VDE-2021-002 | CERT@VDE

2021-01-20 14:32 (CET) VDE-2021-002

Weidmueller: WI Manager affected by fdtContainer vulnerability

Share: Email | Twitter

ID

VDE-2021-002

Published

2021-01-20 14:32 (CET)

Last update

2021-01-20 14:32 (CET)

Vendor(s)

Weidmueller Interface GmbH & Co. KG

Product(s)

Article No°	Product Name	Affected Version(s)
	WI Manager	<= 2.5.1

Summary

A vulnerability has been discovered in the fdtCONTAINER component and application by M&M Software GmbH.
As this software is part of the Weidmüller FDT/DTM Software with WI Manager, this Weidmueller software is affected by the above vulnerability as well.

The fdtCONTAINER component exchanges binary data blobs with the WI Manager. The WI Manager saves these binary data blobs into a project file.

If an attacker gets write access to the project file, the project file can be manipulated to contain malicious code.

CVE ID

CVE-2020-12525

Last Update:

March 16, 2021, 9:37 a.m.

Severity

7.3 (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

Weakness

Deserialization of untrusted data (CWE-502)

Details

nvd.nist.gov

Impact

If a manipulated project file is loaded by the WI Manager, malicious code can get executed with the user rights of the WI Manager without notice.

For more information please refer to:

VDE-2020-048: M&M Software (WAGO): Deserialisation of untrusted data in fdtContainer

Solution

Remediation

none yet

Mitigation

Exchange project data only via secure exchange services
Use appropriate means to protect the project storage from unauthorized manipulation
Do not open project data from an unknown source
Reduce the user rights of the WI Manager to the necessary minimum

Reported by

M&M Software GmbH

Coordinated by CERT@VDE