<h4>CERT@VDE Advisory Feed</h4>
<p>Feed for CERT@VDE Advisories: https://cert.vde.com/en/advisories/ (feed last updated 2024-03-13T08:31:09+00:00)</p>
<h4>Wago: Multiple vulnerabilities in web-based management of multiple products</h4>
<p>Published 2024-03-13T08:30:00+00:00, last modified 2024-03-13T08:31:09+00:00. Author: CERTVDE (https://cert.vde.com/en/advisories/author/certuser/). Advisory: https://cert.vde.com/en/advisories/VDE-2023-039/</p>
<h4>VDE-2023-039</h4>
<h4>Vendor(s)</h4>WAGO GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No.</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>750-831/xxx-xxx</td><td>Controller BACnet/IP</td><td> <= FW13</td></tr><tr><td>750-829</td><td>Controller BACnet MS/TP</td><td> <= FW13</td></tr><tr><td>750-852</td><td>Ethernet Controller 3rd Generation</td><td> <= FW13</td></tr><tr><td>750-88x/xxx-xxx</td><td>Ethernet Controller 3rd Generation</td><td> <= FW13</td></tr><tr><td>750-352/xxx-xxx</td><td>Fieldbus Coupler Ethernet 3rd Generation</td><td> <= FW13</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>CVE-2015-10123: 7.5 (CVSS:3.1)<br>CVE-2018-25090: 6.1 (CVSS:3.1)<br><h4>Summary</h4><p>The Web-Based Management (WBM) of WAGO's programmable logic controllers (PLCs) is typically used for administration, commissioning, and updates.</p>
<p>The option to change configuration data via tools or the web-based management enabled attackers to prepare cross-site scripting attacks and, under specific circumstances, to achieve remote code execution.</p><h4>Impact</h4><p>The web-based management of the affected products is vulnerable to reflected cross-site scripting. This can be used to install malicious code on, and to gain access to confidential information from, a system that connects to the WBM once the device has been compromised.</p>
<p>Additionally, the affected products contain a buffer overflow vulnerability that allows attackers to execute code remotely, which could lead to compromise of data and execution of malicious code on the device.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>If it is not needed, deactivate the web-based management (via the command line) to prevent attacks. Disable unused TCP/UDP ports. Restrict network access to the device. Do not connect the device directly to the internet.</p>
<p><b>Remediation</b></p>
<p>A fix for the affected firmware will be provided with the following firmware versions:</p>
<ul>
<li>> FW13 installed on 750-352/xxx-xxx</li>
<li>> FW13 installed on 750-88x/xxx-xxx</li>
<li>> FW13 installed on 750-852</li>
</ul>
<p>No fix planned for products:</p>
<ul>
<li><= FW13 installed on 750-831/xxx-xxx</li>
<li><= FW13 installed on 750-829</li>
</ul><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-039/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-039/</a>
<h4>PHOENIX CONTACT: Multiple vulnerabilities in CHARX SEC charge controllers</h4>
<p>Published 2024-03-12T07:00:00+00:00, last modified 2024-03-12T08:03:23+00:00. Author: CERTVDE (https://cert.vde.com/en/advisories/author/certuser/). Advisory: https://cert.vde.com/en/advisories/VDE-2024-011/</p>
<h4>VDE-2024-011</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No.</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>1139022</td><td>CHARX SEC-3000</td><td> <= 1.5.0</td></tr><tr><td>1139018</td><td>CHARX SEC-3050</td><td> <= 1.5.0</td></tr><tr><td>1139012</td><td>CHARX SEC-3100</td><td> <= 1.5.0</td></tr><tr><td>1138965</td><td>CHARX SEC-3150</td><td> <= 1.5.0</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>CVE-2024-25994: 5.3 (CVSS:3.1)<br>CVE-2024-25995: 9.8 (CVSS:3.1)<br>CVE-2024-25996: 5.3 (CVSS:3.1)<br>CVE-2024-25997: 5.3 (CVSS:3.1)<br>CVE-2024-25998: 7.3 (CVSS:3.1)<br>CVE-2024-25999: 8.4 (CVSS:3.1)<br>CVE-2024-26000: 5.9 (CVSS:3.1)<br>CVE-2024-26001: 7.4 (CVSS:3.1)<br>CVE-2024-26002: 7.8 (CVSS:3.1)<br>CVE-2024-26003: 7.5 (CVSS:3.1)<br>CVE-2024-26004: 7.5 (CVSS:3.1)<br>CVE-2024-26005: 4.8 (CVSS:3.1)<br>CVE-2024-26288: 8.7 (CVSS:3.1)<br><h4>Summary</h4>
<p>Multiple vulnerabilities have been discovered in the firmware of CHARX SEC charge controllers. They were found during the Pwn2Own competition organized by Trend Micro's Zero Day Initiative (ZDI).</p><h4>Impact</h4><p>CVE-2024-25994, CVE-2024-25996, CVE-2024-25997, CVE-2024-26000<br>These vulnerabilities can be exploited by an attacker without a local account to gain root privileges and thereby take over the device.</p>
<p>CVE-2024-26003<br>This vulnerability can be used by an attacker without a local account to achieve remote code execution with the privileges of the ControllerAgent service.</p>
<p>Some of the vulnerabilities represent only a medium risk on their own; nevertheless, chaining or combining them can lead to remote code execution and complete compromise of the device.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note.<br><a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf">Measures to protect network-capable devices with Ethernet connection</a></p>
<p><b>Remediation</b></p>
<p>Phoenix Contact strongly recommends updating to firmware version v1.5.1 or higher, which fixes these vulnerabilities.</p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2024-011/" target=_new>https://cert.vde.com/en/advisories/VDE-2024-011/</a>
<h4>Wiesemann & Theis: Multiple products prone to unquoted search path (Update A)</h4>
<p>Published 2024-02-28T07:00:00+00:00, last modified 2024-03-07T08:50:44+00:00. Author: CERTVDE (https://cert.vde.com/en/advisories/author/certuser/). Advisory: https://cert.vde.com/en/advisories/VDE-2024-018/</p>
<h4>VDE-2024-018</h4>
<h4>Vendor(s)</h4>Wiesemann & Theis GmbH<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No.</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>00102</td><td>Com Redirector Legacy</td><td> <= 3.93</td></tr><tr><td>00111</td><td>Com Redirector PnP</td><td> <= 4.42</td></tr><tr><td>00103</td><td>OPC-Server</td><td> <= 4.88</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>CVE-2024-25552: 7.8 (CVSS:3.1)<br><h4>Summary</h4><p>Multiple Wiesemann & Theis software products are affected by an unquoted search path vulnerability in the Windows registry. A local attacker can execute arbitrary code and gain administrative privileges by placing an executable file in the path of the affected product.</p>
<p><strong>Update A, 07.03.2024</strong></p>
<p>Incorrect version numbers have been corrected.</p><h4>Impact</h4><p>A local attacker can execute arbitrary code through the affected products and gain administrative privileges by inserting an executable file in a specific path.</p><h4>Solution</h4><p><b>Remediation</b></p>
<p>Update <a href="https://www.wut.de/e-00102-11-inde-000.php">Com Redirector Legacy</a> to version 3.94 or higher (Art.No. 00102)<br>Update <a href="https://www.wut.de/e-00111-11-inde-000.php">Com Redirector PnP</a> to version 4.43 or higher (Art.No. 00111)<br>Update <a href="https://www.wut.de/e-5wwww-10-inde-000.php">OPC-Server</a> to version 4.89 or higher (Art.No. 00103)</p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2024-018/" target=_new>https://cert.vde.com/en/advisories/VDE-2024-018/</a>
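<p>The bug class in this advisory (CWE-428) comes from how the Windows service control manager launches a service: an unquoted ImagePath such as <code>C:\Program Files\Vendor Name\svc.exe -run</code> is handed to CreateProcess, which tries each space-delimited prefix in turn (<code>C:\Program.exe</code>, then <code>C:\Program Files\Vendor.exe</code>, then the real binary). The following is an added example, not code from Wiesemann & Theis or from CERT@VDE: it computes those hijack candidates for an ImagePath string and, on Windows, walks <code>HKLM\SYSTEM\CurrentControlSet\Services</code> to list every service that is exposed this way. The service names and paths in the test inputs are constructed for illustration; the real W&T install paths are not given in the advisory.</p>

```python
"""Find Windows services whose unquoted ImagePath can be hijacked (CWE-428).

Added example for the W&T advisory (VDE-2024-018); the vendor's actual install
paths are not known from the advisory, so all sample paths below are constructed.
"""
import os
import sys


def hijack_candidates(image_path):
    """Return the executable paths CreateProcess would try BEFORE the intended binary.

    An empty list means the value is quoted, or has no space before the real
    executable, so prefix hijacking is not possible.
    """
    cmd = image_path.strip()
    if not cmd or cmd.startswith('"'):
        return []  # a quoted path is unambiguous
    tokens = cmd.split(" ")
    candidates = []
    prefix = tokens[0]
    for tok in tokens[1:]:
        if prefix.lower().endswith(".exe"):
            break  # reached the real binary; the remaining tokens are arguments
        candidates.append(prefix + ".exe")  # CreateProcess appends .exe to the bare prefix
        prefix = prefix + " " + tok
    return candidates


def unquoted_service_paths():
    """On Windows, list (service, ImagePath, candidates) for every exposed service.

    Returns [] on other platforms. Whether a candidate is actually exploitable
    depends on the ACL of its parent directory (C:\\ and C:\\Program Files are not
    writable by standard users by default), which must be checked separately.
    Services running as LocalSystem are the dangerous case: a planted binary
    inherits that account, which is the privilege escalation the advisory describes.
    """
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module, imported lazily

    findings = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as services:
        subkey_count = winreg.QueryInfoKey(services)[0]
        for i in range(subkey_count):
            name = winreg.EnumKey(services, i)
            try:
                with winreg.OpenKey(services, name) as svc:
                    image_path, _ = winreg.QueryValueEx(svc, "ImagePath")
            except OSError:
                continue  # no ImagePath value (e.g. some drivers) or access denied
            expanded = os.path.expandvars(str(image_path))  # resolve %SystemRoot% and friends
            cands = hijack_candidates(expanded)
            if cands:
                findings.append((name, expanded, cands))
    return findings


if __name__ == "__main__":
    for svc, path, cands in unquoted_service_paths():
        print(f"{svc}: {path}")
        for c in cands:
            print(f"    would try {c} first")
```

<p>The remediation in the advisory (the fixed installer versions) amounts to writing the quoted form into the registry; an administrator can apply the same fix by hand with <code>sc config &lt;service&gt; binPath= "\"C:\Program Files\...\svc.exe\" -run"</code>, keeping the original arguments intact.</p>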
<h4>Festo: Multiple vulnerabilities affect MES PC shipped with Windows 10</h4>
<p>Published 2024-02-27T07:00:00+00:00, last modified 2024-02-22T07:49:09+00:00. Author: CERTVDE (https://cert.vde.com/en/advisories/author/certuser/). Advisory: https://cert.vde.com/en/advisories/VDE-2023-065/</p>
<h4>VDE-2023-065</h4>
<h4>Vendor(s)</h4>Festo Didactic SE<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No.</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>MES PC</td><td> Windows 10</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>CVE-2016-3078: 9.8 (CVSS:3.1)<br>CVE-2018-12882: 9.8 (CVSS:3.0)<br>CVE-2019-9020: 9.8 (CVSS:3.0)<br>CVE-2019-9021: 9.8 (CVSS:3.0)<br>CVE-2019-9023: 9.8 (CVSS:3.0)<br>CVE-2019-9025: 9.8 (CVSS:3.0)<br>CVE-2019-9641: 9.8 (CVSS:3.1)<br>CVE-2019-11034: 9.1 (CVSS:3.1)<br>CVE-2019-11035: 9.1 (CVSS:3.1)<br>CVE-2019-11036: 9.1 (CVSS:3.1)<br>CVE-2019-11039: 9.1 (CVSS:3.1)<br>CVE-2019-11040: 9.1 (CVSS:3.1)<br>CVE-2019-11043: 9.8 (CVSS:3.1)<br>CVE-2019-11049: 9.8 (CVSS:3.1)<br>CVE-2020-7059: 9.1 (CVSS:3.1)<br>CVE-2020-7060: 9.1 (CVSS:3.1)<br>CVE-2020-7061: 9.1 (CVSS:3.1)<br>CVE-2021-21708: 9.8 (CVSS:3.1)<br>CVE-2022-36760: 9.0 (CVSS:3.1)<br>CVE-2023-25690: 9.8 (CVSS:3.1)<br><h4>Summary</h4><p>MES PCs shipped with Windows 10 come pre-installed with XAMPP. XAMPP is a bundle of third-party open-source applications including the Apache HTTP Server, the MariaDB database and more. From time to time, vulnerabilities in these applications are discovered; they are fixed in newer versions of XAMPP by updating the bundled applications.</p>
<p>MES PCs shipped with Windows 10 include a copy of XAMPP that contains around 140 such vulnerabilities, listed in this advisory. They can be fixed by replacing XAMPP with Festo Didactic's Factory Control Panel application.</p>
<p>The vulnerabilities covered by this advisory have a broad range of impacts, from denial-of-service to disclosure or manipulation/deletion of information. Given the intended use of MES PCs for didactic purposes in controlled lab environments, separate from productive systems, they never come into contact with sensitive information. The impact is therefore reduced to limited availability of the system.</p>
<p>Overall, the product is affected by the following CVEs:</p>
<p>CVEs: CVE-2006-20001, CVE-2013-6501, CVE-2014-9705, CVE-2014-9709, CVE-2015-2301, CVE-2015-2348, CVE-2015-2787, CVE-2016-3078, CVE-2016-5385, CVE-2018-12882, CVE-2018-14851, CVE-2018-14883, CVE-2018-17082, CVE-2018-19518, CVE-2018-19935, CVE-2019-9020, CVE-2019-9021, CVE-2019-9022, CVE-2019-9023, CVE-2019-9024, CVE-2019-9025, CVE-2019-9637, CVE-2019-9638, CVE-2019-9639, CVE-2019-9640, CVE-2019-9641, CVE-2019-11034, CVE-2019-11035, CVE-2019-11036, CVE-2019-11039, CVE-2019-11040, CVE-2019-11041, CVE-2019-11042, CVE-2019-11043, CVE-2019-11044, CVE-2019-11045, CVE-2019-11046, CVE-2019-11047, CVE-2019-11048, CVE-2019-11049, CVE-2019-11050, CVE-2020-2752, CVE-2020-2760, CVE-2020-2780, CVE-2020-2812, CVE-2020-2814, CVE-2020-2922, CVE-2020-7059, CVE-2020-7060, CVE-2020-7061, CVE-2020-7062, CVE-2020-7063, CVE-2020-7064, CVE-2020-7065, CVE-2020-7066, CVE-2020-7068, CVE-2020-7069, CVE-2020-7070, CVE-2020-7071, CVE-2021-2007, CVE-2021-2011, CVE-2021-2022, CVE-2021-2032, CVE-2021-2144, CVE-2021-2154, CVE-2021-2166, CVE-2021-2174, CVE-2021-2180, CVE-2021-2194, CVE-2021-2372, CVE-2021-2389, CVE-2021-21702, CVE-2021-21703, CVE-2021-21704, CVE-2021-21705, CVE-2021-21706, CVE-2021-21707, CVE-2021-21708, CVE-2021-27928, CVE-2021-35604, CVE-2021-46661, CVE-2021-46662, CVE-2021-46663, CVE-2021-46664, CVE-2021-46665, CVE-2021-46666, CVE-2021-46667, CVE-2021-46668, CVE-2021-46669, CVE-2022-4900, CVE-2022-21595, CVE-2022-23807, CVE-2022-23808, CVE-2022-27376, CVE-2022-27377, CVE-2022-27378, CVE-2022-27379, CVE-2022-27380, CVE-2022-27381, CVE-2022-27382, CVE-2022-27383, CVE-2022-27384, CVE-2022-27385, CVE-2022-27386, CVE-2022-27387, CVE-2022-27444, CVE-2022-27445, CVE-2022-27446, CVE-2022-27447, CVE-2022-27448, CVE-2022-27449, CVE-2022-27451, CVE-2022-27452, CVE-2022-27455, CVE-2022-27456, CVE-2022-27457, CVE-2022-27458, CVE-2022-31625, CVE-2022-31626, CVE-2022-31628, CVE-2022-31629, CVE-2022-32081, CVE-2022-32082, CVE-2022-32083, CVE-2022-32084, CVE-2022-32085, CVE-2022-32086, 
CVE-2022-32087, CVE-2022-32088, CVE-2022-32089, CVE-2022-32091, CVE-2022-36760, CVE-2022-37436, CVE-2023-0567, CVE-2023-0568, CVE-2023-0662, CVE-2023-25690, CVE-2023-25727, CVE-2023-27522</p>
<p>The vulnerabilities with critical severity are listed in the Vulnerabilities section above.</p><h4>Impact</h4><p>Please check the references in the CVEs.</p><h4>Solution</h4><p><b>General recommendations</b></p>
<p>Festo Didactic offers products with security functions that aid the safe operation of plants, systems, machines and networks. In order to protect plants, systems, machines and networks from cyber threats, a comprehensive security concept must be implemented and continuously updated. Festo's products and services only constitute one part of such a concept. </p>
<p>The customer is responsible for preventing unauthorized access to their plants, systems, machines and networks. Systems, machines and components should only be connected to a company's network or the Internet if and as necessary, and only when the suitable security measures (e.g., firewalls and network segmentation, defense-in-depth) are in place. Failure to ensure adequate security measures when connecting the product to the network can result in vulnerabilities which allow unauthorized, remote access to the network — even beyond the product boundaries. This access could be abused to incur a loss of data or manipulate or sabotage systems.</p>
<p>Typical forms of attack include but are not limited to: Denial-of-Service (rendering the system temporarily nonfunctional), remote execution of malicious code, privilege escalation (executing malicious code with higher system privileges than expected), ransomware (encryption of data and demanding payment for decryption). In the context of industrial systems and machines this can also lead to unsafe states, posing a danger to people and equipment.</p>
<p>Furthermore, Festo's guidelines on suitable security measures should be observed. Festo products and solutions are constantly being developed further in order to make them more secure. Festo strongly recommends that customers install product updates as soon as they become available and always use the latest versions of its products. Any use of product versions that are no longer supported or any failure to install the latest updates may render the customer vulnerable to cyberattacks.</p>
<p><b>Remediation</b></p>
<p>For all CVEs:<br>Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.</p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-065/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-065/</a>
<h4>WAGO: Multiple products affected by Terrapin</h4>
<p>Published 2024-02-22T07:00:00+00:00, last modified 2024-02-19T08:08:12+00:00. Author: CERTVDE (https://cert.vde.com/en/advisories/author/certuser/). Advisory: https://cert.vde.com/en/advisories/VDE-2024-014/</p>
<h4>VDE-2024-014</h4>
<h4>Vendor(s)</h4>WAGO GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No.</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>750-810x</td><td> < FW 22, Patch 2</td></tr><tr><td></td><td>750-811x</td><td> < FW 27</td></tr><tr><td></td><td>750-820x</td><td> < 03.03.08 (80)</td></tr><tr><td></td><td>750-820x</td><td> < FW 22, Patch 2</td></tr><tr><td></td><td>750-821x</td><td> < FW 27</td></tr><tr><td></td><td>750-821x</td><td> < 04.03.03 (70)</td></tr><tr><td></td><td>750-821x</td><td> < FW 22, Patch 2</td></tr><tr><td></td><td>751-9301</td><td> < FW 27</td></tr><tr><td></td><td>751-9301</td><td> < 04.03.03 (72)</td></tr><tr><td></td><td>751-9401</td><td> < FW 27</td></tr><tr><td></td><td>751-9401</td><td> < 04.03.03 (72)</td></tr><tr><td></td><td>752-8303</td><td> < FW 22, Patch 2</td></tr><tr><td></td><td>752-8303</td><td> < FW 27</td></tr><tr><td></td><td>762-4x0x</td><td> < FW 22, Patch 2</td></tr><tr><td></td><td>762-4x0x</td><td> < FW 27</td></tr><tr><td></td><td>762-5x0x</td><td> < FW 27</td></tr><tr><td></td><td>762-5x0x</td><td> < FW 22, Patch 2</td></tr><tr><td></td><td>762-6x0x</td><td> < FW 22, Patch 2</td></tr><tr><td></td><td>762-6x0x</td><td> < FW 27</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>CVE-2023-48795: 5.9 (CVSS:3.1)<br><h4>Impact</h4><p>The Terrapin attack (CVE-2023-48795) on the SSH transport protocol allows a remote attacker positioned between client and server to compromise the integrity of the connection by removing messages from the handshake, potentially downgrading or disabling security features negotiated during key exchange.</p><h4>Solution</h4><p><b>Remediation</b></p>
<p>A fix for the affected firmware will be provided with the following firmware versions:</p>
<ul>
<li>>= FW 22, Patch 2 installed on 750-810x</li>
<li>>= FW 22, Patch 2 installed on 750-821x</li>
<li>>= FW 22, Patch 2 installed on 762-4x0x</li>
<li>>= FW 22, Patch 2 installed on 762-5x0x</li>
<li>>= FW 22, Patch 2 installed on 762-6x0x</li>
<li>>= FW 22, Patch 2 installed on 752-8303</li>
<li>>= FW 27 installed on 750-811x</li>
<li>>= FW 27 installed on 750-821x</li>
<li>>= FW 27 installed on 751-9301</li>
<li>>= FW 27 installed on 751-9401</li>
<li>>= FW 27 installed on 762-4x0x</li>
<li>>= FW 27 installed on 762-5x0x</li>
<li>>= FW 27 installed on 762-6x0x</li>
<li>>= FW 27 installed on 752-8303</li>
<li>>= Custom Firmware 03.03.08 (80) installed on 750-820x</li>
<li>>= Custom Firmware 04.03.03 (72) installed on 751-9301</li>
<li>>= Custom Firmware 04.03.03 (72) installed on 751-9401</li>
<li>>= Custom Firmware 04.04.03 (70) installed on 750-821x</li>
</ul><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2024-014/" target=_new>https://cert.vde.com/en/advisories/VDE-2024-014/</a>
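<p>Terrapin only works against connections that negotiate one of the affected modes (chacha20-poly1305@openssh.com, or a CBC cipher combined with an Encrypt-then-MAC MAC) between two peers that do not both support the "strict kex" countermeasure, which a server signals by listing kex-strict-s-v00@openssh.com among its key exchange algorithms. Whether a device is exposed can therefore be read off the server's unencrypted KEXINIT. The following is an added example, not code from WAGO or CERT@VDE: it parses an SSH_MSG_KEXINIT packet (RFC 4253 binary packet format, ten RFC 4251 name-lists) and classifies it. The sample packets are constructed in the test; the live probe only runs from the command line. The advisory does not say whether the fixed firmware drops the affected algorithms or adds strict kex, so the script reports all three indicators rather than assuming one.</p>

```python
"""Classify an SSH server's KEXINIT for Terrapin (CVE-2023-48795) exposure.

Added example; the KEXINIT packets it is tested against are constructed here, not
captured from a WAGO device.
"""
import socket
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"   # server-side strict kex signal
CHACHA20 = "chacha20-poly1305@openssh.com"
NAMELIST_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                   "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _namelist(items):
    """RFC 4251 name-list: uint32 length followed by comma-separated ASCII names."""
    raw = ",".join(items).encode("ascii")
    return struct.pack(">I", len(raw)) + raw


def build_kexinit_packet(kex, hostkey, enc, mac, comp=("none",)):
    """Build an unencrypted binary packet carrying a KEXINIT (RFC 4253 sections 6 and 7.1).

    Used only to construct sample server input; c2s and s2c lists are set equal.
    """
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16   # message id + 16-byte cookie (zeros for the sample)
    for names in (kex, hostkey, enc, enc, mac, mac, comp, comp, (), ()):
        payload += _namelist(names)
    payload += b"\x00" + struct.pack(">I", 0)           # first_kex_packet_follows = FALSE, reserved = 0
    padlen = 8 - ((len(payload) + 5) % 8)               # length + padlen byte + payload + padding ≡ 0 mod 8
    if padlen < 4:                                      # RFC requires at least four padding bytes
        padlen += 8
    body = bytes([padlen]) + payload + b"\x00" * padlen
    return struct.pack(">I", len(body)) + body


def parse_kexinit(packet):
    """Return the ten KEXINIT name-lists as {field: [names]} from an unencrypted binary packet."""
    (packet_length,) = struct.unpack(">I", packet[:4])
    padding_length = packet[4]
    payload = packet[5:4 + packet_length - padding_length]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT packet")
    pos = 1 + 16                                        # skip message id and cookie
    lists = {}
    for field in NAMELIST_FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + n]
        pos += n
        lists[field] = raw.decode("ascii").split(",") if raw else []
    return lists


def assess_terrapin(lists):
    """'vulnerable' is True when an affected cipher/MAC combination is offered and the
    server does not signal strict kex; a client without strict kex would then negotiate
    a session whose handshake Terrapin can manipulate."""
    ciphers = set(lists["enc_c2s"]) | set(lists["enc_s2c"])
    macs = set(lists["mac_c2s"]) | set(lists["mac_s2c"])
    strict = STRICT_KEX_SERVER in lists["kex"]
    chacha = CHACHA20 in ciphers
    cbc_etm = (any(c.endswith("-cbc") for c in ciphers)
               and any(m.endswith("-etm@openssh.com") for m in macs))
    return {"strict_kex": strict, "chacha20_poly1305": chacha, "cbc_with_etm": cbc_etm,
            "vulnerable": (chacha or cbc_etm) and not strict}


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Live probe: exchange identification strings, then read the server's first binary packet."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        banner = f.readline()
        while banner and not banner.startswith(b"SSH-"):   # servers may send text lines before the version
            banner = f.readline()
        if not banner:
            raise ConnectionError("no SSH identification string received")
        s.sendall(b"SSH-2.0-terrapin_check\r\n")
        header = f.read(4)
        (packet_length,) = struct.unpack(">I", header)
        return banner.strip().decode(errors="replace"), header + f.read(packet_length)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    server_banner, kexinit_packet = fetch_server_kexinit(target)
    print(server_banner, assess_terrapin(parse_kexinit(kexinit_packet)))
```

<p>Run it as <code>python terrapin_check.py &lt;controller-ip&gt;</code> against a PLC before and after the firmware update; a device that still reports <code>vulnerable: True</code> after patching has either kept the affected algorithms without strict kex or been reset to an old configuration. Note that the probe reads only the first packet after the banner, which is the KEXINIT on every conforming server.</p>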
<h4>ADS-TEC Industrial IT: Docker vulnerability affects multiple products</h4>
<p>Published 2024-02-19T07:00:00+00:00, last modified 2024-02-08T13:25:14+00:00. Author: CERTVDE (https://cert.vde.com/en/advisories/author/certuser/). Advisory: https://cert.vde.com/en/advisories/VDE-2024-016/</p>
<h4>VDE-2024-016</h4>
<h4>Vendor(s)</h4>ads-tec Industrial IT GmbH<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No.</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>DVG-IRF1401, DVG-IRF1421</td><td>IRF1000</td><td> <= 1.6.9</td></tr><tr><td>DVG-IRF3401, DVG-IRF3421, DVG-IRF3801, DVG-IRF3821</td><td>IRF3000</td><td> <= 1.3.9</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>CVE-2024-21626: 8.6 (CVSS:3.1)<br><h4>Summary</h4><p>The affected products and versions are vulnerable because of a vulnerable integrated software component, the container runtime runc in versions <= 1.1.11 (CVE-2024-21626). In the worst case, the integrated Docker container environment could be compromised, potentially enabling the execution of arbitrary code within the Docker environment or in neighbouring Docker containers if Dockerfiles or Docker images from untrusted sources are used.</p>
<p>It is crucial to emphasize that while the Docker environment is vulnerable, the host operating system remains unharmed due to its isolation from the Docker environment within the ads-tec products.</p>
<p>Using Docker images or Dockerfiles from untrusted sources poses a risk. This advice is especially pertinent for Docker use in productive operational technology (OT) environments, and it's our expectation that our customers adhere strictly to this guidance anyway.</p>
<h4>Impact</h4><p>In ads-tec products, Docker is integrated in rootless mode, which alters the impact of the vulnerability. A potential attacker's ability to compromise the Docker environment is confined to the Docker user level and the writable, isolated ("chrooted") filesystem environment. As a result, while the attacker may affect all Docker containers on the system and potentially cause a denial of service (DoS) on the main operating system, they cannot directly compromise the integrity of the main operating system.</p>
<h4>Solution</h4><p><b>Mitigation</b></p>
<p>Follow the suggestions of the Docker project:<br>If you are unable to update to an unaffected version promptly after it is released, follow these best practices to mitigate risk:</p>
<ul>
<li>Only use trusted Docker images</li>
<li>Don’t build Docker images from untrusted sources or untrusted Dockerfiles.</li>
</ul>
<p>For users who want to ensure their device remains secure when there is an indication that it may have been compromised, we recommend updating the device firmware and reinstalling all Docker images. The update process clears and resets the writable parts of the chroot filesystem environment, so no remnants are left behind. This precautionary measure is advised only if there is evidence suggesting that the Docker environment on the device might be compromised.</p>
<p><b>Remediation</b></p>
<p>The issue is resolved with IRF1000 version 1.6.10 and IRF3000 version 1.3.10</p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2024-016/" target=_new>https://cert.vde.com/en/advisories/VDE-2024-016/</a>
<h4>HIMA: Multiple products affected by DoS and Port-Based-VLAN Crossing</h4>
<p>Published 2024-02-13T07:00:00+00:00, last modified 2024-02-12T08:27:13+00:00. Author: CERTVDE (https://cert.vde.com/en/advisories/author/certuser/). Advisory: https://cert.vde.com/en/advisories/VDE-2024-013/</p>
<h4>VDE-2024-013</h4>
<h4>Vendor(s)</h4>HIMA Paul Hildebrandt GmbH<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No.</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>F30 03X YY (COM) all variants</td><td> <= 24.14</td></tr><tr><td></td><td>F30 03X YY (CPU) all variants</td><td> <= 18.6</td></tr><tr><td></td><td>F35 03X YY (COM) all variants</td><td> <= 24.14</td></tr><tr><td></td><td>F35 03X YY (CPU) all variants</td><td> <= 18.6</td></tr><tr><td></td><td>F60 CPU 03X YY (COM) all variants</td><td> <= 24.14</td></tr><tr><td></td><td>F60 CPU 03X YY (CPU) all variants</td><td> <= 18.6</td></tr><tr><td>984867200</td><td>F-COM 01</td><td> <= 14.12</td></tr><tr><td>984867202</td><td>F-COM 01 coated</td><td> <= 14.12</td></tr><tr><td>984866100</td><td>F-CPU 01</td><td> <= 14.6</td></tr><tr><td>984866102</td><td>F-CPU 01 coated</td><td> <= 14.6</td></tr><tr><td></td><td>X-COM 01 E YY all variants</td><td> <= 15.14</td></tr><tr><td></td><td>X-COM 01 YY all variants</td><td> <= 14.12</td></tr><tr><td>985210211</td><td>X-CPU 01</td><td> <= 14.6</td></tr><tr><td>985210246</td><td>X-CPU 31</td><td> <= 14.6</td></tr><tr><td>985210207</td><td>X-SB 01</td><td> <= 7.54</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>CVE-2024-24781: 7.5 (CVSS:3.1)<br>CVE-2024-24782: 4.3 (CVSS:3.1)<br><h4>Summary</h4><p>CVE-2024-24781: If the above-mentioned products are loaded with traffic at wire speed (1 Gbit/s or 100 Mbit/s), the resources of the Ethernet controller are exhausted and it must be reset automatically by the system once the load disappears. This interrupts (DoS) all other communication of the affected Ethernet controller.</p>
<p>CVE-2024-24782: Most of the above-mentioned products offer a VLAN feature that segregates the ports of the switch built into each product; VLANs are meant to segregate networks. In addition, a MAC-learning mode called "conservative" is provided, in which the ARP table is updated at the earliest after 1 to 2 times the ARP aging time.</p>
<p>X-SB 01 (985210207) is not affected by this CVE.</p>
<h4>Impact</h4><p>Please consult the above CVEs.</p>
<h4>Solution</h4><p><b>Mitigation</b></p>
<p>CVE-2024-24781: All load-limiting measures help (e.g. in external devices or in the switch of the above-mentioned products). Check whether the reduced speed is still sufficient for the intended application. Protect the network with segregation measures and restrict access by unauthorized network participants (e.g. close unused ports).</p>
<p>CVE-2024-24782: Switching the MAC-learning mode from "conservative" to "tolerant" mitigates the vulnerability described above, but opens the door to IP spoofing and ARP poisoning and should therefore be avoided. HIMax and HIQuad X systems can be set up so that real physical segregation (between different modules) is used; it is then impossible, for example, to ping from one X-COM to another X-COM in the same rack. HIMatrix should be used such that CPU and COM are NOT connected via VLAN, e.g. CPU connected to ports 1 and 2, COM connected to ports 3 and 4.</p>
<p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2024-013/" target=_new>https://cert.vde.com/en/advisories/VDE-2024-013/</a>
<h4>Pilz: Multiple products affected by uC/HTTP vulnerability</h4>
<p>Published 2024-02-06T07:00:00+00:00, last modified 2024-01-30T10:18:54+00:00. Author: CERTVDE (https://cert.vde.com/en/advisories/author/certuser/). Advisory: https://cert.vde.com/en/advisories/VDE-2024-002/</p>
<h4>VDE-2024-002</h4>
<h4>Vendor(s)</h4>Pilz GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No.</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>G1000021</td><td>PIT gb RLLE y down ETH</td><td> < 02.02.00</td></tr><tr><td>G1000020</td><td>PIT gb RLLE y up ETH</td><td> < 02.02.00</td></tr><tr><td>402255</td><td>PITreader base unit (HR 01)</td><td> < 01.05.04</td></tr><tr><td>402255</td><td>PITreader base unit (HR 02)</td><td> < 02.02.00</td></tr><tr><td>402320</td><td>PITreader card unit</td><td> < 02.02.00</td></tr><tr><td>402256</td><td>PITreader S base unit</td><td> < 02.02.00</td></tr><tr><td>402321</td><td>PITreader S card unit</td><td> < 02.02.00</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>CVE-2023-24585: 9.8 (CVSS:3.1)<br>CVE-2023-25181: 9.8 (CVSS:3.1)<br>CVE-2023-27882: 9.8 (CVSS:3.1)<br>CVE-2023-28391: 9.8 (CVSS:3.1)<br>CVE-2023-28379: 9.8 (CVSS:3.1)<br>CVE-2023-31247: 9.8 (CVSS:3.1)<br><h4>Summary</h4><p>The PITreader product family uses the third-party component uC/HTTP to implement its web server. uC/HTTP is affected by multiple vulnerabilities that may enable an attacker to gain full control over the system.</p><h4>Impact</h4><p>An unauthenticated attacker can exploit the vulnerabilities by sending specially crafted HTTP packets to the system. Depending on the vulnerability, memory content can be overwritten or corrupted. In the worst case, the attacker can use this to execute arbitrary code on the system and gain full control over it.</p><h4>Solution</h4><p>Product-specific countermeasures:</p>
<ul>
<li>Install the fixed firmware version. Please visit the Pilz Website to download the latest firmware update. Instructions about installing the firmware update can be found in the user manual.</li>
<li>Limit network access to legitimate connections by using a firewall or similar measures.</li>
</ul><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2024-002/" target=_new>https://cert.vde.com/en/advisories/VDE-2024-002/</a>
<h4>Festo: Multiple products contain CoDe16 vulnerability</h4>
<p>Published 2024-01-30T07:00:00+00:00, last modified 2024-01-25T11:05:07+00:00. Author: CERTVDE (https://cert.vde.com/en/advisories/author/certuser/). Advisory: https://cert.vde.com/en/advisories/VDE-2023-063/</p>
<h4>VDE-2023-063</h4>
<h4>Vendor(s)</h4>Festo SE & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No.</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>3473128</td><td>Control block CPX-CEC-C1-V3 (HW <= 8)</td><td> <= 4.0.4</td></tr><tr><td>3472765</td><td>Control block CPX-CEC-M1-V3 (HW <= 8)</td><td> <= 4.0.4</td></tr><tr><td>3472425</td><td>Control block CPX-CEC-S1-V3 (HW <= 8)</td><td> <= 4.0.4</td></tr><tr><td>4252742</td><td>Control block CPX-E-CEC-C1-EP (HW < 8)</td><td> 2.2.14</td></tr><tr><td>4252742</td><td>Control block CPX-E-CEC-C1-EP (HW >= 8)</td><td> 3.2.10</td></tr><tr><td>5226780</td><td>Control block CPX-E-CEC-C1 (HW <= 5)</td><td> <= 10.1.4</td></tr><tr><td>4252741</td><td>Control block CPX-E-CEC-C1-PN (HW < 8)</td><td> 2.2.14</td></tr><tr><td>4252741</td><td>Control block CPX-E-CEC-C1-PN (HW >= 8)</td><td> 3.2.10</td></tr><tr><td>4252744</td><td>Control block CPX-E-CEC-M1-EP (HW < 8)</td><td> 2.2.14</td></tr><tr><td>4252744</td><td>Control block CPX-E-CEC-M1-EP (HW >= 8)</td><td> 3.2.10</td></tr><tr><td>5266781</td><td>Control block CPX-E-CEC-M1 (HW <= 5)</td><td> <= 10.1.4</td></tr><tr><td>4252743</td><td>Control block CPX-E-CEC-M1-PN (HW < 8)</td><td> 2.2.14</td></tr><tr><td>4252743</td><td>Control block CPX-E-CEC-M1-PN (HW >= 8)</td><td> 3.2.10</td></tr><tr><td>8072995</td><td>Controller CECC-D-BA (HW <= 7)</td><td> <= 2.4.2</td></tr><tr><td>2463301</td><td>Controller CECC-D-CS (HW <= 7)</td><td> <= 2.4.2</td></tr><tr><td>574415</td><td>Controller CECC-D (HW <= 7)</td><td> <= 2.4.2</td></tr><tr><td>574418</td><td>Controller CECC-LK (HW <= 7)</td><td> <= 2.4.2</td></tr><tr><td>574416</td><td>Controller CECC-S (HW <= 7)</td><td> <= 2.4.2</td></tr><tr><td>4407603</td><td>Controller CECC-X-M1 (Gen3)</td><td> <= 3.8.18</td></tr><tr><td>8124922</td><td>Controller CECC-X-M1 (Gen4)</td><td> <= 4.0.18</td></tr><tr><td>4407605</td><td>Controller CECC-X-M1-MV (Gen3)</td><td> <= 3.8.18</td></tr><tr><td>8124923</td><td>Controller CECC-X-M1-MV (Gen4)</td><td> <= 4.0.18</td></tr><tr><td>4407606</td><td>Controller CECC-X-M1-MV-S1 (Gen3)</td><td> <= 3.8.18</td></tr><tr><td>8124924</td><td>Controller CECC-X-M1-MV-S1 (Gen4)</td><td> <= 4.0.18</td></tr><tr><td>574412</td><td>Operator unit CDPX-X-A-S-10</td><td> <= 3.5.7.159</td></tr><tr><td>574413</td><td>Operator unit CDPX-X-A-W-13</td><td> <= 3.5.7.159</td></tr><tr><td>574410</td><td>Operator unit CDPX-X-A-W-4</td><td> <= 3.5.7.159</td></tr><tr><td>574411</td><td>Operator unit CDPX-X-A-W-7</td><td> <= 3.5.7.159</td></tr><tr><td>8155217</td><td>Operator unit CDPX-X-E1-W-10</td><td> <= 3.5.7.159</td></tr><tr><td>8155218</td><td>Operator unit CDPX-X-E1-W-15</td><td> <= 3.5.7.159</td></tr><tr><td>8155216</td><td>Operator unit CDPX-X-E1-W-7</td><td> <= 3.5.7.159</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>CVE-2022-47378: 6.5 (CVSS:3.1)<br>CVE-2022-47379: 8.8 (CVSS:3.1)<br>CVE-2022-47380: 8.8 (CVSS:3.1)<br>CVE-2022-47381: 8.8 (CVSS:3.1)<br>CVE-2022-47382: 8.8 (CVSS:3.1)<br>CVE-2022-47383: 8.8 (CVSS:3.1)<br>CVE-2022-47384: 8.8 (CVSS:3.1)<br>CVE-2022-47385: 8.8 (CVSS:3.1)<br>CVE-2022-47386: 8.8 (CVSS:3.1)<br>CVE-2022-47387: 8.8 (CVSS:3.1)<br>CVE-2022-47388: 8.8 (CVSS:3.1)<br>CVE-2022-47389: 8.8 (CVSS:3.1)<br>CVE-2022-47390: 8.8 (CVSS:3.1)<br>CVE-2022-47391: 7.5 (CVSS:3.1)<br>CVE-2022-47392: 6.5 (CVSS:3.1)<br>CVE-2022-47393: 6.5 (CVSS:3.1)<br><h4>Summary</h4><p>Several high-severity vulnerabilities in CODESYS V3 (collectively known as CoDe16) affecting Festo products could lead to remote code execution or denial of service.</p><h4>Impact</h4><p>Please check the references in the CVEs.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>As part of a security strategy, Festo recommends the following general defense measures to reduce the risk of exploits:</p>
<ul>
<li>Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside</li>
<li>Use firewalls to protect and separate the control system network from other networks</li>
<li>Use VPN (Virtual Private Networks) tunnels if remote access is required</li>
<li>Activate and apply user management and password features</li>
<li>Use encrypted communication links</li>
<li>Limit the access to both development and control system by physical means, operating system features, etc.</li>
<li>Protect both development and control system by using up to date virus detecting solutions</li>
</ul>
<p>Festo strongly recommends to minimize and protect network access to connected devices with state of the art techniques and processes.<br>For a secure operation follow the recommendations in the product manuals.</p>
<p><b>Remediation</b></p>
<p>For all affected products except CECC-D, CECC-D-CS, CECC-D-BA, CECC-S, CECC-X Gen3 and CECC-LK: update planned for the end of Q3 2024.</p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-063/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-063/</a>
<h4>Pilz: Vulnerability in PASvisu and PMI v8xx</h4>
<p>Published 2024-01-30T07:00:00+00:00, last modified 2024-02-27T13:59:44+00:00. Author: CERTVDE (https://cert.vde.com/en/advisories/author/certuser/). Advisory: https://cert.vde.com/en/advisories/VDE-2023-050/</p>
<h4>VDE-2023-050</h4>
<h4>Vendor(s)</h4>Pilz GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>PASvisu</td><td> < 1.14.1</td></tr><tr><td>266807, 266812, 266815</td><td>PMI v8xx</td><td> <= 2.0.33992</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-45795: 7.8 (CVSS:3.1)<br>⠀CVE-2023-45796: 8.1 (CVSS:3.1)<br><h4>Summary</h4><p>Multiple Pilz products are affected by stored cross-site-scripting (XSS) vulnerabilities. The<br>vulnerabilities may enable an attacker to gain full control over the system.</p>
<p>Update: 27.02.2024 Fix typo in advisory title</p><h4>Impact</h4><p>The vulnerabilities allow an attacker to inject malicious JavaScript code into the system. With PASvisu<br>Builder in a worst-case scenario this can lead to execution of arbitrary code using the privileges of the<br>user running the affected software. With PASvisu Runtime (including PMI v8xx) in a worst-case<br>scenario this could have an impact on the controlled automation application.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<ul>
<li>Only use project files from trustworthy sources.</li>
<li>Protect project files against modification by unauthorized users.</li>
<li>PASvisu Runtime: Limit network access to legitimate connections by using a firewall or similar measures. Use password protection on the online project.</li>
</ul>
<p><b>Remediation</b></p>
<ul>
<li>Install the fixed product version as soon as it is available. Please visit the Pilz eShop (<a href="https://www.pilz.com/en-INT/eshop" target="_blank">https://www.pilz.com/en-INT/eshop</a>) to check for the fixed version.</li>
</ul><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-050/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-050/</a>
TRUMPF: Multiple products contain WIBU CodeMeter vulnerabilities2024-01-29T07:00:00+00:002024-02-08T10:31:37+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2024-001/<h4>VDE-2024-001</h4>
<h4>Vendor(s)</h4>TRUMPF SE<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>MonitoringAnalyzer</td><td>V1.0 <= V1.3</td></tr><tr><td></td><td>Oseon</td><td>V1.0.0 <= V3.0.24</td></tr><tr><td></td><td>ProgrammingTube</td><td>V1.0.1 <= V4.11.0</td></tr><tr><td></td><td>TecZoneBend</td><td>V18.02.R8 <= V23.11</td></tr><tr><td></td><td>Tops Unfold</td><td> V05.03.00.00</td></tr><tr><td></td><td>TrumpfLicenseExpert</td><td>V1.5.2 <= V2.0.0</td></tr><tr><td></td><td>TruTops</td><td>V08.00 <= V12.01.00.00</td></tr><tr><td></td><td>TruTopsBoost</td><td>V06.00.23.00 <= V16.0.24</td></tr><tr><td></td><td>TruTopsCalculate</td><td>V14.00 <= V23.00.00</td></tr><tr><td></td><td>TruTops Cell Classic</td><td> <= V09.09.02</td></tr><tr><td></td><td>TruTops Cell SW48</td><td>V01.00 <= V02.32.12</td></tr><tr><td></td><td>TruTopsFab (incl. TruTops Monitor)</td><td>V15.00.23.00 <= V22.8.25</td></tr><tr><td></td><td>TruTopsFab Storage SmallStore</td><td>V14.06.20 <= V20.04.20.00</td></tr><tr><td></td><td>TruTops Mark 3D</td><td>V01.00 <= V06.2</td></tr><tr><td></td><td>TruTopsPrint</td><td>V00.06.00 <= V01.00</td></tr><tr><td></td><td>TruTopsPrintMultilaserAssistant</td><td> <= V01.02</td></tr><tr><td></td><td>TruTopsWeld</td><td>V7.0.198.241 <= V9.0.28148.1</td></tr><tr><td></td><td>TubeDesign</td><td>V08.00 <= V14.11.199</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-38545: 9.8 (CVSS:3.1)<br>⠀CVE-2023-24540: 9.8 (CVSS:3.1)<br><h4>Summary</h4><p>The TRUMPF CAD/CAM software tools listed above use the vulnerable CodeMeter Runtime application (up to version 7.60d) from WIBU-SYSTEMS AG to manage licenses within the component TRUMPF License Expert. This CodeMeter application contains new vulnerabilities, which may enable an attacker to gain full access to the server or workstation on which TRUMPF License Expert is installed.
A new version of TRUMPF License Expert which fixes these vulnerabilities is available.</p><h4>Impact</h4><p>CVE-2023-24540: According to WIBU, no attack vectors for this vulnerability are known, so it is considered not exploitable at present.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>CVE-2023-38545 is only exploitable when the affected products are used together with a SOCKS-5 proxy. Not using the<br>affected products via a SOCKS-5 proxy mitigates the vulnerability.</p>
<p><b>Remediation</b></p>
<p>Get the latest version of the TRUMPF License Expert software (>= V2.1.0) <a href="https://www.trumpf.com/de_DE/produkte/software/software-lizenzierung/">here</a> and install it on<br>all affected servers and workstations.</p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2024-001/" target=_new>https://cert.vde.com/en/advisories/VDE-2024-001/</a>
TRUMPF: Oseon contains vulnerable version of OpenSSL 1.1.x2024-01-23T07:00:00+00:002024-01-22T14:32:20+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2024-006/<h4>VDE-2024-006</h4>
<h4>Vendor(s)</h4>TRUMPF Werkzeugmaschinen SE + Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>Oseon</td><td><= V3.2 </td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2021-3711: 9.8 (CVSS:3.1)<br>⠀CVE-2022-2097: 5.3 (CVSS:3.1)<br>⠀CVE-2021-23840: 7.5 (CVSS:3.1)<br><h4>Summary</h4><p>Multiple vulnerabilities in the included versions of OpenSSL can lead to different problems, including crashes of the OpenSSL modules (leading to a Denial of Service) or leakage of plaintext. These underlying vulnerabilities can be fixed by installing a software update provided by TRUMPF.</p><h4>Impact</h4><p>The TRUMPF products enumerated above include a vulnerable version of OpenSSL 1.1.x which can be exploited to crash the application or to attack some encryption modes, revealing plain text. This can impact confidentiality, integrity and availability of information on the affected system.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>Please contact your TRUMPF Service with the PR number 500876.</p>
<p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2024-006/" target=_new>https://cert.vde.com/en/advisories/VDE-2024-006/</a>
TRUMPF: Multiple products include a vulnerable version of Notepad++2024-01-23T07:00:00+00:002024-01-22T14:32:49+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2024-003/<h4>VDE-2024-003</h4>
<h4>Vendor(s)</h4>TRUMPF Werkzeugmaschinen SE + Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>Oseon</td><td><= V3.0.24 </td></tr><tr><td></td><td>TruTops Fab (Storage)</td><td><= V22.7 </td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-40031: 7.8 (CVSS:3.1)<br>⠀CVE-2023-40036: 5.5 (CVSS:3.1)<br>⠀CVE-2023-40164: 5.5 (CVSS:3.1)<br>⠀CVE-2023-40166: 5.5 (CVSS:3.1)<br><h4>Summary</h4><p>The TRUMPF products that are listed above contain a vulnerable version of Notepad++. This version is<br>being installed for support purposes only, so there is no danger of triggering this vulnerability in<br>Notepad++ during normal operations. Nevertheless, TRUMPF recommends mitigation of this<br>vulnerability.<br>When editing a specially crafted file containing UTF-8 characters in Notepad++ (Versions up to 8.5.6) and converting that file to UTF-16, a buffer overflow vulnerability can be exploited that allows an attacker to execute arbitrary code to take over the whole system.</p><h4>Impact</h4><p>A user who’s editing and converting a specially crafted file using the vulnerable Notepad++ version in<br>the TRUMPF product listed above can allow an attacker to execute code on the local server. This can<br>impact confidentiality, integrity and availability of information on the affected system.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>For additional questions please contact your TRUMPF Service with the PR number 501709.</p>
<p><b>Remediation</b></p>
<p>Please download the replacement tool (<a href="https://trumpf.sharepoint.com/sites/SCC%20Software%20Download%20Portal/Shared%20Documents/Forms/AllItems.aspx?id=%2Fsites%2FSCC%20Software%20Download%20Portal%2FShared%20Documents%2FOutgoing%2DFiles%2FSecurity%2FReplaceTools%5FPR501709&p=true&fromShare=true&ga=1">LINK</a>).</p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2024-003/" target=_new>https://cert.vde.com/en/advisories/VDE-2024-003/</a>
TRUMPF: Multiple products contain vulnerable version of 7-zip2024-01-23T07:00:00+00:002024-01-22T14:33:05+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2024-005/<h4>VDE-2024-005</h4>
<h4>Vendor(s)</h4>TRUMPF Laser GmbH<br/>TRUMPF Werkzeugmaschinen SE + Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>Boost</td><td><= V16.5 </td></tr><tr><td></td><td>FAB-Boost mixed installation</td><td><= V22.7 </td></tr><tr><td></td><td>FAB (Storage)</td><td><= V22.7 </td></tr><tr><td></td><td>Oseon-Boost mixed installation</td><td><= V3.5 </td></tr><tr><td></td><td>Oseon (Storage)</td><td><= V3.2 </td></tr><tr><td></td><td>TruTops Cell</td><td><= V2.31.0 </td></tr><tr><td></td><td>TruTops Classic</td><td><= V12.1 </td></tr><tr><td></td><td>TruTops Mark</td><td><= V6.2 </td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-31102: 7.8 (CVSS:3.1)<br><h4>Summary</h4><p>Under certain circumstances, opening a specially crafted 7-zip package can exploit an integer<br>underflow vulnerability in 7-zip versions up to and including 22.x.<br>This vulnerability allows remote code execution, resulting in unauthorized (remote) access to,<br>change of data or disruption of the whole service.</p><h4>Impact</h4><p>The stated TRUMPF products include a vulnerable version of 7-zip which can be exploited to take over<br>the server they’re installed on. This can impact confidentiality, integrity and availability of information on<br>the affected system.</p><h4>Solution</h4>
<p>Please download the replacement tool (<a href="https://trumpf.sharepoint.com/sites/SCC%20Software%20Download%20Portal/Shared%20Documents/Forms/AllItems.aspx?id=%2Fsites%2FSCC%20Software%20Download%20Portal%2FShared%20Documents%2FOutgoing%2DFiles%2FSecurity%2FReplaceTools%5FPR501709&p=true&fromShare=true&ga=1">LINK</a>).</p>
<p>For additional questions please contact your TRUMPF Service with the PR number 501709.</p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2024-005/" target=_new>https://cert.vde.com/en/advisories/VDE-2024-005/</a>
WAGO: WIBU-SYSTEMS CodeMeter Runtime vulnerabilities in multiple products2024-01-22T07:00:00+00:002024-01-22T11:30:17+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2024-007/<h4>VDE-2024-007</h4>
<h4>Vendor(s)</h4>WAGO GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>All WAGO e!COCKPIT engineering software installation bundles</td><td><= V1.11.2.0 </td></tr><tr><td></td><td>WAGO-I/O-Pro (CODESYS 2.3) engineering software installation</td><td>2.3.9.45 <= 2.3.9.70</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-38545: 9.8 (CVSS:3.1)<br>⠀CVE-2023-24540: 9.8 (CVSS:3.1)<br><h4>Summary</h4><p>A heap-based buffer overflow in libcurl and incorrect whitespace character interpretation in JavaScript, both used in CodeMeter Runtime, affect multiple WAGO products. WIBU-SYSTEMS CodeMeter is installed by default during e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installations.</p><h4>Impact</h4><p>WAGO controllers and I/O devices are not affected by the WIBU-SYSTEMS CodeMeter vulnerabilities. However, for compatibility with the CODESYS Store, the e!COCKPIT and WAGO-I/O-Pro engineering software is bundled with a WIBU-SYSTEMS CodeMeter installation.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>Do not use a SOCKS5 proxy:</p>
<ul>
<li>The proxy environment variables HTTP_PROXY, HTTPS_PROXY and ALL_PROXY must not be set to socks5h://</li>
<li>Ensure that CodeMeter is not configured to use a SOCKS5 proxy. The variable ProxyServer must not start with socks5h://.
<ul>
<li>On Windows, the definition of that variable is in the registry (regedit) under HKLM/SOFTWARE/WIBU-SYSTEMS/CodeMeter/Server/CurrentVersion</li>
<li>On Mac, the definition of that variable is in the file /Library/Preferences/com.wibu.CodeMeter.Server.ini</li>
<li>On Linux, the definition of that variable is in the file /etc/wibu/CodeMeter/Server.ini</li>
<li>On Solaris, the definition of that variable is in the file /etc/opt/CodeMeter/Server.ini</li>
</ul>
</li>
</ul>
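The checks in the list above, as an added example written for this feed entry (it is not WAGO's or WIBU-SYSTEMS' tooling): the script inspects the HTTP_PROXY, HTTPS_PROXY and ALL_PROXY environment variables and the ProxyServer setting for the socks5h:// prefix the advisory names. The file paths and the registry key are taken from the advisory; the INI section that holds ProxyServer is an assumption, so every section is searched, and the sample Server.ini is constructed.

```python
"""Added example for the CodeMeter SOCKS5 mitigation above; not WAGO/WIBU-SYSTEMS code.

Checks the proxy environment variables and the CodeMeter ProxyServer setting for the
socks5h:// prefix named in the advisory. The INI section holding ProxyServer is an
assumption, so every section is searched; the sample INI below is constructed.
"""
import configparser
import os
import sys
from typing import Dict, List, Optional

PROXY_ENV_VARS = ("HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY")
SOCKS5H_PREFIX = "socks5h://"

# Server.ini locations from the advisory, keyed by sys.platform (Windows uses the registry).
SERVER_INI_PATHS = {
    "darwin": "/Library/Preferences/com.wibu.CodeMeter.Server.ini",
    "linux": "/etc/wibu/CodeMeter/Server.ini",
    "sunos5": "/etc/opt/CodeMeter/Server.ini",
}
WINDOWS_SUBKEY = r"SOFTWARE\WIBU-SYSTEMS\CodeMeter\Server\CurrentVersion"

# Constructed sample, not a real CodeMeter configuration file.
CONSTRUCTED_INI = """; constructed Server.ini sample
[General]
LogLevel=1
[Proxy]
ProxyServer=socks5h://proxy.example.invalid:1080
"""


def uses_socks5h(value: Optional[str]) -> bool:
    """True if a proxy setting selects SOCKS5 with remote name resolution (socks5h://)."""
    return value is not None and value.strip().lower().startswith(SOCKS5H_PREFIX)


def check_environment(env: Dict[str, str]) -> List[str]:
    """Findings for HTTP_PROXY/HTTPS_PROXY/ALL_PROXY, matched case-insensitively by name."""
    return [
        f"environment variable {name}={value!r} selects a SOCKS5 proxy"
        for name, value in env.items()
        if name.upper() in PROXY_ENV_VARS and uses_socks5h(value)
    ]


def check_server_ini(ini_text: str, source: str = "Server.ini") -> List[str]:
    """Findings for any ProxyServer key in the INI text, whatever section it is in."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case so findings echo the real key name
    try:
        # A synthetic header lets keys that precede the first [section] be parsed too.
        parser.read_string("[__nosection__]\n" + ini_text)
    except configparser.Error as exc:
        return [f"{source}: could not parse INI ({exc})"]
    return [
        f"{source} [{section}] {key}={value!r} selects a SOCKS5 proxy"
        for section in parser.sections()
        for key, value in parser.items(section)
        if key.lower() == "proxyserver" and uses_socks5h(value)
    ]


def check_windows_registry() -> List[str]:
    """On Windows, read ProxyServer from the registry key named in the advisory."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINDOWS_SUBKEY) as key:
            value, _ = winreg.QueryValueEx(key, "ProxyServer")
    except OSError:  # key or value absent: nothing configured
        return []
    if uses_socks5h(str(value)):
        return [f"HKLM\\{WINDOWS_SUBKEY} ProxyServer={value!r} selects a SOCKS5 proxy"]
    return []


def audit_host() -> List[str]:
    """Run all checks against the current host and return the findings."""
    findings = check_environment(dict(os.environ))
    ini_path = SERVER_INI_PATHS.get(sys.platform)
    if ini_path and os.path.exists(ini_path):
        with open(ini_path, encoding="utf-8", errors="replace") as fh:
            findings += check_server_ini(fh.read(), ini_path)
    findings += check_windows_registry()
    return findings


if __name__ == "__main__":
    results = audit_host()
    for finding in results:
        print("FINDING:", finding)
    print("SOCKS5 proxy configuration found" if results else "no SOCKS5 proxy configuration found")
    sys.exit(1 if results else 0)
```

Run it on each engineering workstation that carries e!COCKPIT or WAGO-I/O-Pro; a non-zero exit marks a host where the proxy setting must be changed. The check looks only for the socks5h:// prefix because that is the configuration the advisory names; it does not tell you whether the CodeMeter Runtime itself has been updated, so pair it with a version check of the installed CodeMeter package.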
<p>For further details on risk mitigation and the impact of this vulnerability, please refer to the official WIBU-SYSTEMS Product Security Advisories WIBU-231024-01 and WIBU-231017-01 at <a href="https://www.wibu.com/support/security-advisories.html">https://www.wibu.com/support/security-advisories.html</a>.</p>
<p><b>Remediation</b></p>
<p>Until an update is available for e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) we strongly encourage users to update WIBU-SYSTEMS Codemeter by installing the latest available stand-alone WIBU-SYSTEMS Codemeter Version.</p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2024-007/" target=_new>https://cert.vde.com/en/advisories/VDE-2024-007/</a>
Beckhoff: Open redirect in TwinCAT/BSD package authelia-bhf2023-12-13T07:00:00+00:002023-12-11T13:13:13+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2023-067/<h4>VDE-2023-067</h4>
<h4>Vendor(s)</h4>Beckhoff Automation GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>authelia-bhf included in TwinCAT/BSD</td><td> < 4.37.5</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-6545: 4.3 (CVSS:3.1)<br><h4>Summary</h4><p>With TwinCAT/BSD based products the HTTPS request to the Authelia login page accepts user-controlled input that specifies a link to an external site.</p><h4>Impact</h4><p>By default TwinCAT/BSD based products have Authelia installed and configured to perform the user authentication for web applications hosted on a target. This installation and configuration is provided with the package named “authelia-bhf”. With the affected versions of the package Authelia is configured to accept user-controlled input via URL parameter that specifies a link which can then be a link to an arbitrary external site.</p>
<p>Please note: The sources for the package “authelia-bhf” are a fork from the original Open Source Software called “Authelia”. The vulnerability was exclusively introduced with that fork and has been removed there. It never became part of “Authelia”.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>Use firewall or web-proxy technology at your network perimeter which allows internal clients to access only trusted external sites directly.</p>
<p><b>Remediation</b></p>
<p>Please update to a recent version of the affected product.</p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-067/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-067/</a>
Phoenix Contact: MULTIPROG Engineering tool and ProConOS eCLR SDK prone to CWE-7322023-12-12T07:00:00+00:002023-12-11T12:54:00+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2023-051/<h4>VDE-2023-051</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>MULTIPROG</td><td> all versions</td></tr><tr><td></td><td>ProConOS eCLR (SDK)</td><td> all versions</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-0757: 9.8 (CVSS:3.1)<br><h4>Summary</h4><p>Increased security attacks against OT infrastructure and research by Dragos make it necessary to publish this advisory, which gives users hints on basic security measures to support automation systems using existing devices based on ProConOS/ProConOS eCLR.</p>
<p>The ProConOS/ProConOS eCLR controller runtime system has been offered as a Software Development Kit (SDK) to automation suppliers that build their own automation devices. ProConOS/ProConOS eCLR is embedded into automation suppliers’ hardware, real-time operating systems (RTOS), firmware, and I/O systems.<br>The application (e.g. logic files, executable logic, configurations) was designed without an integrity and authenticity check, which was state of the art when the products were developed.</p>
<p>Logic files generated by MULTIPROG Engineering tool could be manipulated on the engineering station and loaded into the PLC without tamper detection. In addition, tampering can be done by specially designed attacks in such a way that it remains hidden, and the logic program modifies its own code, making it difficult to determine the impact of a malicious program.</p>
<p>Users need to check with their device vendors whether they are affected by this vulnerability or whether the specific device integration mitigates this attack vector.</p><h4>Impact</h4><p>The identified vulnerabilities allow attackers to generate applications, or upload them, with arbitrary malicious code once they have access to the engineering station or to the communication with devices using ProConOS eCLR. This vulnerability affects all versions of ProConOS eCLR and MULTIPROG from Phoenix Contact (formerly KW-Software).</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>Industrial controllers based on ProConOS eCLR runtime are typically designed for use in closed industrial networks with a defense-in-depth approach focusing on network segmentation. In such an approach, the production facility is protected from attacks, especially from the outside, by a multi-level perimeter including firewalls as well as the division of the facility into OT zones using firewalls. This concept is supported by organizational measures in the production plant as part of a security management system. To achieve security here, measures are required at all levels. Engineering stations using MULTIPROG must also be part of closed industrial networks.</p>
<p>Manufacturers who use ProConOS eCLR runtime in their automation devices are recommended to review their implementation and, if necessary, publish corresponding advisories for their products.</p>
<p>Users of automation devices that use MULTIPROG Engineering and ProConOS eCLR runtime in their automation systems must check whether their application requires additional security measures. These include, for example, adequate defense-in-depth network architecture, the use of virtual private networks (VPNs) for remote access, and the use of firewalls for network segmentation or controller isolation. Users should review their manufacturer's security advisories for more appropriate information about their specific device.</p>
<p>Users should ensure that logic is always transmitted or stored in protected environments. This applies both to data in transmission and to data at rest. Connections between engineering tools and the controller must always be protected in a locally protected environment or via VPN for remote access. Project data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks.<br>Project data should only be stored in protected environments.</p>
<p>For general information and recommendations on security measures to protect network-enabled<br>devices, refer to the application note: <a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf" target="_blank">Application Note Security</a></p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-051/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-051/</a>
Phoenix Contact: ProConOS prone to Download of Code Without Integrity Check2023-12-12T07:00:00+00:002023-12-11T13:24:01+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2023-054/<h4>VDE-2023-054</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>MULTIPROG</td><td> all versions</td></tr><tr><td></td><td>ProConOS eCLR (SDK)</td><td> all versions</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-5592: 7.5 (CVSS:3.1)<br><h4>Summary</h4><p>Increased security attacks against OT infrastructure and research by Dragos make it necessary to publish this advisory, which gives users hints on basic security measures to support automation systems using existing devices based on ProConOS/ProConOS eCLR.</p>
<p>The ProConOS/ProConOS eCLR controller runtime system has been offered as a Software Development Kit (SDK) to automation suppliers that build their own automation devices. ProConOS/ProConOS eCLR is embedded into automation suppliers’ hardware, real-time operating systems (RTOS), firmware, and I/O systems.<br>The application (e.g. logic files, executable logic, configurations) was designed without an integrity and authenticity check, which was state of the art when the products were developed.</p>
<p>The CRC check that warns the user if the application in the engineering tool differs from the one on the PLC can be manipulated.</p>
<p>Users need to check with their device vendors whether they are affected by this vulnerability or whether the specific device integration mitigates this attack vector.</p><h4>Impact</h4><p>The identified vulnerability allows applications to be downloaded and executed without integrity checks. A potentially tampered application might not be discovered.<br>This vulnerability affects all versions of ProConOS eCLR and MULTIPROG from Phoenix Contact (formerly KW-Software).</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>Industrial controllers based on ProConOS eCLR runtime are typically designed for use in closed industrial networks with a defense-in-depth approach focusing on network segmentation. In such an approach, the production facility is protected from attacks, especially from the outside, by a multi-level perimeter including firewalls as well as the division of the facility into OT zones using firewalls. This concept is supported by organizational measures in the production plant as part of a security management system. To achieve security here, measures are required at all levels. Engineering stations using MULTIPROG must also be part of closed industrial networks.</p>
<p>Manufacturers who use ProConOS eCLR runtime in their automation devices are recommended to review their implementation and, if necessary, publish corresponding advisories for their products.</p>
<p>Users of automation devices that use MULTIPROG Engineering and ProConOS eCLR runtime in their automation systems must check whether their application requires additional security measures. These include, for example, adequate defense-in-depth network architecture, the use of virtual private networks (VPNs) for remote access, and the use of firewalls for network segmentation or controller isolation. Users should review their manufacturer's security advisories for more appropriate information about their specific device.</p>
<p>Users should ensure that logic is always transmitted or stored in protected environments.<br>This applies both to data in transmission and to data at rest. Connections between engineering tools and the controller must always be protected in a locally protected environment or via VPN for remote access. Project data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks.<br>Project data should only be stored in protected environments.</p>
<p>For general information and recommendations on security measures to protect network-enabled devices, refer to the application note: <a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf" target="_blank">Application note Security</a></p>
<p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-054/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-054/</a>
Phoenix Contact: Automation Worx and classic line controllers prone to Incorrect Permission Assignment for Critical Resource2023-12-12T07:00:00+00:002023-12-11T13:46:32+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2023-055/<h4>VDE-2023-055</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>Automation Worx Software Suite</td><td> all versions</td></tr><tr><td>2700988</td><td>AXC 1050</td><td> all versions</td></tr><tr><td>2701295</td><td>AXC 1050 XC</td><td> all versions</td></tr><tr><td>2700989</td><td>AXC 3050</td><td> all versions</td></tr><tr><td></td><td>Config+</td><td> all versions</td></tr><tr><td>2730844</td><td>FC 350 PCI ETH</td><td> all versions</td></tr><tr><td></td><td>ILC1x0</td><td> all versions</td></tr><tr><td></td><td>ILC1x1</td><td> all versions</td></tr><tr><td></td><td>ILC 3xx</td><td> all versions</td></tr><tr><td></td><td>PC Worx</td><td> all versions</td></tr><tr><td></td><td>PC Worx Express</td><td> all versions</td></tr><tr><td>2700291</td><td>PC WORX RT BASIC</td><td> all versions</td></tr><tr><td>2701680</td><td>PC WORX SRT</td><td> all versions</td></tr><tr><td>2730190</td><td>RFC 430 ETH-IB</td><td> all versions</td></tr><tr><td>2730200</td><td>RFC 450 ETH-IB</td><td> all versions</td></tr><tr><td>2700784</td><td>RFC 460R PN 3TX</td><td> all versions</td></tr><tr><td>2916794</td><td>RFC 470S PN 3TX</td><td> all versions</td></tr><tr><td>2404577</td><td>RFC 480S PN 4TX</td><td> all versions</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-46141: 9.8 (CVSS:3.1)<br><h4>Summary</h4><div class="page" title="Page 2">
<p>Phoenix Contact classic line industrial controllers are developed and designed for use in closed industrial networks. The controllers do not provide a function to check the integrity and authenticity of the application (e.g. logic files, executable logic, configurations).</p>
<p>Logic files generated by Automation Worx could be manipulated on the engineering station and loaded into the PLC without tamper detection. In addition, the tampering can be done by specially designed attacks in such a way that it remains hidden, and the logic program modifies its own code, making it difficult to determine the impact of a malicious program.</p>
</div><h4>Impact</h4><p>The identified vulnerabilities allow attackers to generate logic files or upload logic with arbitrary malicious code to the classic line industrial controllers once they have access to the engineering station running Automation Worx Software Suite or can communicate with the controllers. Attackers must have network or physical access to the engineering station or controller to exploit this vulnerability.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>Phoenix Contact classic line controllers are developed and designed for use in closed industrial networks. In this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls, and by dividing the plant into OT zones using firewalls.</p>
<p>This concept is supported by organizational measures in the production facility as part of a security management system. To achieve security here, measures are required at all levels. It must be ensured that logic is always transferred or stored in protected environments.</p>
<p>It applies to both data in transmission and data at rest. Connections between the engineering tools (Automation Worx Software Suite) and the controller must always be in a locally protected environment or, in the case of remote access, protected by VPN.</p>
<p>Project data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks. Project data should only be stored in protected environments. Customers using Phoenix Contact classic line controllers are recommended to operate the devices as intended in closed networks or protected with a suitable firewall.</p>
<p>For general information and recommendations on security measures to protect network-enabled devices, refer to the application note: <a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf" target="_blank">Application note Security</a></p>
<p>If a classic line controller can’t be used in protected zones, the OT communication protocols should be disabled. Depending on the controller type, this can be done either via CPU services via console or web-based management. Information on which controllers and from which firmware version onwards communication protocols can be deactivated is described in the application note for classic line controllers or in the manual for the respective controller, which is available for download on the Phoenix Contact website.<br>A summary of measures to protect devices based on classic control technology is provided here:<br><a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/74777de2d270be4cb4828ee57173dbd0/Application-note_110637_en_00.pdf" target="_blank">Measures to protect devices based on classic control technology</a></p>
<p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-055/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-055/</a>
Phoenix Contact: PLCnext prone to Incorrect Permission Assignment for Critical Resource2023-12-12T07:00:00+00:002023-12-11T14:24:41+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2023-056/<h4>VDE-2023-056</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>1151412</td><td>AXC F 1152</td><td> <= 2024.0</td></tr><tr><td>2404267</td><td>AXC F 2152</td><td> <= 2024.0</td></tr><tr><td>1069208</td><td>AXC F 3152</td><td> <= 2024.0</td></tr><tr><td>1246285</td><td>BPC 9102S</td><td> <= 2024.0</td></tr><tr><td>1185416</td><td>EPC 1502</td><td> <= 2024.0</td></tr><tr><td>1185423</td><td>EPC 1522</td><td> <= 2024.0</td></tr><tr><td>1046008</td><td>PLCnext Engineer</td><td> <= 2024.0</td></tr><tr><td>1136419</td><td>RFC 4072R</td><td> <= 2024.0</td></tr><tr><td>1051328</td><td>RFC 4072S</td><td> <= 2024.0</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-46142: 8.8 (CVSS:3.1)<br><h4>Summary</h4><div class="page" title="Page 2">
<p>PLCnext Control provides authentication and an integrity check for the application.<br>An authenticated, skilled attacker might be able to manipulate the application (e.g. logic files, executable logic, configurations) in a specially crafted way such that the integrity check will not recognize these tampering attempts, which are then difficult to remove.</p>
<p>To successfully exploit this vulnerability, the attacker must have access to the application either with PLCnext Engineer on the engineering station, to the stored application, to the application during download, or to the application storage on the PLC.</p>
</div><h4>Impact</h4><div class="page" title="Page 2">
<div class="layoutArea">
<div class="column">
<p><span>The identified vulnerabilities allow attackers to deliver malicious code to PLCnext Control once they have access to the engineering station running PLCnext Engineer or can communicate with the controllers.<br>Attackers must have authenticated network or physical access to the engineering station or controller to exploit this vulnerability.</span></p>
</div>
</div>
</div><h4>Solution</h4><p><b>Mitigation</b></p>
<div class="page" title="Page 3">
<div class="layoutArea">
<div class="column">
<p><span>PLCnext Control is developed and designed for use in protected industrial networks. In this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls, and by dividing the plant into OT zones using firewalls.</span></p>
<p><span>This concept is supported by organizational measures in the production facility as part of a security management system. To achieve security, measures are required at all levels. It must be ensured that the application is always transferred or stored in protected environments.</span></p>
<p><span>This applies to both data in transmission and data at rest. Connections between the engineering tools (PLCnext Engineer) and PLCnext Control must always be in a locally protected environment or, in the case of remote access, protected by VPN.</span></p>
<p><span>Project data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks. Project data should only be stored in protected environments.</span></p>
<p><span>For general information and recommendations on security measures to protect network-enabled devices, refer to the application note: </span><a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf" target="_blank">Application note Security</a></p>
<div class="page" title="Page 3">
<div class="layoutArea">
<div class="column">
<p><span>PLCnext Control provides a feature set that supports users in setting up a separated protected environment, for example, by using separated Ethernet ports, firewalls, user and certificate management and integrity checks. These features can reduce the attack surface of this vulnerability.</span></p>
<p><span>For more information, refer to the PLCnext Info Centers.</span></p>
<p><span>Concepts for using PLCnext Control to establish protected industrial networks are described in the Security Context description </span><span>Generic security concept</span><span>.</span></p>
<p><strong>Remediation</strong></p>
<div class="page" title="Page 3">
<div class="layoutArea">
<div class="column">
<p><span>The PLCnext Control security feature set and hardening are continuously improved.<br>Please check the PLCnext Control product download pages for updated versions and the PSIRT webpage <a href="https://phoenixcontact.com/psirt" target="_blank">https://phoenixcontact.com/psirt</a></span><span> </span><span>regularly for updated information and firmware.</span></p>
</div>
</div>
<div class="section">
<div class="layoutArea">
<div class="column">
<p><span>We recommend that our customers always use the latest LTS versions, as known security vulnerabilities are regularly fixed. The latest version at the time of publication of this advisory is 2023.0.7 LTS Hotfix.</span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-056/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-056/</a>
Phoenix Contact: Classic line industrial controllers prone to inadequate integrity check of PLC2023-12-12T07:00:00+00:002023-12-11T14:39:37+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2023-057/<h4>VDE-2023-057</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>Automation Worx Software Suite</td><td> all versions</td></tr><tr><td>2700988</td><td>AXC 1050</td><td> all versions</td></tr><tr><td>2701295</td><td>AXC 1050 XC</td><td> all versions</td></tr><tr><td>2700989</td><td>AXC 3050</td><td> all versions</td></tr><tr><td></td><td>Config+</td><td> all versions</td></tr><tr><td>2730844</td><td>FC 350 PCI ETH</td><td> all versions</td></tr><tr><td></td><td>ILC1x0</td><td> all versions</td></tr><tr><td></td><td>ILC1x1</td><td> all versions</td></tr><tr><td></td><td>ILC 3xx</td><td> all versions</td></tr><tr><td></td><td>PC Worx</td><td> all versions</td></tr><tr><td></td><td>PC Worx Express</td><td> all versions</td></tr><tr><td>2700291</td><td>PC WORX RT BASIC</td><td> all versions</td></tr><tr><td>2701680</td><td>PC WORX SRT</td><td> all versions</td></tr><tr><td>2730190</td><td>RFC 430 ETH-IB</td><td> all versions</td></tr><tr><td>2730200</td><td>RFC 450 ETH-IB</td><td> all versions</td></tr><tr><td>2700784</td><td>RFC 460R PN 3TX</td><td> all versions</td></tr><tr><td>2916794</td><td>RFC 470S PN 3TX</td><td> all versions</td></tr><tr><td>2404577</td><td>RFC 480S PN 4TX</td><td> all versions</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-46143: 7.5 (CVSS:3.1)<br><h4>Summary</h4><p>Phoenix Contact classic line industrial controllers are developed and designed for the use in closed industrial networks. The controllers don’t feature a function to check integrity and authenticity of the application (e.g.: logic files, executable logic, configurations).</p>
<p>The CRC check that warns the user when the application in the engineering tool differs from the application on the PLC can be manipulated.</p><h4>Impact</h4><p>The identified vulnerabilities allow attackers to download and execute applications on the classic line industrial controllers without integrity checks.</p>
<p>Potentially tampered applications might not be discovered.</p><h4>Solution</h4><p><b>Temporary Fix / Mitigation</b></p>
<p>Phoenix Contact classic line controllers are developed and designed for use in closed industrial networks. In this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls, and by dividing the plant into OT zones using firewalls.</p>
<p>This concept is supported by organizational measures in the production facility as part of a security management system. To achieve security here, measures are required at all levels. It must be ensured that logic is always transferred or stored in protected environments.</p>
<p>This applies to both data in transmission and data at rest. Connections between the engineering tools (Automation Worx Software Suite) and the controller must always be in a locally protected environment or, in the case of remote access, protected by VPN.</p>
<p>Project data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks. Project data should only be stored in protected environments. Customers using Phoenix Contact classic line controllers are recommended to operate the devices as intended in closed networks or protected with a suitable firewall.</p>
<p>For general information and recommendations on security measures to protect network-enabled devices, refer to the application note: <a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf" target="_blank">Application note Security</a></p>
<p>If a classic line controller can’t be used in protected zones, the OT communication protocols should be disabled. Depending on the controller type, this can be done either via CPU services via console or web-based management. Information on which controllers and from which firmware version onwards communication protocols can be deactivated is described in the application note for classic line controllers or in the manual for the respective controller, which is available for download on the Phoenix Contact website.<br>A summary of measures to protect devices based on classic control technology is provided here: <a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/74777de2d270be4cb4828ee57173dbd0/Application-note_110637_en_00.pdf" target="_blank">Measures to protect devices based on classic control technology</a></p>
<p></p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-057/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-057/</a>
Phoenix Contact: PLCnext Control prone to download of code without integrity check2023-12-12T07:00:00+00:002023-12-11T15:26:58+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2023-058/<h4>VDE-2023-058</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>1151412</td><td>AXC F 1152</td><td> <= 2024.0</td></tr><tr><td>2404267</td><td>AXC F 2152</td><td> <= 2024.0</td></tr><tr><td>1069208</td><td>AXC F 3152</td><td> <= 2024.0</td></tr><tr><td>1246285</td><td>BPC 9102S</td><td> <= 2024.0</td></tr><tr><td>1185416</td><td>EPC 1502</td><td> <= 2024.0</td></tr><tr><td>1185423</td><td>EPC 1522</td><td> <= 2024.0</td></tr><tr><td>1046008</td><td>PLCnext Engineer</td><td> <= 2024.0</td></tr><tr><td>1136419</td><td>RFC 4072R</td><td> <= 2024.0</td></tr><tr><td>1051328</td><td>RFC 4072S</td><td> <= 2024.0</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-46144: 7.7 (CVSS:3.1)<br><h4>Summary</h4><div class="page" title="Page 2">
<div class="layoutArea">
<div class="column">
<p><span>PLCnext Control provides authentication and an integrity check for the application.<br>An authenticated, skilled attacker might be able to manipulate the application (e.g. logic files, executable logic, configurations) in a specially crafted way so that the integrity check does not recognize the tampering attempt, which is then difficult to remove.</span></p>
<p><span>PLCnext Engineer warns users if the PLC logic differs from the currently loaded project when Online mode is activated. In addition, while an application is being loaded onto the PLC, a Project Integrity Warning log entry is generated.<br>A skilled attacker might be able to manipulate the application in a specially crafted way so that the integrity check does not recognize the tampering attempts.</span></p>
</div>
</div>
</div><h4>Impact</h4><div class="page" title="Page 2">
<div class="layoutArea">
<div class="column">
<p><span>The identified vulnerabilities allow attackers to download and execute manipulated applications on PLCnext Control. Potentially tampered applications might not be discovered.</span></p>
</div>
</div>
</div><h4>Solution</h4><p><b>Mitigation</b></p>
<div class="page" title="Page 3">
<div class="layoutArea">
<div class="column">
<p><span>PLCnext Control is developed and designed for use in protected industrial networks. In this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls, and by dividing the plant into OT zones using firewalls.</span></p>
<p><span>This concept is supported by organizational measures in the production facility as part of a security management system. To achieve security, measures are required at all levels. It must be ensured that the application is always transferred or stored in protected environments.</span></p>
<p><span>This applies to both data in transmission and data at rest. Connections between the engineering tools (PLCnext Engineer) and PLCnext Control must always be in a locally protected environment or, in the case of remote access, protected by VPN.</span></p>
<p><span>Project data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks. Project data should only be stored in protected environments.</span></p>
<p><span>For general information and recommendations on security measures to protect network-enabled devices, refer to the application note:<br></span><a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf" target="_blank">Application note Security</a></p>
<p><span>PLCnext Control provides a feature set that supports users in setting up a separated protected environment, for example, by using separated Ethernet ports, firewalls, user and certificate management, and integrity checks. These features can reduce the attack surface of this vulnerability.</span></p>
<p><span>For more information, refer to the PLCnext Info Centers.</span></p>
</div>
</div>
<div class="section">
<div class="layoutArea">
<div class="column">
<p><span>PLCnext Control provides project data integrity checks; information about the default configuration is provided in the topic </span><span>Checking project data integrity</span><span>.</span></p>
</div>
</div>
</div>
</div>
<p><b>Remediation</b></p>
<div class="page" title="Page 4">
<div class="layoutArea">
<div class="column">
<p><span>The PLCnext Control security feature set and hardening are continuously improved.<br>Please check the PLCnext Control product download pages for updated versions and the PSIRT webpage </span><a href="https://phoenixcontact.com/psirt" target="_blank">https://phoenixcontact.com/psirt</a><span> regularly for updated information and firmware.</span></p>
</div>
</div>
<div class="layoutArea">
<div class="column">
<p><span>We recommend that our customers always use the latest LTS versions, as known security vulnerabilities are regularly fixed. The latest version at the time of publication of this advisory is 2023.0.7 LTS Hotfix.</span></p>
</div>
</div>
</div><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-058/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-058/</a>
Frauscher: FDS102 for FAdC/FAdCi remote code execution vulnerability2023-12-11T07:00:00+00:002023-11-09T11:04:47+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2023-049/<h4>VDE-2023-049</h4>
<h4>Vendor(s)</h4>Frauscher Sensortechnik GmbH<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>-</td><td>FDS102 for FAdC/FAdCi</td><td>2.10.0 <= 2.10.1</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-5500: 8.8 (CVSS:3.1)<br><h4>Summary</h4><p>Frauscher Sensortechnik GmbH FDS102 for FAdC/FAdCi v2.10.1 is vulnerable to a remote code execution (RCE) vulnerability via manipulated parameters of the web interface by using an authenticated session cookie.</p><h4>Impact</h4><p>This vulnerability may lead to a full compromise of the FDS102 device.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p><b>Security-related application conditions (SecRAC)</b></p>
<p>The railway operator must ensure that only authorised personnel or people in the company of authorised personnel have access to the Frauscher Diagnostic System FDS102.</p>
<p>The recommendation is to connect the Frauscher Diagnostic System FDS102 to a network of category 2. If the Frauscher Diagnostic System FDS102 is connected to a network of category 3 (according to EN 50159:2010), then additional protective measures must be added.</p>
<p><b>Remediation</b></p>
<p>Update to FDS102 v2.10.2 or higher</p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-049/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-049/</a>
CODESYS: OS Command Injection Vulnerability in multiple CODESYS Control products2023-12-05T14:25:34+00:002024-02-29T13:32:38+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2023-066/<h4>VDE-2023-066</h4>
<h4>Vendor(s)</h4>CODESYS GmbH<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>CODESYS Control for BeagleBone SL</td><td> < 4.11.0.0</td></tr><tr><td></td><td>CODESYS Control for emPC-A/iMX6 SL</td><td> < 4.11.0.0</td></tr><tr><td></td><td>CODESYS Control for IOT2000 SL</td><td> < 4.11.0.0</td></tr><tr><td></td><td>CODESYS Control for Linux ARM SL</td><td> < 4.11.0.0</td></tr><tr><td></td><td>CODESYS Control for Linux SL</td><td> < 4.11.0.0</td></tr><tr><td></td><td>CODESYS Control for PFC100 SL</td><td> < 4.11.0.0</td></tr><tr><td></td><td>CODESYS Control for PFC200 SL</td><td> < 4.11.0.0</td></tr><tr><td></td><td>CODESYS Control for PLCnext SL</td><td> < 4.11.0.0</td></tr><tr><td></td><td>CODESYS Control for Raspberry Pi SL</td><td> < 4.11.0.0</td></tr><tr><td></td><td>CODESYS Control for WAGO Touch Panels 600 SL</td><td> < 4.11.0.0</td></tr><tr><td></td><td>CODESYS Runtime Toolkit for Linux or QNX</td><td> < 3.5.19.50</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-6357: 8.8 (CVSS:3.1)<br><h4>Summary</h4><p><em><strong>UPDATE 29.02.2024: Removed "This version is planned for January 2024." from Solution as the updated version is released.</strong></em><br><br>On CODESYS Control runtimes running on Linux or QNX operating systems, successfully authenticated PLC programmers can utilize SysFile or CAA-File system libraries to inject calls to additional shell functions.</p><h4>Impact</h4><p>The CODESYS Control runtime system enables embedded or PC-based devices to be a programmable industrial controller. Control programs can access local or remote IOs, communication interfaces such as serial ports or sockets, and local system functions such as the file system, the real-time clock and other OS functions. 
<br>A successfully authenticated control programmer could exploit this vulnerability to inject calls to additional operating system shell functions via the SysFile or CAA file system libraries.<br>Only CODESYS Control runtime systems running on Linux or QNX operating systems are affected by this vulnerability.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>To exploit this vulnerability, a successful login with the user rights required to download a PLC application is needed. The online user management therefore protects against exploitation of this security vulnerability.</p>
<p>CODESYS GmbH strongly recommends using the online user management. This not only prevents an attacker from downloading virulent code or sending malicious requests, but also suppresses starting, stopping, debugging or other actions on a known working application that could potentially disrupt a machine or system. As of version 3.5.17.0, the online user management is enforced by default.</p>
<p><b>Remediation</b></p>
<p>Update the following products to version 3.5.19.50:</p>
<ul>
<li>CODESYS Runtime Toolkit</li>
</ul>
<p>Update the following products to version 4.11.0.0:</p>
<ul>
<li>CODESYS Control for BeagleBone SL</li>
<li>CODESYS Control for emPC-A/iMX6 SL</li>
<li>CODESYS Control for IOT2000 SL</li>
<li>CODESYS Control for Linux ARM SL</li>
<li>CODESYS Control for Linux SL</li>
<li>CODESYS Control for PFC100 SL</li>
<li>CODESYS Control for PFC200 SL</li>
<li>CODESYS Control for PLCnext SL</li>
<li>CODESYS Control for Raspberry Pi SL</li>
<li>CODESYS Control for WAGO Touch Panels 600 SL</li>
</ul>
<p>The products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store.</p>
<p>Alternatively, as well as for all other products, you will find further information on obtaining the software update in the <a href="https://www.codesys.com/download" target="_blank">CODESYS Update area</a>.</p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-066/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-066/</a>
Pilz: Electron Vulnerabilities in PASvisu and PMI v8xx2023-12-05T07:06:10+00:002023-12-05T07:06:29+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2023-059/<h4>VDE-2023-059</h4>
<h4>Vendor(s)</h4>Pilz GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>PASvisu</td><td> < 1.14.1</td></tr><tr><td>266807, 266812, 266815</td><td>PMI v8xx</td><td> <= 2.0.33992</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-5217: 8.8 (CVSS:3.1)<br>⠀CVE-2023-5218: 8.8 (CVSS:3.1)<br><h4>Summary</h4><p>The Builder and Viewer components of the product PASvisu are based on the 3rd-party-component Electron. Electron contains several other open-source components which are affected by vulnerabilities. The vulnerabilities may enable an attacker to gain full control over the system. The vulnerabilities can be exploited locally or over the network.</p><h4>Impact</h4><p>Displaying of a specially crafted HTML page can lead to heap buffer overflow or heap corruption. In a worst-case scenario, a successful exploitation of the vulnerabilities can lead to execution of arbitrary code using the privileges of the user running the affected software. In the case of the PASvisu Builder, the vulnerability can only be exploited locally.</p><h4>Solution</h4><p><strong>Product-specific Countermeasures</strong></p>
<ul>
<li>Install the fixed product version as soon as it is available. Please visit the Pilz eShop (https://www.pilz.com/en-INT/eshop) to check for the fixed version.</li>
<li>Only use project files from trustworthy sources.</li>
<li>Protect project files against modification by unauthorized users.</li>
<li>Limit network access to legitimate connections by using a firewall or similar measures. Use password protection on the online project.</li>
</ul><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-059/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-059/</a>