OTPulse

WAGO M&M Software fdtCONTAINER (Update C)

Monitor · 7.3 · ICS-CERT ICSA-21-021-05 · Jan 21, 2021
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

Multiple field device configuration and management software products from WAGO, Emerson, Mitsubishi Electric, Weidmüller, and Pepperl+Fuchs are vulnerable to arbitrary code execution through insecure deserialization of project files (CWE-502). An attacker can craft a malicious project file that, when opened by an authorized user, executes arbitrary code on the workstation with the user's privileges. The affected products include fdtCONTAINER (versions 3.5.x, 4.5.x–4.6.x), dtmINSPECTOR (based on FDT 1.2.x), Weidmüller WI Manager (up to 2.5.1), Mitsubishi Electric MELSOFT FieldDeviceConfigurator (up to 1.05 F), Pepperl+Fuchs PACTware (5.0–5.0.5.31), and Emerson Rosemount RTIS. Most affected versions do not have fixes available.

What this means
What could happen
If an attacker tricks an authorized user into opening a malicious project file, the attacker's code will run on that workstation with the user's privileges, potentially compromising the engineering workstation and gaining access to connected industrial equipment or control system data.
Who's at risk
This affects engineers and technicians in the power generation, transmission, and distribution sectors (energy) who use WAGO, Emerson, Mitsubishi Electric, Weidmüller, or Pepperl+Fuchs field device configuration and management tools to manage PLCs, transmitters, and other intelligent field devices. It specifically impacts workstations running fdtCONTAINER, WI Manager, MELSOFT FieldDeviceConfigurator, PACTware, or Rosemount RTIS.
How it could be exploited
An attacker crafts a malicious fdtCONTAINER project file by exploiting insecure deserialization (CWE-502). The attacker uses social engineering to get a legitimate engineer to open the file. When opened, the file deserializes untrusted data that executes arbitrary code on the workstation with the engineer's privileges.
Prerequisites
  • Valid user account on a workstation with fdtCONTAINER, dtmINSPECTOR, WI Manager, MELSOFT FieldDeviceConfigurator, PACTware, or RTIS installed
  • Affects engineering workstations that can reach production control systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (6)
6 pending
Product: fdtCONTAINER
  Affected versions: ≥ 4.6.0 | =< 4.6.20304.x; ≥ 3.5.0 | =< 3.5.20304.x; ≥ 4.5.0 | =< 3.5.20304.x and 3 more
  Fix status: No fix yet
Product: dtmINSPECTOR
  Affected versions: 3 (Based on FDT 1.2.x)
  Fix status: No fix yet
Product: Weidmüller WI Manager
  Affected versions: ≤ 2.5.1
  Fix status: No fix yet
Product: Mitsubishi Electric MELSOFT FieldDeviceConfigurator
  Affected versions: ≤ 1.05 F
  Fix status: No fix yet
Product: PEPPERL+FUCHS PACTware
  Affected versions: => 5.0 | ≤ 5.0.5.31
  Fix status: No fix yet
Product: Emerson Rosemount Transmitter Interface Software (RTIS)
  Affected versions: SKUs 04088-9000-0001 | 4088-9000-0002 | 7000003-312
  Fix status: No fix yet
Remediation & Mitigation

  • Update the fdtCONTAINER component/fdtCONTAINER application to a version that provides a more secure deserialization of the project data. This version will still use a deprecated serialization technology but will fix the currently known attack vector and will be compatible with existing, non-manipulated project files.
  • Update the fdtCONTAINER component/fdtCONTAINER application to a version (fdtCONTAINER component: 3.7 or newer, fdtCONTAINER application: 4.7 or newer) that provides a secure deserialization of the project data with an updated serialization technology. This will break the compatibility to existing, non-manipulated project files.
