Beckhoff: Local authentication bypass in IPC-Diagnostics package included in TwinCAT/BSD operating system

CVSS: 7.8
Advisory ID: VDE-2024-045
Date: Aug 27, 2024
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

TwinCAT/BSD-based industrial PCs and IPC Diagnostics packages contain an authentication bypass in the Beckhoff Device Manager web interface. When accessed locally, any user with shell access can bypass authentication and gain full administrative privileges over the web management interface, regardless of their local user permissions. This allows an attacker to modify system settings, disable safety features, or alter process control parameters. The Device Manager interface is enabled by default and can also be accessed remotely. The vulnerability affects IPC Diagnostics versions prior to 2.0.0.1 and TwinCAT/BSD versions prior to 14.1.2.0_153968.

What this means
What could happen
A local user on a TwinCAT/BSD industrial PC can bypass authentication and gain full administrative control of the Beckhoff Device Manager web interface, potentially allowing them to alter system configuration, stop processes, or disable safety settings.
Who's at risk
Water utilities and electrical utilities running Beckhoff TwinCAT/BSD-based industrial PCs for process monitoring, control, or data acquisition (for example as PLCs, RTUs, or HMI systems). Any facility using Beckhoff IPC devices with the Diagnostics package or Device Manager enabled is affected.
How it could be exploited
An attacker with local shell access to a TwinCAT/BSD system (via physical access, compromised account, or malware) can access the web-based management interface and exploit a flaw that grants administrative privileges without proper authentication, even if the attacker's local account has restricted permissions.
Prerequisites
  • Local shell access to the TwinCAT/BSD system (either directly or via a compromised low-privilege user account)
  • Physical or network access to the industrial PC running TwinCAT/BSD
  • IPC Diagnostics or Device Manager web interface must be enabled (default configuration)
Key points
  • Locally exploitable (requires local access)
  • Low complexity exploitation
  • Leads to full administrative control
  • Default configuration is vulnerable
  • Affects process control and automation systems
Affected products (2, both with a fix available)

Product                   Affected Versions      Fix Status
IPC Diagnostics package   < 2.0.0.1              fixed in 2.0.0.1
TwinCAT/BSD               < 14.1.2.0_153968      fixed in 14.1.2.0_153968
Remediation & Mitigation
Do now
HARDENING: Disable or restrict network access to the Beckhoff Device Manager web interface (typically TCP port 80/443) to authorized administrative workstations only, using firewall rules or network segmentation
HARDENING: Remove or disable all non-administrator user accounts on TwinCAT/BSD systems unless they are required for specific applications
HARDENING: Restrict physical and remote shell access to TwinCAT/BSD systems to authorized personnel only
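As an added illustration of the first hardening item (this fragment is not part of the Beckhoff advisory or the OTPulse page), the following pf.conf rules limit the Device Manager web ports to a fixed set of administrative workstations. It assumes TwinCAT/BSD uses the FreeBSD pf packet filter; the interface name igb0 and the 192.0.2.x addresses are placeholders to be replaced with the site's own values.

```pf
# Added example, not from the advisory. Assumes pf (FreeBSD packet filter)
# on TwinCAT/BSD. Interface and addresses are placeholders.
ext_if     = "igb0"                        # placeholder: IPC's plant-network interface
admin_ws   = "{ 192.0.2.10, 192.0.2.11 }"  # placeholder: authorized admin workstations
devmgr_tcp = "{ 80, 443 }"                 # Device Manager web interface ports

set skip on lo0

# Log and drop every inbound connection attempt to the Device Manager ports
# that did not match the admin allow-rule below.
block in log on $ext_if proto tcp to ($ext_if) port $devmgr_tcp

# Allow only the listed administrative workstations; "quick" stops rule
# evaluation so the block rule above cannot override this match.
pass in quick on $ext_if proto tcp from $admin_ws to ($ext_if) \
    port $devmgr_tcp flags S/SA keep state
```

Validate the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. These rules only touch the two web ports, so fieldbus and ADS traffic on other ports is unaffected; they reduce remote exposure of the interface but do not remove the local bypass itself, which still requires the HOTFIX updates listed below.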
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update TwinCAT/BSD to version 14.1.2.0_153968 or later
HOTFIX: Update the IPC Diagnostics package to version 2.0.0.1 or later
Source: OTPulse