Beckhoff TwinCAT/BSD Local Command Execution via Input Validation Bypass (CVE-2024-41174)

Key Information Vulnerability Description Vulnerability ID: VDE-2024-048 Release Date: 2024-08-27 10:00 (CEST) Update Date: 2024-08-27 08:58 (CEST) Vendor: Beckhoff Automation GmbH & Co. KG Affected Products: - Product: Package IPC-Diagnostics-www - Affected Versions: < 2.1.1.0 - Product: TwinCAT/BSD - Affected Versions: < 14.1.2.0_153968 Vulnerability Details Description: By default, the device-specific Web-based Management (WBM) interface (Beckhoff Device Manager UI) for TwinCAT/BSD-based products is enabled and accessible remotely or locally. When accessed locally, an attacker can bypass input validation by entering specially crafted input, which then allows execution of local commands with administrative privileges. CVE ID: CVE-2024-41174 Severity: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79) Impact Description: A local attacker with low privileges can bypass input validation by entering specially crafted input, leading to execution of local commands with administrative privileges. Solution Mitigation: Avoid having user accounts with login privileges except for administrative access. By default, TwinCAT/BSD is pre-configured with user accounts having lower privileges, but these accounts have no passwords, resulting in login access being denied. Avoid running third-party applications on the target system that have not been thoroughly audited, regardless of what the user is running. Remediation: Update affected products to the latest versions. In general, Beckhoff recommends updating the entire TwinCAT/BSD operating system to the latest version, rather than individual packages. For information on updating existing TwinCAT/BSD installations, refer to the provided link. You can also determine the operating system version via the command line. This can also be viewed through the Beckhoff Device Manager UI. Note that when upgrading from a major TwinCAT/BSD version 12, two consecutive upgrades are required. Reporter CERT@VDE: Coordinated with Beckhoff Andrea Palanca: Reported via Nozomi Networks

Goal Reached Thanks to every supporter — we hit 100%!

Beckhoff TwinCAT/BSD Local Command Execution via Input Validation Bypass (CVE-2024-41174)