• 1 (current)
  • 2

The Miele Benchmark Programming Tool on a Microsoft Windows operating system, selects a folder by default upon installation that is writable for all users (C:\\MIELE_SERVICE). After the installation of the tool, users without administrative privileges are able to exchange or delete executable files in this path.



Critical vulnerabilities have been discovered in the utilized component Remote Desktop Client by Microsoft.
For more information see: https://msrc.microsoft.com/update-guide/vulnerability/CVE- 2022-21990



Several Pilz products use Versions V2 and V3 of the CODESYS runtime system from CODESYS GmbH, which enables the execution of IEC 61131-3 PLC programs. These runtime environments contain several vulnerabilities, which an attacker can exploit via the network. Successful exploitation of the vulnerabilities results in reduced availability and, in a worst case, to the insertion of program code.



The software product PMC programming tool from Pilz is based on the software CODESYS Development System from CODESYS GmbH. This software is affected by several vulnerabilities, which an attacker can exploit locally or via the network. This means that, in a worst case, attackers could execute arbitrary program code on the PC on which the PMC programming tool is used.



Bender is publishing this advisory to inform customers about multiple security vulnerabilities in the Charge Controller product families.
Bender has analysed the weaknesses and determined that the electrical safety of the devices is not concerned. To Benders knowledge, proof-of-concept code or exploits for the weaknesses are not available to the public.
Bender considers some weaknesses to be critical and thus need to be patched immediately. Therefore, patches are provided as maintenance branch versions 5.11.2, 5.12.5, 5.13.2 and 5.20.2. Future software releases will of course already include these patches.



The software product PMC programming tool from Pilz is based on the software CODESYS Development System from CODESYS GmbH. This software is affected by several vulnerabilities, which an attacker can exploit locally or via the network. This means that, in a worst case, attackers could execute arbitrary program code on the PC on which the PMC programming tool is used.



Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling.
For the mGuard Device Manager only the mdm Installer for Windows is affected.



FL MGUARD and TC MGUARD devices are affected by a possible infinite loop within a OpenSSL library method for parsing elliptic curve parameters. This method is used on parsing cryptographic certificates that contain elliptic curve public keys in compressed form, which may occur on:

  • Parsing client certificates for HTTPS administrative login
  • Parsing client certificates for SSH administrative login
  • Parsing peer certificates for IPsec VPN connections
  • Parsing certificates of external servers, including:
    • OpenVPN server
    • Configuration pull server
    • Update server

Attackers could try to exploit the vulnerability from remote.
For the mGuard Device Manager only the mdm Installer for Windows is affected.

UPDATE A: Added FL MGUARD 1102 and FL MGUARD 1105:

On FL MGUARD 1102 and FL MGUARD 1105 with mGuardNT 1.5.2 and older, the device can
be affected through an adapted certificate. This can occur on connection with a remote logging
server, configured for certificate authentication, or an remote authentication server at certificate
based authentication.



  • 1 (current)
  • 2

Feeds

By Vendor

Archive

2022
2021
2020
2019
2018
2017

Legend

(Scoring for CVSS 2.0,3.0+3.1)
None
No CVE available
Low
0.1 <= 3.9
Medium
4.0 <= 6.9
High
7.0 <= 8.9
Critical
9.0 <= 10.0