Summary
In TwinCAT/BSD based products, the HTTPS request to the Authelia login page accepts user-controlled input, passed as a URL parameter, that specifies a link. The link is not restricted to the local site, so it can point to an arbitrary external site (an open redirect).
Impact
By default, TwinCAT/BSD based products have Authelia installed and configured to perform user authentication for web applications hosted on the target. This installation and configuration is provided by the package named 'authelia-bhf'. In the affected versions of the package, Authelia is configured to accept user-controlled input via a URL parameter that specifies a link, and that link may point to an arbitrary external site. An attacker can therefore craft a login URL on the trusted host that sends the user to a site of the attacker's choosing.
Please note: the sources for the package 'authelia-bhf' are a fork of the original open-source software 'Authelia'. The vulnerability was introduced exclusively in that fork and has since been removed there; it was never part of upstream 'Authelia'.
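The flaw described above is a redirect parameter that is used without restricting where it may point. The following is an added example, not code from Beckhoff's 'authelia-bhf' package or from Authelia: it places the flawed behaviour (the parameter value is used as the redirect target as-is) beside a hardened check that only permits a path on the current origin or an http(s) URL whose hostname is on an allowlist. The parameter name `rd`, the allowlisted hostnames and all sample inputs are assumptions for illustration and are not taken from the advisory.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Hypothetical allowlist of hosts the login page may redirect to: the
// target's own web applications. Not taken from the advisory or from Authelia.
var allowedRedirectHosts = []string{"plc-01.example", "hmi.example"}

// vulnerableRedirectTarget mirrors the flawed behaviour the advisory
// describes: whatever link the URL parameter carries is used as-is, so a
// value like "https://attacker.example" sends the browser off-site.
func vulnerableRedirectTarget(param string) string {
	return param
}

// safeRedirectTarget returns the Location the login page may send the
// browser to, or "" when the requested link must be refused. It accepts
// only (a) a plain path on the current origin, or (b) an http(s) URL
// whose hostname is on the allowlist.
func safeRedirectTarget(param string, allowedHosts []string) string {
	if param == "" {
		return ""
	}
	u, err := url.Parse(param)
	if err != nil {
		return ""
	}
	// (a) No scheme and no host: a path relative to our own origin.
	if u.Scheme == "" && u.Host == "" {
		// Require exactly one leading "/": "//host" is scheme-relative and
		// "/\host" is read as "//host" by browsers; both would leave the site.
		if strings.HasPrefix(param, "/") &&
			!strings.HasPrefix(param, "//") &&
			!strings.HasPrefix(param, "/\\") {
			return param
		}
		return ""
	}
	// (b) Anything else must be an http(s) URL to an allowlisted hostname.
	// This also rejects "//evil.example" (empty scheme) and "javascript:" links.
	if u.Scheme != "http" && u.Scheme != "https" {
		return ""
	}
	// Hostname() strips any port and ignores userinfo, so
	// "https://hmi.example@attacker.example/" is compared as attacker.example.
	host := strings.ToLower(u.Hostname())
	for _, allowed := range allowedHosts {
		if host == strings.ToLower(allowed) {
			return u.String()
		}
	}
	return ""
}

func main() {
	// Constructed sample values for the assumed "rd" parameter, not captured traffic.
	samples := []string{
		"/dashboard",
		"https://hmi.example/app",
		"https://attacker.example/phish",
		"//attacker.example/phish",
		"/\\attacker.example",
		"https://hmi.example@attacker.example/",
		"javascript:alert(1)",
	}
	for _, rd := range samples {
		fmt.Printf("rd=%q  vulnerable=%q  safe=%q\n",
			rd, vulnerableRedirectTarget(rd), safeRedirectTarget(rd, allowedRedirectHosts))
	}
}
```

The same idea can be used to check an installed instance from the outside: request the login page with the redirect parameter set to an external URL and inspect whether the response's Location header (or the post-login redirect) points off-site. An affected build behaves like `vulnerableRedirectTarget`; a fixed one refuses or rewrites the target.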
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| | authelia-bhf included in TwinCAT/BSD | Firmware <4.37.5 |
Vulnerabilities
Mitigation
Use firewall or web-proxy technology at your network perimeter that allows internal clients to directly access only trusted external sites. This limits where a redirect from the login page can lead, but it does not remove the flaw itself.
Remediation
Please update to a recent version of the affected product (TwinCAT/BSD firmware 4.37.5 or later, per the table above).
Acknowledgments
Beckhoff Automation GmbH & Co. KG thanks the following parties for their efforts:
- CERTVDE for coordination (see https://certvde.com)
- Benedikt Kühne from Siemens Energy for reporting (see https://www.siemens-energy.com)
Revision History
| Version | Date | Summary | 
|---|---|---|
| 1 | 12/13/2023 09:00 | initial revision | 
| 2 | 05/22/2025 15:03 | Fix: added distribution, quotation mark |