PEPPERL+FUCHS: Vulnerability allowing code-excution in PACTware <= 5.0.5.31
VDE-2021-001 (2021-01-15 13:41 UTC+0100)
CVE Identifier
CVE-2020-12525Affected Vendors
Pepperl+Fuchs
Affected Products
PACTware 5.0, Version <= 5.0.5.31
Vulnerability Type
Deserialization of untrusted data (CWE-502)
Summary
A critical vulnerability has been discovered in the fdtCONTAINER component by M&M Software GmbH used by PACTware.
While de-serializing PACTware 5 project files (loading PW5 files) the vulnerability can be exploited to execute arbitrary code.
Impact
An attacker might be able to exploit the vulnerability on the workstation running PACTware 5 by supplying/providing a manipulated project file. If that project file is loaded, malicious code can be executed without notice.
For more information see:
VDE-2020-048 : "WAGO/M&M Software: Deserialization of untrusted data in fdtContainer"
Solution
A fix for the issue will be provided with PACTware 6 in Q2 2021 which includes the proposed solution by M&M based on FDT Container component version >= 3.6.20304.x.
Mitigation
- Exchange project data only via secure exchange services
- Use appropriate means to protect the project storage from unauthorized
manipulation - Do not open project data from an unknown source
- Reduce the user rights of the host application to the necessary minimum
We recommend to always and only use project data from trusted sources transfered via trusted channels.
Reported by
M&M Software GmbH
Coordinated by CERT@VDE