| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| | Echo Curve Viewer | <= 5.2.2.6 |
| | FieldCare SFE500 Package USB | <= V1.40.00.7448 |
| | FieldCare SFE500 Package Web-Package | <= V1.40.00.7448 |
| | Field Xpert SMT50 | <= SMT50_Win10_LTSC_21H2_v1.07.00_RC02_03 |
| | Field Xpert SMT70 | <= SMT70_Win10_LTSC_21H2_v1.07.00_RC02_01 |
| | Field Xpert SMT77 | <= SMT77_Win10_SAC_22H2_v1.08.04_RC03_02 |
| | Field Xpert SMT79 | <= V1.08.02-1.8.8684.34292 |
Echo Curve Viewer is a utility used for offline visualization of previously recorded envelope curve data. Envelope curve records are exported from other Endress+Hauser software products, such as FieldCare, as .curves files.
Echo Curve Viewer opens .curves files and displays their contents. The .curves files contain device-specific C# calculation scripts as .cs files, which are needed to interpret certain curve record types.
Echo Curve Viewer loads .curves files and executes the contained C# code.
An unauthenticated remote attacker who gets a user to open a crafted .curves file can run arbitrary C# code included in that file and thereby execute commands in the context of the user running Echo Curve Viewer.
.curves files are not authenticated and are universally trusted by Echo Curve Viewer. The contained C# code is therefore executed without any further authentication or validation of its origin or content.
Potential attack vector: manipulated .cs files containing malicious C# code may be included in a .curves file that the victim is induced to open.
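Because the viewer executes whatever .cs scripts a .curves file carries, an incident responder who receives a suspicious .curves file wants to see the embedded scripts before anyone opens the file. The following triage script is an added example and is not code from CERT@VDE or Endress+Hauser. It assumes, since the advisory does not say so, that a .curves file is a ZIP container with the calculation scripts stored as plain-text .cs members; the sample file it scans is constructed in memory, and the API patterns it flags are a starting list, not an exhaustive one.

```python
"""
Added example, not part of the CERT@VDE advisory or of Endress+Hauser software.

Assumptions (not stated in the advisory): a .curves file is a ZIP container
and the embedded calculation scripts are plain-text .cs members. The sample
.curves file below is constructed here so the script runs offline.
"""
import io
import re
import zipfile

# C# APIs whose presence in a "calculation script" warrants manual review.
# Keys are regular expressions, values are the labels shown in the report.
SUSPICIOUS_APIS = {
    r"\bSystem\.Diagnostics\.Process\b|\bProcess\.Start\s*\(": "process execution",
    r"\bSystem\.IO\.File\.(Write|Delete|Copy|Move)": "file system write",
    r"\bSystem\.Net\.(WebClient|Http\.HttpClient|Sockets)": "network access",
    r"\bAssembly\.Load\b|\bActivator\.CreateInstance\b": "dynamic code loading",
    r"\bMicrosoft\.Win32\.Registry\b": "registry access",
    r"\bDllImport\b": "native interop",
}


def scan_script(source):
    """Return a list of (label, line_no, line) findings for one .cs script."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for pattern, label in SUSPICIOUS_APIS.items():
            if re.search(pattern, line):
                findings.append((label, line_no, line.strip()))
    return findings


def scan_curves(data):
    """Scan every .cs member of a .curves container given as bytes.

    Returns {member_name: [findings]}; raises ValueError if the data is not
    a ZIP archive (assumed container format, see module docstring).
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not a ZIP container")
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".cs"):
                source = zf.read(info).decode("utf-8", errors="replace")
                report[info.filename] = scan_script(source)
    return report


def verdict(report):
    """'REVIEW' if any script produced findings, otherwise 'CLEAN'."""
    return "REVIEW" if any(report.values()) else "CLEAN"


def build_sample():
    """Construct a sample .curves ZIP with one benign and one malicious script."""
    benign = """using System;
public static class CurveCalc {
    public static double[] Interpret(double[] raw) {
        var outp = new double[raw.Length];
        for (int i = 0; i < raw.Length; i++) outp[i] = Math.Log10(raw[i] + 1.0);
        return outp;
    }
}
"""
    malicious = """using System;
using System.Diagnostics;
public static class CurveCalc {
    public static double[] Interpret(double[] raw) {
        Process.Start("cmd.exe", "/c whoami > C:\\\\Users\\\\Public\\\\out.txt");
        return raw;
    }
}
"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("record.dat", b"\x00" * 16)   # placeholder curve payload
        zf.writestr("scripts/FMR.cs", benign)
        zf.writestr("scripts/Evil.cs", malicious)
    return buf.getvalue()


if __name__ == "__main__":
    rep = scan_curves(build_sample())
    for name, findings in rep.items():
        print(name, "->", findings or "no findings")
    print("verdict:", verdict(rep))
```

The pattern list is a heuristic: an attacker can obfuscate calls through reflection or string concatenation, so a CLEAN verdict only means nothing obvious was found. The check a practitioner actually needs is on the product side: scripts inside a .curves file should be verified against a vendor signature before they are executed, which is precisely what the advisory says is missing.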
Remediation
CERT@VDE coordinated with Endress+Hauser.
The vulnerability was reported by Julian Renz from Endress+Hauser.