5.20304.x
	fdtCONTAINER component	3.6.0 < 3.6.20304.x

Summary

The fdtCONTAINER component is integrated into an application (host application). The fdtCONTAINER application is a specific host application which integrates the fdtCONTAINER component.

The fdtCONTAINER component exchanges binary data blobs with such a host application. Typically, the host application saves these binary data blobs into a project storage (project file or a project database).

To manipulate the data inside the project storage, the attacker needs write access to this project storage. Additionally, the manipulated project needs to be opened by the host application. It depends on the host application whether opening the project requires a user action or not. In
fdtCONTAINER applications, the user has to open the manipulated project file manually.

In the case of opening a stored project, the deserialization of the manipulated data can be exploited.

CVE ID

CVE-2020-12525

Last Update:

March 16, 2021, 9:37 a.m.

Severity

7.3 (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

Weakness

Deserialization of untrusted data (CWE-502)

Details

nvd.nist.gov

Impact

The engineering workstation, on which the host application is executed, might execute malicious code with the user rights of the host application.

Solution

Mitigation

Exchange project data only via secure exchange services
Use appropriate means to protect the project storage from unauthorized manipulation
Do not open project data from an unknown source
Reduce the user rights of the host application to the necessary minimum

Remediation

M&M provides option between two technical solutions. Customers may choose between these two options.

Option 1
Update the fdtCONTAINER component / fdtCONTAINER application to a version that provides a more secure deserialization of the project data. This version will still use a deprecated serialization technology, but will fix the currently known attack vector and will be compatible with existing, non-manipulated project files.

Option 1 is implemented in the following product versions:
fdtCONTAINER component: 3.6.20304.x - < 3.7
fdtCONTAINER application: 4.6.20304.x - < 4.7

Option 2
Update the fdtCONTAINER component / fdtCONTAINER application to a version that provides a secure deserialization of the project data with an updated serialization technology. This will break the compatibility to existing, non-manipulated project files.

Option 2 is implemented in the following product versions:
fdtCONTAINER component: >= 3.7
fdtCONTAINER application: >= 4.7

The fixed version of dtmINSPECTOR will also apply option 2, and will be available in Q1 2021.

Reported by

Reported by a customer of the fdtCONTAINER component.
Coordinated by CERT@VDE