| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| | Package IPC-Diagnostics-www | < 2.1.1.0 |
| | TwinCAT/BSD | < 14.1.2.0_153968 |
By default, TwinCAT/BSD-based products ship with a device-specific web interface for web-based management (WBM) enabled. It is developed by Beckhoff and known as the Beckhoff Device Manager UI, and it can be accessed either remotely or locally.

The IPC-Diagnostics package in TwinCAT/BSD is susceptible to improper input neutralization. When the interface is accessed locally, a low-privileged local attacker can bypass input validation by entering specially crafted input on certain pages of the user interface, which then causes local commands to be executed with administrative privileges.
Mitigation
Do not keep user accounts with login permission on the target other than the administrator account. By default, TwinCAT/BSD ships with preconfigured lower-privileged user accounts, but none of them has a password, so login is denied for them; leave them in that state. Do not run third-party applications on the target that have not been properly audited, regardless of the user account they run as.
Remediation
Please update to a recent version of the affected product. In general, Beckhoff recommends updating the entire TwinCAT/BSD operating system to a current version rather than individual packages. Information on updating existing TwinCAT/BSD installations is available here.
There you will also find information on how to determine the operating system version from the command line; the version is also shown in the Beckhoff Device Manager UI.
Please note that when updating from the TwinCAT/BSD major version 12, two consecutive upgrades are required.
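The two checks that the Mitigation and Remediation sections ask for, namely which accounts on a target can actually log in and whether the installed IPC-Diagnostics-www package is still below the fixed version, as an added shell audit helper that is not part of the Beckhoff advisory, of CERT@VDE's text or of TwinCAT/BSD itself. It assumes that the target's account database is in FreeBSD master.passwd format, that a login-denied account carries a password field starting with "*" or "!", that "root" and "Administrator" are the accounts with administrative login access, and that pkg(8) knows the package under the name IPC-Diagnostics-www taken from the table above; the sample account lines are constructed, not copied from a device.

```shell
#!/bin/sh
# Added audit helper (not from the Beckhoff advisory). Lists accounts that can
# log in and compares a package version against the fixed version 2.1.1.0.
# Assumptions: FreeBSD master.passwd format, locked hash starts with "*" or
# "!", pkg(8) package name "IPC-Diagnostics-www". POSIX sh + awk only.

# Constructed sample in master.passwd format
# (name:pwhash:uid:gid:class:change:expire:gecos:home:shell); not real data.
SAMPLE_PASSWD='root:$6$c0nstructed$hash:0:0::0:0:Charlie &:/root:/bin/csh
Administrator:$6$c0nstructed$hash:1001:0::0:0:Admin:/home/Administrator:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
guest:*:1002:1002::0:0:Guest:/home/guest:/bin/sh
tester::1004:1004::0:0:Empty password field:/home/tester:/bin/sh
svc:$6$c0nstructed$hash:1003:1003::0:0:Third-party service:/home/svc:/bin/sh'

# Read master.passwd lines on stdin; print "name uid shell" for each account
# that is neither locked nor limited to a non-interactive shell. An empty
# password field is reported rather than skipped: the file alone does not
# prove that such an account is denied login.
login_capable_accounts() {
    awk -F: '
        /^[ \t]*#/ || NF == 0 { next }                       # comments, blank lines
        $2 ~ /^[*!]/          { next }                       # locked: "*", "*LOCKED*...", "!..."
        $10 ~ /nologin$/ || $10 == "/bin/false" { next }    # no interactive shell
        { print $1, $3, $10 }
    '
}

# Same as above, minus the accounts named in $1 (space-separated) that are
# expected to have administrative login access. Anything printed is an
# account the advisory's mitigation says should not exist on the target.
non_admin_login_accounts() {
    admins=" $1 "
    login_capable_accounts | while read -r name uid shell; do
        case "$admins" in
            *" $name "*) ;;
            *) printf '%s %s %s\n' "$name" "$uid" "$shell" ;;
        esac
    done
}

# version_lt A B: true (exit 0) when version A is older than B. Components
# are split on "." and "_" and compared numerically, so a TwinCAT/BSD build
# suffix such as 14.1.2.0_153968 is handled as a fifth component.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, /[._]/); nb = split(b, B, /[._]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# On the target: exit 0 if the installed IPC-Diagnostics-www is older than
# 2.1.1.0, 1 if it is at or above the fix, 2 if pkg or the package is absent.
ipc_diagnostics_www_vulnerable() {
    command -v pkg >/dev/null 2>&1 || return 2
    v="$(pkg query '%v' IPC-Diagnostics-www 2>/dev/null)" || return 2
    [ -n "$v" ] || return 2
    version_lt "$v" 2.1.1.0
}

# Stand-alone run against the constructed sample. On a real system feed
# `cat /etc/master.passwd` (root only) instead of the sample.
if [ "${AUDIT_DEMO:-1}" = 1 ]; then
    echo "Accounts able to log in:"
    printf '%s\n' "$SAMPLE_PASSWD" | login_capable_accounts
    echo "Non-admin accounts able to log in (assumed admin accounts: root Administrator):"
    printf '%s\n' "$SAMPLE_PASSWD" | non_admin_login_accounts "root Administrator"
fi
```

On the constructed sample the non-admin check reports `tester` (empty password field) and `svc` (a third-party service account with a real hash and an interactive shell), which are exactly the kinds of accounts the mitigation says should not exist; the preconfigured `guest`, `daemon` and `operator` entries are locked and stay silent. Run `ipc_diagnostics_www_vulnerable` on the device itself and treat a return value of 2 as "could not determine", not as "patched".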
CERT@VDE coordinated with Beckhoff
Reported by Andrea Palanca of Nozomi Networks