VDE-2020-048
Vulnerability from csaf_wagogmbhcokg - Published: 2021-01-14 14:57 - Updated: 2021-01-14 14:57
Summary
M&M Software (WAGO): Deserialisation of untrusted data in fdtContainer
Notes
Summary: The fdtCONTAINER component is integrated into an application (host application). The fdtCONTAINER application is a specific host application which integrates the fdtCONTAINER component.
The fdtCONTAINER component exchanges binary data blobs with such a host application. Typically, the host application saves these binary data blobs into a project storage (project file or a project database).
To manipulate the data inside the project storage, the attacker needs write access to this project storage. Additionally, the manipulated project needs to be opened by the host application. It depends on the host application whether opening the project requires a user action or not. In fdtCONTAINER applications, the user has to open the manipulated project file manually.
In the case of opening a stored project, the deserialization of the manipulated data can be exploited.
Impact: The engineering workstation, on which the host application is executed, might execute malicious code with the user rights of the host application.
Mitigation:
- Exchange project data only via secure exchange services
- Use appropriate means to protect the project storage from unauthorized manipulation
- Do not open project data from an unknown source
- Reduce the user rights of the host application to the necessary minimum
Remediation: M&M provides two technical solution options. Customers may choose between the following:
---
### Option 1:
Update the `fdtCONTAINER component` or `fdtCONTAINER application` to a version that offers **more secure deserialization** of project data.
- This version still uses a **deprecated serialization technology**, but fixes the currently known attack vector.
- It remains **compatible with existing, non-manipulated project files**.
**Implemented in:**
- `fdtCONTAINER component`: **3.6.20304.x – < 3.7**
- `fdtCONTAINER application`: **4.6.20304.x – < 4.7**
---
### Option 2:
Update the `fdtCONTAINER component` or `fdtCONTAINER application` to a version that uses an **updated serialization technology** for deserialization.
- This option ensures **secure handling of project data**.
- **Incompatible** with existing, non-manipulated project files.
**Implemented in:**
- `fdtCONTAINER component`: **≥ 3.7**
- `fdtCONTAINER application`: **≥ 4.7**
---
The fixed version of `dtmINSPECTOR` will also apply **Option 2** and is planned to be available in **Q1 2021**.
M&M Software fdtCONTAINER Component in versions below 3.5.20304.x and between 3.6 and 3.6.20304.x is vulnerable to deserialization of untrusted data in its project storage.
CVSS v3.0 base score: 7.3 (High)
Acknowledgments
- CERTVDE (certvde.com)
- customer of the fdtCONTAINER
{
"document": {
"acknowledgments": [
{
"organization": "CERTVDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
},
{
"organization": "customer of the fdtCONTAINER",
"summary": "reporting"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "The fdtCONTAINER component is integrated into an application (host application). The fdtCONTAINER application is a specific host application which integrates the fdtCONTAINER component.\n\nThe fdtCONTAINER component exchanges binary data blobs with such a host application. Typically, the host application saves these binary data blobs into a project storage (project file or a project database).\n\nTo manipulate the data inside the project storage, the attacker needs write access to this project storage. Additionally, the manipulated project needs to be opened by the host application. It depends on the host application whether opening the project requires a user action or not. In\nfdtCONTAINER applications, the user has to open the manipulated project file manually.\n\nIn the case of opening a stored project, the deserialization of the manipulated data can be exploited.",
"title": "Summary"
},
{
"category": "description",
"text": "The engineering workstation, on which the host application is executed, might execute malicious code with the user rights of the host application.",
"title": "Impact"
},
{
"category": "description",
"text": "- Exchange project data only via secure exchange services\n- Use appropriate means to protect the project storage from unauthorized manipulation\n- Do not open project data from an unknown source\n- Reduce the user rights of the host application to the necessary minimum",
"title": "Mitigation"
},
{
"category": "description",
"text": "M\u0026M provides two technical solution options. Customers may choose between the following:\n\n---\n\n### Option 1:\n\nUpdate the `fdtCONTAINER component` or `fdtCONTAINER application` to a version that offers **more secure deserialization** of project data.\n\n- This version still uses a **deprecated serialization technology**, \n but fixes the currently known attack vector.\n- It remains **compatible with existing, non-manipulated project files**.\n\n**Implemented in:**\n- `fdtCONTAINER component`: **3.6.20304.x \u2013 \u003c 3.7**\n- `fdtCONTAINER application`: **4.6.20304.x \u2013 \u003c 4.7**\n\n---\n\n### Option 2:\n\nUpdate the `fdtCONTAINER component` or `fdtCONTAINER application` to a version that uses an **updated serialization technology** for deserialization.\n\n- This option ensures **secure handling of project data**.\n- **Incompatible** with existing, non-manipulated project files.\n\n**Implemented in:**\n- `fdtCONTAINER component`: **\u2265 3.7**\n- `fdtCONTAINER application`: **\u2265 4.7**\n\n---\n\nThe fixed version of `dtmINSPECTOR` will also apply **Option 2** \nand is planned to be available in **Q1 2021**.",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@wago.com",
"name": "WAGO GmbH \u0026 Co. KG",
"namespace": "https://www.wago.com/psirt"
},
"references": [
{
"category": "external",
"summary": "WAGO GmbH \u0026 Co. KG",
"url": "https://www.wago.com/psirt"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for WAGO",
"url": "https://certvde.com/en/advisories/vendor/wago/"
},
{
"category": "self",
"summary": "VDE-2020-048: M\u0026M Software (WAGO): Deserialisation of untrusted data in fdtContainer - HTML",
"url": "https://certvde.com/en/advisories/VDE-2020-048/"
},
{
"category": "self",
"summary": "VDE-2020-048: M\u0026M Software (WAGO): Deserialisation of untrusted data in fdtContainer - CSAF",
"url": "https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2021/vde-2020-048.json"
}
],
"title": "M\u0026M Software (WAGO): Deserialisation of untrusted data in fdtContainer",
"tracking": {
"aliases": [
"VDE-2020-048"
],
"current_release_date": "2021-01-14T14:57:00.000Z",
"generator": {
"date": "2025-06-25T07:30:15.496Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.28"
}
},
"id": "VDE-2020-048",
"initial_release_date": "2021-01-14T14:57:00.000Z",
"revision_history": [
{
"date": "2021-01-14T14:57:00.000Z",
"number": "1.0.0",
"summary": "initial revision"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "3",
"product": {
"name": "dtmINSPECTOR bBased on FDT 1.2.x 3",
"product_id": "CSAFPID-51001"
}
}
],
"category": "product_name",
"name": "dtmINSPECTOR bBased on FDT 1.2.x"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.5",
"product": {
"name": "fdtCONTAINER application \u003c4.5",
"product_id": "CSAFPID-51002"
}
},
{
"category": "product_version_range",
"name": "4.5.0\u003c4.5.20304.x",
"product": {
"name": "fdtCONTAINER application 4.5.0\u003c4.5.20304.x",
"product_id": "CSAFPID-51003"
}
},
{
"category": "product_version_range",
"name": "4.6.0\u003c4.6.20304.x",
"product": {
"name": "fdtCONTAINER application 4.6.0\u003c4.6.20304.x",
"product_id": "CSAFPID-51004"
}
},
{
"category": "product_version",
"name": "4.7",
"product": {
"name": "fdtCONTAINER application 4.7",
"product_id": "CSAFPID-52001"
}
}
],
"category": "product_name",
"name": "fdtCONTAINER application"
},
{
"branches": [
{
"category": "product_version_range",
"name": "3.5.0\u003c3.5.20304.x",
"product": {
"name": "fdtCONTAINER component 3.5.0\u003c3.5.20304.x",
"product_id": "CSAFPID-51005"
}
},
{
"category": "product_version_range",
"name": "3.6.0\u003c3.6.20304.x",
"product": {
"name": "fdtCONTAINER component 3.6.0\u003c3.6.20304.x",
"product_id": "CSAFPID-51006"
}
},
{
"category": "product_version_range",
"name": "\u003c3.5",
"product": {
"name": "fdtCONTAINER component \u003c3.5",
"product_id": "CSAFPID-51007"
}
},
{
"category": "product_version",
"name": "3.7",
"product": {
"name": "fdtCONTAINER component 3.7",
"product_id": "CSAFPID-52002"
}
}
],
"category": "product_name",
"name": "fdtCONTAINER component"
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "M\u0026M Software (WAGO)"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007"
],
"summary": "Affected Products"
},
{
"group_id": "CSAFGID-0002",
"product_ids": [
"CSAFPID-52001",
"CSAFPID-52002"
],
"summary": "Fixed Products"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-12525",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "M\u0026M Software fdtCONTAINER Component in versions below 3.5.20304.x and between 3.6 and 3.6.20304.x is vulnerable to deserialization of untrusted data in its project storage.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-52001",
"CSAFPID-52002"
],
"known_affected": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007"
]
},
"remediations": [
{
"category": "mitigation",
"details": "- Exchange project data only via secure exchange services\n- Use appropriate means to protect the project storage from unauthorized manipulation\n- Do not open project data from an unknown source\n- Reduce the user rights of the host application to the necessary minimum",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "M\u0026M provides two technical solution options. Customers may choose between the following:\n\n---\n\n### Option 1:\n\nUpdate the `fdtCONTAINER component` or `fdtCONTAINER application` to a version that offers **more secure deserialization** of project data.\n\n- This version still uses a **deprecated serialization technology**, \n but fixes the currently known attack vector.\n- It remains **compatible with existing, non-manipulated project files**.\n\n**Implemented in:**\n- `fdtCONTAINER component`: **3.6.20304.x \u2013 \u003c 3.7**\n- `fdtCONTAINER application`: **4.6.20304.x \u2013 \u003c 4.7**\n\n---\n\n### Option 2:\n\nUpdate the `fdtCONTAINER component` or `fdtCONTAINER application` to a version that uses an **updated serialization technology** for deserialization.\n\n- This option ensures **secure handling of project data**.\n- **Incompatible** with existing, non-manipulated project files.\n\n**Implemented in:**\n- `fdtCONTAINER component`: **\u2265 3.7**\n- `fdtCONTAINER application`: **\u2265 4.7**\n\n---\n\nThe fixed version of `dtmINSPECTOR` will also apply **Option 2** \nand is planned to be available in **Q1 2021**.",
"group_ids": [
"CSAFGID-0002"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.3,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.3,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007"
]
}
],
"title": "CVE-2020-12525"
}
]
}