Beckhoff: Improper neutralization of input in IPC-Diagnostics-www package included in TwinCAT/BSD operating system
Priority: Plan Patch
CVSS base score: 7.3
Advisory ID: VDE-2024-048
Published: Aug 27, 2024
Attack Vector: Local
Auth Required: Low (any low-privileged local account)
Complexity: Low
User Interaction: Required
Summary
TwinCAT/BSD-based products include the Beckhoff Device Manager UI web interface (enabled by default) which contains an input validation bypass vulnerability. A user with local access to the device can enter specially crafted inputs into certain pages to bypass validation and execute commands with administrative privileges. The vulnerability affects the IPC-Diagnostics-www package versions prior to 2.1.1.0 and TwinCAT/BSD versions prior to 14.1.2.0_153968.
What this means
What could happen
An attacker with local access to a TwinCAT/BSD device could bypass input validation in the web management interface and execute commands as administrator, allowing full control of the industrial controller including modification of control logic and process setpoints.
Who's at risk
Beckhoff TwinCAT/BSD-based industrial PCs (IPCs) running the Beckhoff Device Manager web interface, which is enabled by default, so a device in its default configuration is exposed. Any facility that uses such controllers for process control can be affected, including water treatment, power distribution, HVAC and manufacturing automation.
How it could be exploited
An attacker with local access to the Beckhoff Device Manager web interface enters specially crafted input into certain pages. The input is not properly neutralized, so it bypasses the validation checks and is passed on to the underlying system, where it is executed with administrative privileges. The attacker thereby gains full control of the IPC without holding an administrator account.
Prerequisites
- Local access to the TwinCAT/BSD device
- Access to the Beckhoff Device Manager web interface (enabled by default)
- A user account on the target system; administrator rights are not required, a non-administrator account is sufficient
Key characteristics:
- Low attack complexity
- Requires local access only
- Affects systems in their default configuration
- Results in administrative code execution
- Impacts safety and operational integrity
Affected products (2), both with a fix available
Product | Affected Versions | Fix Status
IPC-Diagnostics-www package | < 2.1.1.0 | Fixed in 2.1.1.0
TwinCAT/BSD | < 14.1.2.0_153968 | Fixed in 14.1.2.0_153968
Remediation & Mitigation
Do now
- HARDENING: Remove or disable non-administrator user accounts on the TwinCAT/BSD device that are not strictly required; any local account is sufficient to exploit the issue
- HARDENING: Restrict local console access to the device to authorized personnel only
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption
- HOTFIX: Update the IPC-Diagnostics-www package to version 2.1.1.0 or later
- HOTFIX: Update TwinCAT/BSD to version 14.1.2.0_153968 or later
- HARDENING: Audit and remove any third-party applications running on the device that have not been formally security reviewed
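To verify that the two updates above have actually landed on a device, compare the installed package versions against the fixed versions from the advisory. The script below is an added example, not Beckhoff's or the advisory's own tooling. It assumes the FreeBSD-style pkg tooling used by TwinCAT/BSD (pkg query '%v' prints an installed package's version) and that the IPC-Diagnostics-www package is registered under that name; the package name TwinCAT-BSD for the operating system version is an assumption and should be replaced with whatever carries the release version on your image. The version comparison treats both '.' and '_' as separators, so the build suffix in 14.1.2.0_153968 is compared numerically rather than as a string.

```shell
#!/bin/sh
# Added example (not from the advisory): check a TwinCAT/BSD device against VDE-2024-048.
FIXED_WWW="2.1.1.0"          # IPC-Diagnostics-www fixed version (from the advisory)
FIXED_BSD="14.1.2.0_153968"  # TwinCAT/BSD fixed version (from the advisory)

# vercmp A B: compare two pkg-style versions made of numeric components
# separated by '.' or '_'. Prints -1, 0 or 1 (A < B, A = B, A > B).
# Missing trailing components count as 0, so 2.1.1 equals 2.1.1.0.
vercmp() {
    va_=$(printf '%s' "$1" | tr '_' '.')
    vb_=$(printf '%s' "$2" | tr '_' '.')
    while [ -n "$va_" ] || [ -n "$vb_" ]; do
        ca_=${va_%%.*}; [ "$ca_" = "$va_" ] && va_="" || va_=${va_#*.}
        cb_=${vb_%%.*}; [ "$cb_" = "$vb_" ] && vb_="" || vb_=${vb_#*.}
        ca_=${ca_:-0}; cb_=${cb_:-0}
        if [ "$ca_" -lt "$cb_" ]; then printf '%s\n' "-1"; return 0; fi
        if [ "$ca_" -gt "$cb_" ]; then printf '%s\n' "1"; return 0; fi
    done
    printf '%s\n' "0"
}

# is_vulnerable INSTALLED FIXED: succeeds (exit 0) when INSTALLED is older than FIXED.
is_vulnerable() {
    [ "$(vercmp "$1" "$2")" -lt 0 ]
}

# report NAME INSTALLED FIXED: prints a one-line verdict; exit status mirrors is_vulnerable.
report() {
    if [ -z "$2" ]; then
        printf '%s: not installed (nothing to check)\n' "$1"
        return 1
    fi
    if is_vulnerable "$2" "$3"; then
        printf '%s: %s is VULNERABLE (fixed in %s)\n' "$1" "$2" "$3"
        return 0
    fi
    printf '%s: %s is patched (fixed in %s)\n' "$1" "$2" "$3"
    return 1
}

# check_device: run on the IPC itself. Package names are assumptions (see lead-in).
check_device() {
    www_=$(pkg query '%v' IPC-Diagnostics-www 2>/dev/null)
    bsd_=$(pkg query '%v' TwinCAT-BSD 2>/dev/null)
    rc_=0
    report "IPC-Diagnostics-www" "$www_" "$FIXED_WWW" && rc_=1
    report "TwinCAT/BSD" "$bsd_" "$FIXED_BSD" && rc_=1
    return $rc_
}

# Usage on the device:  sh check_vde_2024_048.sh   (exit status 1 = at least one component vulnerable)
# Offline smoke test with constructed version strings:
if [ "${1:-}" = "--selftest" ]; then
    report "IPC-Diagnostics-www" "2.1.0.5" "$FIXED_WWW"
    report "TwinCAT/BSD" "14.1.2.0_153967" "$FIXED_BSD"
    report "TwinCAT/BSD" "14.1.2.0_153968" "$FIXED_BSD"
elif [ "${1:-}" = "--device" ]; then
    check_device
fi
```

The non-zero exit status of check_device makes the script usable from a fleet inventory job: run it over every IPC and treat a status of 1 as an open finding. Because the page lists two separate fixed versions, a device where only one of the two components has been updated is still reported as vulnerable.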
CVEs (1)