WEIDMUELLER: WI Manager affected by fdtContainer vulnerability

VDE-2021-002 (2021-01-20 14:33 UTC+0100)

CVE Identifier

CVE-2020-12525

Affected Vendors

Weidmüller

Affected Products

WI Manager with version <= 2.5.1

Vulnerability Type

Deserialization of Untrusted Data (CWE-502)

Summary

A vulnerability has been discovered in the fdtCONTAINER component and application by M&M Software GmbH.
Because this software is part of the Weidmüller FDT/DTM Software with WI Manager, the Weidmüller software is affected by this vulnerability as well.

The fdtCONTAINER component exchanges binary data blobs with the WI Manager. The WI Manager saves these binary data blobs into a project file.

If an attacker gains write access to the project file, the project file can be manipulated to contain malicious code.

Impact

If a manipulated project file is loaded by the WI Manager, malicious code can be executed with the user rights of the WI Manager without notice.
For further information, refer to:
VDE-2020-048: "WAGO/M&M Software: Deserialization of untrusted data in fdtContainer"

Solution

Not available yet.

Mitigation

  1. Exchange project data only via secure exchange services
  2. Use appropriate means to protect the project storage from unauthorized manipulation
  3. Do not open project data from an unknown source
  4. Reduce the user rights of the WI Manager to the necessary minimum
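
One way to support mitigations 2 and 3 is to baseline the project storage and check it before a project is opened. The Python code below is an added example, not part of the advisory and not Weidmüller or M&M Software code. It assumes the HMAC key and the saved manifest are kept outside the project storage; the file name plant.prj and the key value are constructed placeholders.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large project files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(project_dir: Path, key: bytes) -> dict:
    """Hash every file under project_dir and authenticate the list with HMAC-SHA256."""
    files = {p.relative_to(project_dir).as_posix(): _digest(p)
             for p in sorted(project_dir.rglob("*")) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(project_dir: Path, manifest: dict, key: bytes) -> list:
    """Return findings; an empty list means the storage matches the baseline."""
    baseline = manifest.get("files", {})
    body = json.dumps(baseline, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # A manifest that fails its own MAC cannot be used to judge the files.
    if not hmac.compare_digest(expected, str(manifest.get("mac", ""))):
        return ["manifest: MAC mismatch, baseline itself is untrusted"]
    current = build_manifest(project_dir, key)["files"]
    findings = [f"{n}: missing" for n in baseline if n not in current]
    findings += [f"{n}: modified" for n in baseline
                 if n in current and current[n] != baseline[n]]
    findings += [f"{n}: not in baseline" for n in current if n not in baseline]
    return sorted(findings)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "plant.prj").write_bytes(b"constructed sample blob")  # placeholder name
        key = b"demo-key-kept-outside-project-storage"  # assumption: stored elsewhere
        baseline = build_manifest(root, key)
        (root / "plant.prj").write_bytes(b"tampered blob")
        print(verify_manifest(root, baseline, key))
```

Any finding means the project should not be opened in WI Manager until the change is explained. An unkeyed hash list stored next to the project would not help, since whoever can write the project file could rewrite the list too.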

Reported by

M&M Software GmbH

Coordinated by CERT@VDE