Share: Email | Twitter

ID

VDE-2022-059

Published

2023-01-16 10:00 (CET)

Last update

2023-01-13 11:12 (CET)

Vendor(s)

HIMA Paul Hildebrandt GmbH

Product(s)

Article No┬░ Product Name Affected Version(s)
892042400 HOPCS <= 3.56.4
894000016 X-OPC A+E <= 5.6.1210
894000015 X-OPC DA <= 5.6.1210
895900001 X-OTS <= 1.32.550

Summary

Unquoted Windows search path vulnerability in the below mentioned Software for Windows might allow local users to gain privileges via a malicious .exe file.


Last Update:

Jan. 11, 2023, 7:45 a.m.

Weakness

Unquoted Search Path or Element  (CWE-428) 

Summary

In HIMA PC based Software in multiple versions an unquoted Windows search path vulnerability might allow local users to gain privileges via a malicious .exe file and gain full access to the system.


Impact

The vulnerability can be used to run a malicious file with administrator privileges while being logged in as a normal user. Therefore, any action which is not restricted by other measures could be taken.

Due to the security manual HIMA recommends to run the OPC Server and the programming environment on different PCs.

The OPC can only influence the data defined in the project. It does not have the ability to change the project. For this reason HIMA estimates the influence of the OPC Server on the program of the safety PLC (Programmable Logic Controller) as unlikely.

Solution

Mitigation

Ensure that Registry can only be accessed with administrator privileges.
HOPCS: Install in a path without spaces and/or select a user with low privileges in the DCOM settings dcomcnfg/Identity.
When using X-OPC or X-OTS it is recommended to protect the user program, with the system variables (see Automation Security Manual “3.2.2.2 Access Restrictions”):

  • Forcing Deactivation
  • Read-only in RUN
  • Reload Deactivation

Remediation

All present products will be fixed. Updates are under development.
Note: HOPCS is not suitable for present HIMA Products and is not planned to be fixed.

Reported by

This vulnerability has been found by a HIMA customer.
Case handled by PSIRT@hima.com in cooperation with CERT@VDE