VDE-2021-001 | CERT@VDE

2021-01-15 13:41 (CET) VDE-2021-001

Pepperl+Fuchs: Vulnerability allowing code-excution in PACTware <= 5.0.5.31

Share: Email | Twitter

ID

VDE-2021-001

Published

2021-01-15 13:41 (CET)

Last update

2021-01-15 13:41 (CET)

Vendor(s)

Pepperl+Fuchs SE

Product(s)

Article No°	Product Name	Affected Version(s)
	PACTware 5.0	<= 5.0.5.31

Summary

A critical vulnerability has been discovered in the fdtCONTAINER component by M&M Software GmbH used by PACTware.
While de-serializing PACTware 5 project files (loading PW5 files) the vulnerability can be exploited to execute arbitrary code.

CVE ID

CVE-2020-12525

Last Update:

March 16, 2021, 9:37 a.m.

Severity

7.3 (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

Weakness

Deserialization of untrusted data (CWE-502)

Details

nvd.nist.gov

Impact

An attacker might be able to exploit the vulnerability on the workstation running PACTware 5 by supplying/providing a manipulated project file. If that project file is loaded, malicious code can be executed without notice.

For more information see:

VDE-2020-048: M&M Software (WAGO): Deserialisation of untrusted data in fdtContainer

Solution

Mitigation

Exchange project data only via secure exchange services
Use appropriate means to protect the project storage from unauthorized
manipulation
Do not open project data from an unknown source
Reduce the user rights of the host application to the necessary minimum

Remediation

A fix for the issue will be provided with PACTware 6 in Q2 2021 which includes the proposed solution by M&M based on FDT Container component version >= 3.6.20304.x.

Reported by

M&M Software GmbH

Coordinated by CERT@VDE