Beckhoff: Open redirect in TwinCAT/BSD package authelia-bhf
Monitor · 4.3 · VDE-2023-067 · Dec 13, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
An open redirect vulnerability exists in the Authelia login component of TwinCAT/BSD (versions before 4.37.5). The HTTPS request to the login page accepts user-controlled input that specifies a link to an external site, allowing attackers to redirect users to malicious pages for credential harvesting.
What this means
What could happen
An attacker could craft a malicious link that tricks an operator into visiting a fake login page, potentially stealing engineering credentials or workstation access. This affects remote management of Beckhoff automation systems.
Who's at risk
Beckhoff automation system operators and engineering teams who use TwinCAT/BSD for programming, configuration, or remote management of PLCs and industrial controllers. Organizations running versions before 4.37.5 are vulnerable to credential theft through phishing redirects.
How it could be exploited
An attacker sends a crafted HTTPS URL to a TwinCAT/BSD user that includes a redirect parameter pointing to an external malicious site. When the user clicks the link in an email or message, the Authelia login page redirects them to the attacker's site, where a fake login form captures their credentials.
Prerequisites
- User must click a malicious link sent by attacker
- Network access to the TwinCAT/BSD Authelia login page
- No authentication required to trigger the redirect
remotely exploitable · no authentication required · low complexity · affects engineering credentials
Affected products (1)
Product | Affected Versions | Fix Status
authelia-bhf included in TwinCAT/BSD | <4.37.5 | 4.37.5
Remediation & Mitigation
Do now
HARDENING: Configure firewall or web proxy rules to block outbound HTTPS traffic from engineering workstations to untrusted external domains, allowing only approved sites.
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
HOTFIX: Update TwinCAT/BSD to version 4.37.5 or later.
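A defender's check for the redirect parameter described under "How it could be exploited", plus a detection pass over proxy logs that complements the "Do now" egress rule. This is an added example, not Beckhoff's or Authelia's code; the `rd` parameter name (upstream Authelia's), the portal hostname and the log lines are assumed or constructed.

```python
"""Added example: detect and reject off-portal login redirects.
Assumptions not taken from the advisory: the redirect target travels in a
query parameter named "rd" (upstream Authelia's name), the portal is served
at https://auth.plant.example, and the log lines are constructed samples."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

PORTAL_HOST = "auth.plant.example"  # assumed portal hostname
REDIRECT_PARAM = "rd"               # assumed parameter name

def is_safe_redirect(target: str, portal_host: str = PORTAL_HOST) -> bool:
    """Allow only same-site relative paths or https URLs on the portal host."""
    # Decode once more and normalise backslashes: browsers treat "\" as "/",
    # so "/\evil.example" would otherwise pass as a relative path.
    target = unquote(target).strip().replace("\\", "/")
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative path; "//host" is protocol-relative and therefore external.
        return target.startswith("/") and not target.startswith("//")
    # Absolute URL: https only, and the parsed host (not a user@ prefix or a
    # look-alike subdomain) must be exactly the portal.
    return parts.scheme == "https" and parts.hostname == portal_host.lower()

# Constructed front-proxy access log (not real traffic) for the detection below.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Dec/2023:10:01:02 +0000] "GET /?rd=https%3A%2F%2Fauth.plant.example%2Fdashboard HTTP/1.1" 200
198.51.100.7 - - [13/Dec/2023:10:02:15 +0000] "GET /?rd=https%3A%2F%2Flogin-beckhoff.example%2F HTTP/1.1" 302
198.51.100.7 - - [13/Dec/2023:10:02:40 +0000] "GET /?rd=%2F%2Fevil.example%2Fphish HTTP/1.1" 302
192.0.2.11 - - [13/Dec/2023:10:03:00 +0000] "GET /api/state HTTP/1.1" 200
"""
REQ_RE = re.compile(r'^(?P<src>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

def find_external_redirects(log_text: str) -> list[tuple[str, str]]:
    """Return (client, redirect target) for requests whose rd leaves the portal."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for rd in parse_qs(query).get(REDIRECT_PARAM, []):  # parse_qs percent-decodes
            if not is_safe_redirect(rd):
                hits.append((m["src"], rd))
    return hits

if __name__ == "__main__":
    for client, rd in find_external_redirects(SAMPLE_LOG):
        print(f"external redirect from {client}: {rd}")
```

Until the hotfix is applied, the same validator can sit in a reverse proxy or WAF rule in front of the portal; the log scan gives an indicator of attempted phishing lures against unpatched hosts.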
CVEs (1)