Beckhoff TwinCAT/BSD Local Authentication Bypass (CVE-2024-41173)

Key Information Vulnerability Description Vulnerability ID: VDE-2024-045 Release Date: 2024-08-27 10:00 (CEST) Update Date: 2024-08-27 08:58 (CEST) Vendor: Beckhoff Automation GmbH & Co. KG Affected Products: - IPC Diagnostics package - TwinCAT/BSD - Versions: < 2.0.0.1, < 14.1.2.0_153968 Vulnerability Details Vulnerability Type: Local Authentication Bypass Description: By default, the device-specific web interface (WBM) for TwinCAT/BSD-based products, developed by Beckhoff and known as Beckhoff Device Manager UI, is enabled and accessible remotely or locally. When accessed locally, the authentication mechanism of the web interface can be bypassed by any local user, regardless of their privileges, allowing them to gain administrator-level access through this mechanism. CV Number CV Number: CVE-2024-41173 Severity Severity: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) Weakness Weakness: Authentication Bypass Using Alternate Path or Channel (CWE-288) Impact Impact: Low-privileged attackers can bypass the web interface’s authentication mechanism and operate with administrator privileges. Remediation Mitigation: Avoid the existence of user accounts with login privileges, except for administrator access. By default, TwinCAT/BSD is pre-configured with user accounts having lower privileges, but none of them have passwords, resulting in login access being denied. Avoid running third-party applications on the target that have not been thoroughly audited, regardless of what the user is running. Fix: Update affected products to the latest version. Generally, Beckhoff recommends updating the entire TwinCAT/BSD operating system to the latest version rather than individual packages. For information on updating existing TwinCAT/BSD installations, refer to the provided link. You can also determine the operating system version via the command line. This can also be viewed through the Beckhoff Device Manager UI. Note that when upgrading from a major TwinCAT/BSD version 12, two consecutive upgrades are required. Reporter Reporter: CERT@VDE in coordination with Beckhoff Reporter: Andrea Palanca of Nozomi Networks

Goal Reached Thanks to every supporter — we hit 100%!

Beckhoff TwinCAT/BSD Local Authentication Bypass (CVE-2024-41173)