
ID

VDE-2021-002

Published

2021-01-20 14:32 (CET)

Last update

2021-01-20 14:32 (CET)

Vendor(s)

Weidmueller Interface GmbH & Co. KG

Product(s)

Article No°    Product Name    Affected Version(s)
               WI Manager      <= 2.5.1

Summary

A vulnerability has been discovered in the fdtCONTAINER component and application by M&M Software GmbH.
As this software is part of the Weidmüller FDT/DTM Software with WI Manager, this Weidmueller software is affected by the above vulnerability as well.

The fdtCONTAINER component exchanges binary data blobs with the WI Manager. The WI Manager saves these binary data blobs into a project file.

If an attacker gets write access to the project file, the project file can be manipulated to contain malicious code.


Last Update:

March 16, 2021, 9:37 a.m.

Weakness

Deserialization of untrusted data (CWE-502)

Impact

If a manipulated project file is loaded by the WI Manager, malicious code can get executed with the user rights of the WI Manager without notice.

For more information please refer to:

VDE-2020-048: M&M Software (WAGO): Deserialisation of untrusted data in fdtContainer

Solution

Remediation

none yet

Mitigation

  • Exchange project data only via secure exchange services
  • Use appropriate means to protect the project storage from unauthorized manipulation
  • Do not open project data from an unknown source
  • Reduce the user rights of the WI Manager to the necessary minimum
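One way to act on the second mitigation (protecting the project storage from unauthorized manipulation) is to keep a keyed integrity manifest of the project files and verify it before the WI Manager loads them, so that a blob rewritten by someone with write access to the storage is detected rather than deserialized. The following is an added example, not code from the advisory, from Weidmueller or from M&M Software; the directory layout, the manifest file name and the sample project file are constructed assumptions, and the HMAC key is assumed to be held by the operator outside the project storage, since a key stored next to the files would let the same write access forge the manifest.

```python
"""Keyed integrity manifest for project files (added example, not vendor code).

Assumptions (not from the advisory): project files live in one directory,
the manifest is a JSON file in that directory, and the HMAC key is kept
outside the project storage (e.g. an operator-held secret).
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "project-manifest.json"  # hypothetical manifest file name


def _file_digest(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large binary blobs are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(project_dir: Path, key: bytes) -> dict:
    """Digest every file under project_dir (except the manifest) and sign the list."""
    entries = {}
    for p in sorted(project_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            entries[p.relative_to(project_dir).as_posix()] = _file_digest(p)
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"files": entries, "hmac": tag}


def write_manifest(project_dir: Path, key: bytes) -> dict:
    """Record the current state of the storage; run this after legitimate edits."""
    manifest = build_manifest(project_dir, key)
    (project_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_project(project_dir: Path, key: bytes) -> list:
    """Return findings; an empty list means the storage matches the signed manifest."""
    mpath = project_dir / MANIFEST_NAME
    if not mpath.exists():
        return ["manifest missing"]
    recorded = json.loads(mpath.read_text())
    body = json.dumps(recorded["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time compare; a forged or re-generated manifest fails here.
    if not hmac.compare_digest(expected, recorded["hmac"]):
        return ["manifest HMAC invalid (manifest forged or wrong key)"]
    current = build_manifest(project_dir, key)["files"]
    findings = []
    for name, digest in recorded["files"].items():
        if name not in current:
            findings.append(f"missing: {name}")
        elif current[name] != digest:
            findings.append(f"modified: {name}")
    for name in current:
        if name not in recorded["files"]:
            findings.append(f"unexpected: {name}")
    return findings


def demo() -> dict:
    """Walk through clean, wrong-key, modified and added-file cases on constructed data."""
    key = b"operator-held-secret-key"  # constructed; keep outside project storage in practice
    with tempfile.TemporaryDirectory() as d:
        proj = Path(d)
        blob = proj / "plant.proj"  # constructed sample project file
        blob.write_bytes(b"\x00FDT\x01" + bytes(range(32)))
        write_manifest(proj, key)
        clean = verify_project(proj, key)
        wrong_key = verify_project(proj, b"some-other-key")
        blob.write_bytes(b"\x00FDT\x01" + b"\xff" * 32)  # simulate an unauthorized rewrite
        tampered = verify_project(proj, key)
        (proj / "extra.dtm").write_bytes(b"x")  # simulate an added, unrecorded file
        extra = verify_project(proj, key)
    return {"clean": clean, "wrong_key": wrong_key, "tampered": tampered, "extra": extra}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result or 'OK'}")
```

Gate the actual load on an empty result from `verify_project` and regenerate the manifest only through the same controlled path that edits the project, so a blob rewritten by someone who only has write access to the storage never reaches the deserializer. This does not fix the deserialization weakness itself; it only narrows the "attacker gets write access to the project file" precondition, which is what the advisory's mitigations aim at.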

Reported by

M&M Software GmbH

Coordinated by CERT@VDE