
ID

VDE-2024-041

Published

2024-09-10 10:00 (CEST)

Last update

2024-09-10 09:56 (CEST)

Vendor(s)

Endress+Hauser AG

Product(s)

Article No°   Product Name                        Affected Version(s)
-             Echo Curve Viewer                   <= 5.2.2.6
-             FieldCare SFE500 Package USB        <= V1.40.00.7448
-             FieldCare SFE500 Package Web-Package <= V1.40.00.7448
-             Field Xpert SMT50                   <= SMT50_Win10_LTSC_21H2_v1.07.00_RC02_03
-             Field Xpert SMT70                   <= SMT70_Win10_LTSC_21H2_v1.07.00_RC02_01
-             Field Xpert SMT77                   <= SMT77_Win10_SAC_22H2_v1.08.04_RC03_02
-             Field Xpert SMT79                   <= V1.08.02-1.8.8684.34292

(No article numbers are given for the affected products.)

Summary

Echo Curve Viewer is a utility for offline visualization of previously recorded envelope curve data. Envelope curve records are exported from other Endress+Hauser software products such as FieldCare as .curves files.

Echo Curve Viewer opens .curves files and displays their contents. A .curves file contains device-specific C# calculation scripts as .cs files, which are needed to interpret certain curve record types.

When Echo Curve Viewer loads a .curves file, it compiles and executes the C# code contained in it.


Last Update:

July 11, 2024, 12:08 p.m.

Weakness

Improper Control of Generation of Code ('Code Injection')  (CWE-94) 

Summary

An unauthenticated remote attacker who can get a user to open a crafted .curves file can run malicious C# code included in that file and thereby execute commands in the user's context.


Impact

.curves files are neither authenticated nor integrity-protected, and Echo Curve Viewer trusts them unconditionally. The contained C# code is therefore compiled and executed without any further authentication or validation.

Potential attack vector: manipulated .cs files containing malicious C# code may be included in a .curves file that is delivered to the victim (for example by e-mail, file share or download) and opened in Echo Curve Viewer.
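The advisory does not document the container format of .curves files or the structure of the embedded .cs scripts, so the following triage script is an added example, not Endress+Hauser code. It assumes that a .curves file is either a ZIP archive holding *.cs members or a plain text payload (both assumptions), extracts any C# source it finds, and flags references to .NET APIs that a pure curve-calculation script has no reason to use (a constructed indicator list; the two sample scripts and the in-memory archive are constructed as well). It is meant for looking at .curves files received from untrusted sources before opening them in an unpatched viewer; it does not replace the vendor update.

```python
"""Triage embedded C# in .curves-style files (added example, not vendor code)."""
import io
import re
import sys
import zipfile

# Constructed heuristic: APIs that indicate process, file, network or reflection
# activity rather than arithmetic over recorded curve samples.
RISKY_APIS = (
    "System.Diagnostics.Process",
    "Process.Start",
    "System.IO.File",
    "System.IO.Directory",
    "System.Net",
    "System.Reflection",
    "Assembly.Load",
    "DllImport",
    "Environment.GetEnvironmentVariable",
    "Registry",
)

# Rough test for "this text is C# source" when the file is not an archive.
CS_HINT = re.compile(r"\b(using\s+System|namespace\s+\w|class\s+\w+|static\s+\w+\s+\w+\s*\()")


def extract_scripts(data: bytes) -> dict:
    """Return {name: source} for C# scripts found in a .curves blob.

    Assumption: the blob is a ZIP archive with *.cs members, or a raw text
    payload. Anything else yields an empty dict.
    """
    scripts = {}
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(".cs"):
                    scripts[info.filename] = zf.read(info).decode("utf-8", "replace")
        return scripts
    text = data.decode("utf-8", "replace")
    if CS_HINT.search(text):
        scripts["<raw>"] = text
    return scripts


def find_risky_calls(source: str) -> list:
    """(line number, indicator) for every risky API reference in one script."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for api in RISKY_APIS:
            if api in line:
                hits.append((lineno, api))
    return hits


def triage(data: bytes) -> dict:
    """Map script name -> risky hits; an empty dict means nothing was flagged."""
    return {name: hits for name, src in extract_scripts(data).items()
            if (hits := find_risky_calls(src))}


# Constructed sample scripts: one benign calculation, one that spawns a shell.
BENIGN_CS = """using System;
public static class Calc {
    public static double[] Envelope(double[] samples) {
        var outp = new double[samples.Length];
        for (int i = 0; i < samples.Length; i++) outp[i] = Math.Abs(samples[i]);
        return outp;
    }
}
"""

MALICIOUS_CS = """using System;
using System.Diagnostics;
public static class Calc {
    public static double[] Envelope(double[] samples) {
        Process.Start("cmd.exe", "/c whoami > %TEMP%\\\\pwned.txt");
        return samples;
    }
}
"""


def build_sample(malicious: bool) -> bytes:
    """Constructed in-memory archive: one curve record plus one script (assumed layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("record1.xml", "<curve><sample>1.0</sample></curve>")
        zf.writestr("Calc.cs", MALICIOUS_CS if malicious else BENIGN_CS)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python triage_curves.py file1.curves file2.curves ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            report = triage(fh.read())
        for name, hits in report.items():
            for lineno, api in hits:
                print(f"{path}: {name}:{lineno}: {api}")
```

A clean result only means none of the listed indicators appeared; obfuscated scripts (string concatenation, reflection over encoded names) can evade a substring match, so treat the output as a reason to look closer, not as a clearance.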

Solution

Remediation

  • For standalone Echo Curve Viewer installations, download and install Echo Curve Viewer version >=
    6.00.00 from the Endress+Hauser Software Portal.
  • For bundled installations with FieldCare SFE500, download and install FieldCare SFE500 Package version
    >= 1.40.1 from the Endress+Hauser Software Portal.
  • For Field Xpert devices, the required update is installed automatically during startup. This requires a
    working internet connection and (under certain circumstances) a valid maintenance period and/or a
    connection to the E+H Netilion Cloud. Please refer to the Field Xpert documentation for details regarding
    the update mechanism.

Until the update is applied, treat .curves files from untrusted sources like executable attachments: an unpatched Echo Curve Viewer runs whatever C# they contain.

Reported by

CERT@VDE coordinated with Endress+Hauser.

The vulnerability was reported by Julian Renz from Endress+Hauser.