ICSA-21-021-05  ·  Published 2021-06-17  ·  Source: CISA ICS-CERT

WAGO M&M Software fdtCONTAINER (Update C)

CVSS 7.3 HIGH

Risk Summary

If an attacker can socially engineer a valid user into loading a manipulated project file, malicious code can be executed without notice.

CVEs (1)

Remediations

  • Update the fdtCONTAINER component/fdtCONTAINER application to a version that provides a more secure deserialization of the project data. This version still uses a deprecated serialization technology but fixes the currently known attack vector and remains compatible with existing, non-manipulated project files.
  • Update the fdtCONTAINER component/fdtCONTAINER application to a version (fdtCONTAINER component: 3.7 or newer, fdtCONTAINER application: 4.7 or newer) that provides secure deserialization of the project data with an updated serialization technology. This breaks compatibility with existing, non-manipulated project files.
  • The CERT@VDE advisory for M&M Software also recommends the following mitigation practices:
      • Exchange project data only via secure exchange services.
      • Use appropriate means to protect the project storage from unauthorized manipulation.
      • Do not open project data from an unknown source.
      • Reduce the user rights of the host application to the necessary minimum.
  • Emerson has published notification EMR.RMT20004.Rev3 for this vulnerability in RTIS; RTIS users should review it for information specific to RTIS.
  • CERT@VDE has published advisory VDE-2021-001 for this vulnerability in PEPPERL+FUCHS PACTware.
  • CERT@VDE has published advisory VDE-2021-002 for this vulnerability in Weidmüller FDT/DTM Software with WI Manager.
  • Mitsubishi Electric has published advisory 2020-020 concerning the vulnerability in MELSOFT FieldDeviceConfigurator.
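The two CERT@VDE practices "protect the project storage from unauthorized manipulation" and "do not open project data from an unknown source" can be enforced with a simple integrity manifest: a trusted engineering workstation records a SHA-256 digest of every project file and authenticates the manifest with an HMAC key that ordinary host machines do not hold, and the host application (or a wrapper around it) refuses files that are unrecorded, modified, or covered by a manifest whose HMAC does not verify. The following is an added example written for this page; it is not code from the advisory or from M&M Software's fdtCONTAINER, and the file names, the `.project` extension, the key and the directory layout are constructed for the demonstration.

```python
"""Integrity manifest for stored project files (added example, not vendor code)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "project-manifest.json"  # constructed name for this example


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large project files are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(entries: dict) -> bytes:
    # Deterministic encoding so the HMAC is reproducible on any host.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(project_dir: Path, key: bytes) -> dict:
    """Record every file under project_dir (except the manifest itself) and sign the list."""
    entries = {}
    for p in sorted(project_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            entries[p.relative_to(project_dir).as_posix()] = file_digest(p)
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"files": entries, "hmac": tag}


def verify_manifest(manifest: dict, key: bytes) -> bool:
    """True only if the file list was produced by a holder of the key and is unchanged."""
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["hmac"])


def check_project_file(project_dir: Path, rel_path: str, manifest: dict, key: bytes) -> str:
    """Gate before loading: 'ok', 'unknown', 'modified' or 'bad-manifest'."""
    if not verify_manifest(manifest, key):
        return "bad-manifest"        # manifest forged or edited; trust nothing in it
    recorded = manifest["files"].get(rel_path)
    if recorded is None:
        return "unknown"             # never recorded by the trusted workstation
    actual = file_digest(project_dir / rel_path)
    return "ok" if hmac.compare_digest(recorded, actual) else "modified"


def demo() -> dict:
    """Exercise the gate against constructed files in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        project_dir = Path(d)
        key = b"example-manifest-key-not-for-production"  # constructed
        (project_dir / "plant_a.project").write_bytes(b"<project>original</project>")
        (project_dir / "plant_b.project").write_bytes(b"<project>original too</project>")
        manifest = build_manifest(project_dir, key)

        results["clean"] = check_project_file(project_dir, "plant_a.project", manifest, key)

        # Unauthorized change to a stored project file after the manifest was built.
        (project_dir / "plant_b.project").write_bytes(b"<project>altered</project>")
        results["modified"] = check_project_file(project_dir, "plant_b.project", manifest, key)

        # A project file that arrived from an unknown source and was never recorded.
        (project_dir / "from_email.project").write_bytes(b"<project>?</project>")
        results["unknown"] = check_project_file(project_dir, "from_email.project", manifest, key)

        # Manifest edited to cover the modification, without knowledge of the key.
        forged = {"files": dict(manifest["files"]), "hmac": manifest["hmac"]}
        forged["files"]["plant_b.project"] = file_digest(project_dir / "plant_b.project")
        results["forged_manifest"] = check_project_file(project_dir, "plant_b.project", forged, key)
    return results


if __name__ == "__main__":
    print(demo())
```

The key must live only on the workstation that is allowed to release project data; hosts that merely load projects need the manifest and the public verification step, which is why an asymmetric signature over the same canonical encoding is the natural next step once more than one release workstation exists. Keeping the manifest outside the project folder (or on a read-only share) prevents the last case above from even being attempted. Note that this control detects manipulation of files at rest and on exchange; it does not make a still-vulnerable deserializer safe, so it complements, rather than replaces, the version update.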

Affected Vendors

M&M Software GmbH, WAGO Kontakttechnik

Affected Products (11)

M&M Software GmbH, WAGO Kontakttechnik · fdtCONTAINER >= 4.6.0 | <= 4.6.20304.x
M&M Software GmbH, WAGO Kontakttechnik · dtmINSPECTOR 3 (Based on FDT 1.2.x)
M&M Software GmbH, WAGO Kontakttechnik · fdtCONTAINER >= 3.5.0 | <= 3.5.20304.x
M&M Software GmbH, WAGO Kontakttechnik · fdtCONTAINER >= 4.5.0 | <= 3.5.20304.x
M&M Software GmbH, WAGO Kontakttechnik · Weidmüller WI Manager <= 2.5.1
M&M Software GmbH, WAGO Kontakttechnik · Mitsubishi Electric MELSOFT FieldDeviceConfigurator <= 1.05 F
M&M Software GmbH, WAGO Kontakttechnik · fdtCONTAINER < 3.5
M&M Software GmbH, WAGO Kontakttechnik · fdtCONTAINER >= 3.6.0 | <= 3.6.20304.x
M&M Software GmbH, WAGO Kontakttechnik · PEPPERL+FUCHS PACTware >= 5.0 | <= 5.0.5.31
M&M Software GmbH, WAGO Kontakttechnik · Emerson Rosemount Transmitter Interface Software (RTIS) SKUs 04088-9000-0001 | 4088-9000-0002 | 7000003-312
M&M Software GmbH, WAGO Kontakttechnik · fdtCONTAINER < 4.5

Affected Sectors

Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems
