The Web-Based Management (WBM) of WAGO's programmable logic controller (PLC) is typically used for administration, commissioning and updates.
With specially crafted requests it is possible to change some special parameters without authentication.



Several vulnerabilities have been discovered in the utilized component WIBU-SYSTEMS CodeMeter Runtime.

For detailed information please refer to the original WIBU-SYSTEMS advisories at https://wibu.com/support/security-advisories.html



A number of Pilz software tools use the CodeMeter Runtime application from WIBU-SYSTEMS AG to manage licences. This application contains a number of vulnerabilities, which enable an attacker to change and falsify a licence file, prevent normal operation of CodeMeter (Denial-of-Service) and potentially execute arbitrary code.



Multiple vulnerabilities were reported in WIBU-SYSTEMS CodeMeter. WIBU-SYSTEMS CodeMeter is installed by default during e!COCKPIT installation. All currently existing e!COCKPIT installation bundles contain vulnerable versions of WIBU-SYSTEMS CodeMeter.



Several vulnerabilities have been discovered in WIBU-SYSTEMS CodeMeter and published 08 September 2020. Phoenix Contact is only affected by a subset of these vulnerabilities.

Phoenix Contact products are not affected by vulnerabilities WIBU-200521-01 (CVE-2020-14513), WIBU-200521-04 (CVE-2020-14517), and WIBU-200521-06 (CVE-2020-14515). For further information please refer to the WIBU advisories directly at https://wibu.com/support/security-advisories.html.



A timeout during a TLS handshake can result in the connection failing to terminate. This can result in a Niagara thread hanging and requires a manual restart to correct.



The build settings of a PLCnext Engineer project (.pcwex) can be manipulated in a way that can result in the execution of remote code.
The attacker needs to get access to a PLCnext Engineer project to be able to manipulate files inside. Additionally, the files of the remote code need to be transferred to a location which can be accessed by the PC that runs PLCnext Engineer. When PLCnext Engineer runs a build process of the manipulated project the remote code can be executed.


