Share: Email | Twitter

ID

VDE-2021-001

Published

2021-01-15 13:41 (CET)

Last update

2021-01-15 13:41 (CET)

Vendor(s)

Pepperl+Fuchs SE

Product(s)

Article No° Product Name Affected Version(s)
PACTware 5.0 <= 5.0.5.31

Summary

A critical vulnerability has been discovered in the fdtCONTAINER component by M&M Software GmbH used by PACTware.
While de-serializing PACTware 5 project files (loading PW5 files) the vulnerability can be exploited to execute arbitrary code.


Last Update:

16. März 2021 09:37

Weakness

Deserialization of untrusted data  (CWE-502) 

Impact

An attacker might be able to exploit the vulnerability on the workstation running PACTware 5 by supplying/providing a manipulated project file. If that project file is loaded, malicious code can be executed without notice.

For more information see:

VDE-2020-048: M&M Software (WAGO): Deserialisation of untrusted data in fdtContainer

Solution

Mitigation

  • Exchange project data only via secure exchange services
  • Use appropriate means to protect the project storage from unauthorized
    manipulation
  • Do not open project data from an unknown source
  • Reduce the user rights of the host application to the necessary minimum

Remediation

A fix for the issue will be provided with PACTware 6 in Q2 2021 which includes the proposed solution by M&M based on FDT Container component version >= 3.6.20304.x.

Reported by

M&M Software GmbH

Coordinated by CERT@VDE