PEPPERL+FUCHS: Vulnerability allowing code execution in PACTware <= 5.0.5.31

VDE-2021-001 (2021-01-15 13:41 UTC+0100)

CVE Identifier

CVE-2020-12525

Affected Vendors

Pepperl+Fuchs

Affected Products

PACTware 5.0, Version <= 5.0.5.31

Vulnerability Type

Deserialization of untrusted data (CWE-502)

Summary

A critical vulnerability has been discovered in the fdtCONTAINER component by M&M Software GmbH used by PACTware.
While deserializing PACTware 5 project files (loading PW5 files), the vulnerability can be exploited to execute arbitrary code.

Impact

An attacker might be able to exploit the vulnerability on the workstation running PACTware 5 by supplying a manipulated project file. If that project file is loaded, malicious code can be executed without notice.

For more information see:

VDE-2020-048 : "WAGO/M&M Software: Deserialization of untrusted data in fdtContainer"

Solution

A fix for the issue will be provided with PACTware 6 in Q2 2021, which includes the solution proposed by M&M based on FDT Container component version >= 3.6.20304.x.

Mitigation

  1. Exchange project data only via secure exchange services
  2. Use appropriate means to protect the project storage from unauthorized
    manipulation
  3. Do not open project data from an unknown source
  4. Reduce the user rights of the host application to the necessary minimum

We recommend using only project data from trusted sources, transferred via trusted channels.
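
One way to support mitigations 2 and 3 is to check project files against a keyed manifest before they are opened. The following is an added example, not part of the advisory or of PACTware: the function names, the manifest layout and the ".pw5" file extension are assumptions, and the HMAC key is assumed to be kept off the project storage.

```python
import hashlib
import hmac
import json
from pathlib import Path

def _digest(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _snapshot(root):
    """Map relative path -> digest for every project file under root."""
    files = sorted(p for p in Path(root).rglob("*")
                   if p.is_file() and p.suffix.lower() == ".pw5")  # assumed extension
    return {p.relative_to(root).as_posix(): _digest(p) for p in files}

def _tag(entries, key):
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(root, key):
    """Record the known-good state; run when files arrive from a trusted source."""
    entries = _snapshot(root)
    return {"files": entries, "hmac": _tag(entries, key)}

def verify_manifest(root, manifest, key):
    """Return a list of problems; an empty list means nothing changed."""
    # A manifest stored next to the files can be rewritten too, so it is
    # authenticated with a key that is not kept on the project storage.
    if not hmac.compare_digest(_tag(manifest["files"], key), manifest.get("hmac", "")):
        return ["manifest: HMAC mismatch"]
    current = _snapshot(root)
    problems = []
    for name, digest in manifest["files"].items():
        if name not in current:
            problems.append(f"{name}: missing")
        elif current[name] != digest:
            problems.append(f"{name}: modified")
    for name in sorted(current.keys() - manifest["files"].keys()):
        problems.append(f"{name}: not in manifest")
    return problems
```

A file reported as modified or not in the manifest should not be loaded until its origin has been confirmed.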

Reported by

M&M Software GmbH

Coordinated by CERT@VDE