Share: Email | Twitter

ID

VDE-2023-067

Published

2023-12-13 08:00 (CET)

Last update

2023-12-11 14:13 (CET)

Vendor(s)

Beckhoff Automation GmbH & Co. KG

Product(s)

Article No┬░ Product Name Affected Version(s)
authelia-bhf included in TwinCAT/BSD < 4.37.5

Summary

With TwinCAT/BSD based products the HTTPS request to the Authelia login page accepts user-controlled input that specifies a link to an external site.


Last Update:

Dec. 11, 2023, 11:26 a.m.

Weakness

URL Redirection to Untrusted Site ('Open Redirect')  (CWE-601) 

Summary

The package authelia-bhf included in Beckhoffs TwinCAT/BSD is prone to an open redirect that allows a remote unprivileged attacker to redirect a user to another site. This may have limited impact to integrity and does solely affect anthelia-bhf the Beckhoff fork of authelia.


Impact

By default TwinCAT/BSD based products have Authelia installed and configured to perform the user authentication for web applications hosted on a target. This installation and configuration is provided with the package named “authelia-bhf”. With the affected versions of the package Authelia is configured to accept user-controlled input via URL parameter that specifies a link which can then be a link to an arbitrary external site.

Please note: The sources for the package “authelia-bhf” are a fork from the original Open Source Software called “Authelia”. The vulnerability was exclusively introduced with that fork and has been removed there. It never became part of “Authelia”.

Solution

Mitigation

Use firewall or web-proxy technology at your network perimeter which allow internal clients to access only trusted external sites directly.

Remediation

Please update to a recent version of the affected product.

Reported by

Beckhoff Automation thanks Benedikt Kühne, Siemens Energy for reporting the issue and for support and efforts with the coordinated disclosure. Also Beckhoff Automation thanks CERT@VDE for coordination.
The Beckhoff Advisory can be found at https://download.beckhoff.com/download/Document/product-security/Advisories/advisory-2023-001.pdf