OTPulse

Beckhoff: Local authentication bypass in IPC-Diagnostics package included in TwinCAT/BSD operating system

Plan PatchCVSS 7.8VDE-2024-045Aug 27, 2024
Beckhoff
Attack path
Attack VectorLocal
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary

TwinCAT/BSD-based industrial PCs and IPC Diagnostics packages contain an authentication bypass in the Beckhoff Device Manager web interface. When accessed locally, any user with shell access can bypass authentication and gain full administrative privileges over the web management interface, regardless of their local user permissions. This allows an attacker to modify system settings, disable safety features, or alter process control parameters. The Device Manager interface is enabled by default and can also be accessed remotely. The vulnerability affects IPC Diagnostics versions prior to 2.0.0.1 and TwinCAT/BSD versions prior to 14.1.2.0_153968.

What this means
What could happen
A local user on a TwinCAT/BSD industrial PC can bypass authentication and gain full administrative control of the Beckhoff Device Manager web interface, potentially allowing them to alter system configuration, stop processes, or disable safety settings.
Who's at risk
Water utilities and electrical utilities running Beckhoff TwinCAT/BSD-based industrial PCs for process monitoring, control, or data acquisition (such as PLC controllers, RTUs, and HMI systems). Any facility using Beckhoff IPC devices with the Diagnostics package or Device Manager enabled is affected.
How it could be exploited
An attacker with local shell access to a TwinCAT/BSD system (via physical access, compromised account, or malware) can access the web-based management interface and exploit a flaw that grants administrative privileges without proper authentication, even if the attacker's local account has restricted permissions.
Prerequisites
  • Local shell access to the TwinCAT/BSD system (either directly or via a compromised low-privilege user account)
  • Physical or network access to the industrial PC running TwinCAT/BSD
  • IPC Diagnostics or Device Manager web interface must be enabled (default configuration)
Locally exploitable (requires local access)Low complexity exploitationLeads to full administrative controlDefault configuration is vulnerableAffects process control and automation systems
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (2)
2 with fix
ProductAffected VersionsFix Status
IPC Diagnostics package <2.0.0.1<2.0.0.12.0.0.1
TwinCAT/BSD <14.1.2.0_153968<14.1.2.0 15396814.1.2.0_153968
Remediation & Mitigation
0/5
Do now
0/3
HARDENINGDisable or restrict network access to the Beckhoff Device Manager web interface (port typically 80/443) to only authorized administrative workstations using firewall rules or network segmentation
HARDENINGRemove or disable all non-administrator user accounts from TwinCAT/BSD systems unless required for specific applications
HARDENINGRestrict physical and remote shell access to TwinCAT/BSD systems to authorized personnel only
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate TwinCAT/BSD to version 14.1.2.0_153968 or later
HOTFIXUpdate IPC Diagnostics package to version 2.0.0.1 or later
View full CERT@VDE advisory
API: /api/v1/advisories/9fb5a063-28c6-495a-ae78-ee7fb754934b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.