Pilz: Multiple products prone to libwebp vulnerability
Act Now | CVSS 8.8 | VDE-2023-048 | Dec 5, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Pilz PASvisu, PIT Transponder Manager, and PMI v8xx products contain a vulnerability in the third-party libwebp image decoder component. The flaw in WebP image processing allows an attacker to execute arbitrary code with the privileges of the affected application, potentially leading to full system compromise. Depending on the product, exploitation may be local or remote. This vulnerability is actively exploited in the wild.
What this means
What could happen
An attacker could exploit a flaw in the libwebp image decoder to run arbitrary code on devices running PASvisu, PIT Transponder Manager, or PMI systems. This could allow the attacker to take control of safety-critical visualization and monitoring systems, potentially disrupting plant operations or safety functions.
Who's at risk
Water utilities and municipal power operators using Pilz safety control and visualization products should be concerned. Specifically, this affects operators of PASvisu operator interfaces and dashboards, PIT Transponder Manager for remote I/O management, and PMI v8xx modular safety controller systems. Any facility using these for process monitoring, alarm display, or safety logic execution is at risk.
How it could be exploited
An attacker could craft a malicious WebP image file and deliver it to a user or system running one of the affected Pilz products. When the product decodes the image, the attacker's code executes with the privileges of the running application. For network-accessible products like PASvisu, the attack could be delivered remotely; for others, local access or user interaction may be required.
Prerequisites
- User interaction or network access to a system running an affected Pilz product
- Ability to deliver or trick the system into processing a malicious WebP image file
- For PASvisu: network access to the Runtime service
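Since exploitation depends on an affected product decoding a WebP file, files can be classified by their RIFF/WebP container header rather than by extension before they reach those systems. The Python below is an added example, not part of the advisory or of any Pilz tooling; `inspect_webp`, `screen` and the `SAMPLE` bytes are constructed for illustration.

```python
import struct

# Chunk FourCCs listed in the WebP container specification.
KNOWN_CHUNKS = {b"VP8 ", b"VP8L", b"VP8X", b"ALPH", b"ANIM",
                b"ANMF", b"ICCP", b"EXIF", b"XMP "}
# Constructed sample: a well-formed container around a 3-byte placeholder
# payload (plus one pad byte). It is not a decodable image.
SAMPLE = (b"RIFF" + struct.pack("<I", 16) + b"WEBP" +
          b"VP8L" + struct.pack("<I", 3) + b"\x2f\x00\x00" + b"\x00")

def inspect_webp(data: bytes) -> dict:
    """Identify WebP by content and walk its chunk list."""
    info = {"is_webp": False, "chunks": [], "anomalies": []}
    # Header layout: "RIFF", uint32 LE size of what follows, "WEBP".
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        return info
    info["is_webp"] = True
    (riff_size,) = struct.unpack_from("<I", data, 4)
    if riff_size + 8 != len(data):
        info["anomalies"].append("RIFF size does not match file length")
    offset = 12
    while offset < len(data):
        if offset + 8 > len(data):
            info["anomalies"].append("truncated chunk header")
            break
        fourcc = data[offset:offset + 4]
        (size,) = struct.unpack_from("<I", data, offset + 4)
        info["chunks"].append(fourcc.decode("latin-1"))
        if fourcc not in KNOWN_CHUNKS:
            info["anomalies"].append(f"chunk {fourcc!r} not in spec list")
        end = offset + 8 + size
        if end > len(data):
            info["anomalies"].append(f"chunk {fourcc!r} overruns file")
            break
        offset = end + (size & 1)  # payloads are padded to even length
    return info

def screen(name: str, data: bytes) -> str:
    """Verdict for a file on its way to a host with an affected product."""
    info = inspect_webp(data)
    if not info["is_webp"]:
        return "pass"
    verdict = "hold: WebP content"
    if not name.lower().endswith(".webp"):
        verdict += " under a non-.webp name"
    if info["anomalies"]:
        verdict += " (malformed container)"
    return verdict

if __name__ == "__main__":
    print(screen("logo.png", SAMPLE))
```

A clean parse says nothing about whether the image data is safe to decode; the check only establishes that a file is WebP so it can be kept away from systems that have no fixed decoder.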
actively exploited (KEV) | remotely exploitable (for network-accessible products) | high CVSS (8.8) | affects safety systems | no patch available yet
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (3)
3 EOL
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| PASvisu | < 1.14.1 | No fix (EOL) |
| PIT Transponder Manager | < 1.2.0 | No fix (EOL) |
| PMI v8xx | ≤ 2.0.33992 | No fix (EOL) |
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to PASvisu Runtime to only legitimate connections using firewall rules
- HARDENING: Configure and enforce user authentication and administrative access controls on PASvisu and other affected products
- HOTFIX: Monitor Pilz eShop for fixed versions of PASvisu, PIT Transponder Manager, and PMI v8xx and deploy patches immediately upon availability
CVEs (1)