B&R Automation Studio

Risk Summary

Successful exploitation of these vulnerabilities could allow an attacker to delete arbitrary files from this system, fetch arbitrary files, or perform arbitrary write operations.

CVEs (3)

Remediations

• B&R recommends applying product updates at the earliest convenience. Users of Automation Studio Versions 4.0.x, 4.1.x, and 4.2.x are advised to upgrade to a newer version of Automation Studio.
• The upgrade service now operates with reduced privileges. Additionally, the deletion process is restricted to Automation Studio downloaded files and directories.
• B&Rs upgrade server now serves HTTPS links in the configuration files. Additionally, Microsoft .NET Framework certificate checks are now being used in the Automation Studio upgrade service.
• Automation Studio 4.3 and later should be switched from the SharpZipLib to the .NET Framework, provided native ZIP archive implementation. For these versions the issue is not reproducible. For prior versions of Automation Studio, it is recommended to update the installation.
• Access to zip archives is controlled and access of the zip archive is limited to trusted parties only.
• Checksums may be used to detect tampering of zip archives, e.g., transferring them between different contexts.
• It is possible to manually adjust the permissions of the Automation Studio upgrade. Access to the Automation Studio installation and the device it is used on should be restricted.
• Users may approach their local B&R service organization in case of questions.
• For more information related to these vulnerabilities, please refer to the B&R advisory.
• For additional information and support, please contact B&R service.

Affected Vendors

Affected Products (9)

Affected Sectors

Chemical, Critical Manufacturing, Energy