Through specific nodes of the server configuration interface of the TwinCAT OPC UA Server administrators are able to remotely create and delete any files on the system which the server is running on, though this access should have been restricted to specific directories. In case that configuration interface is combined with not recommended settings to allow anonymous access via the TwinCAT OPC UA Server then this kind of file access is even possible for any unauthenticated user from remote.
PC Worx / -Express is vulnerable to a “zip slip” style vulnerability when loading a project file.
An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.9.0.
Critical vulnerabilities have been discovered in the utilized component log4net by Apache Software Foundation.
UPDATE A: Remediation: added fixed VisuNet Products
The Weidmueller Remote I/O (IP20) fieldbus couplers (u-remote) are affected by several vulnerabilities of the third-party TCP/IP Niche stack. An attacker may use crafted IP packets to cause a denial of service or breach of integrity of the affected products. Weidmueller recommends restricting network access from the internet and also locally to reduce the attack vector to a manageable minimum.
The affected products contain a CODESYS Control runtime system in version V2. They are therefore affected by the
vulnerability described in CODESYS Advisory 2021-06. It provides a communication server for the communication with clients like the CODESYS Development System.
The 9400 servo inverters is only affected if the communication Path via the inserted EtherNet Module E94AYCEN on slot MXI1 or MXI2 is used. If the Module E94AYCEN is used, the following Versions are affected.
Product Identification: E94xSHxxx (Single Drive, High Line)
Product Identification: E94xMHxxx (Multi Drive, High Line)
Remark: If the product identification of your 9400 product does not fit to the above mentioned identification, please contact Lenze at Security.de@Lenze.com.
The Versions P (power supply module) and R (regenerative power supply module) are not affected. Furthermore, the Variant P (PLC) and the Variant S (StateLine) are not affected. The communication paths via the diagnostic interface X6, the system bus (CAN) X1 or the field buses (other than the named Ethernet module) that can be plugged into the module slots MXI1 or MXI2 are not affected.
The focus is therefore on 9400 servo inverters with the product-identification E94x{S/M}{H}... with a plugged in Ethernet module E94AYCEN... in module slot MXI1 or MXI2 and communication with the Engineer-Tools via exactly this channel.
In addition to the standard tool Engineer, there is also a special Version of the PLC Designer (Version 0.x). The communication path to the PLC Designer is not considered with the planned update and the vulnerabilities here remain even after the update. Here, the customer must provide a secure Environment, see Mitigation.
Promass 83 devices utilizing 499ES EtherNet/IP (ENIP) Stack by Real Time Automation (RTA) are vulnerable to a stack-based buffer overflow.
Update A, 2021-10-07:
The affected product families are cameras SBOC/SBOI and the Controller SBRD. The vulnerabilities are located within the Ethernet IP Stack from EIPStackGroup OpENer Ethernet/IP.