VDE-2024-041
Vulnerability from csaf_endresshauserag - Published: 2024-09-10 08:00 - Updated: 2024-09-10 08:00Summary
Endress+Hauser: Multiple products are vulnerable to code injection
Notes
Summary: Echo Curve Viewer is an utility used for offline visualization of previously recorded envelope curve data. Envelope curve records are exported from other Endress+Hauser software products like FieldCare as .curves files.
Echo Curve Viewer opens .curves files and displays their contents. The .curves files contain device- specific C# calculation scripts as .cs files, that are needed for the interpretation of certain curve record types.
Echo Curve Viewer loads .curves files and executes the contained C# code.
Impact: .curves files are not authenticated and universally trusted by the Echo Curve Viewer. Therefore, the contained C# code is executed without further authentication or validation.
Potential attack vector: manipulated .cs files with malicious C# code may be included in .curves file.
Remediation: - For standalone Echo Curve Viewer installations, download and install Echo Curve Viewer version >=6.00.00 from the Endress+Hauser Software Portal
- For bundled installations with FieldCare SFE500, download and install FieldCare SFE500 Package version >= 1.40.1 from the Endress+Hauser Software Portal external link
- For Field Xpert Devices, the required update is installed automatically during startup. This requires a
working internet connection and (under certain circumstances) a valid maintenance period and/or a
connection to the E+H Netilion Cloud. Please refer to the Field Xpert documentation for details regarding
the update mechanism.
An unauthenticated remote attacker can run malicious c# code included in curve files and execute commands in the users context.
9.8 (Critical)
Vendor Fix
- For standalone Echo Curve Viewer installations, download and install Echo Curve Viewer version >=6.00.00 from the Endress+Hauser Software Portal
- For bundled installations with FieldCare SFE500, download and install FieldCare SFE500 Package version >= 1.40.1 from the Endress+Hauser Software Portal external link
- For Field Xpert Devices, the required update is installed automatically during startup. This requires a
working internet connection and (under certain circumstances) a valid maintenance period and/or a
connection to the E+H Netilion Cloud. Please refer to the Field Xpert documentation for details regarding
the update mechanism.
References
| URL | Category | |
|---|---|---|
Acknowledgments
CERT@VDE
certvde.com
Julian Renz
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
},
{
"organization": "Julian Renz",
"summary": "reporting"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "Echo Curve Viewer is an utility used for offline visualization of previously recorded envelope curve data. Envelope curve records are exported from other Endress+Hauser software products like FieldCare as .curves files.\n\nEcho Curve Viewer opens .curves files and displays their contents. The .curves files contain device- specific C# calculation scripts as .cs files, that are needed for the interpretation of certain curve record types.\n\nEcho Curve Viewer loads .curves files and executes the contained C# code. ",
"title": "Summary"
},
{
"category": "description",
"text": ".curves files are not authenticated and universally trusted by the Echo Curve Viewer. Therefore, the contained C# code is executed without further authentication or validation.\n\nPotential attack vector: manipulated .cs files with malicious C# code may be included in .curves file.",
"title": "Impact"
},
{
"category": "description",
"text": "- For standalone Echo Curve Viewer installations, download and install Echo Curve Viewer version \u003e=6.00.00 from the Endress+Hauser Software Portal\n- For bundled installations with FieldCare SFE500, download and install FieldCare SFE500 Package version \u003e= 1.40.1 from the Endress+Hauser Software Portal external link\n- For Field Xpert Devices, the required update is installed automatically during startup. This requires a\nworking internet connection and (under certain circumstances) a valid maintenance period and/or a\nconnection to the E+H Netilion Cloud. Please refer to the Field Xpert documentation for details regarding\nthe update mechanism.",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@endress.com",
"name": "Endress+Hauser AG",
"namespace": "https://www.endress.com"
},
"references": [
{
"category": "self",
"summary": "VDE-2024-041: Endress+Hauser: Multiple products are vulnerable to code injection - HTML",
"url": "https://certvde.com/en/advisories/VDE-2024-041/"
},
{
"category": "self",
"summary": "VDE-2024-041: Endress+Hauser: Multiple products are vulnerable to code injection - CSAF",
"url": "https://endress-hauser.csaf-tp.certvde.com/.well-known/csaf/white/2024/vde-2024-041.json"
},
{
"category": "external",
"summary": "Vendor PSIRT",
"url": "https://www.endress.com"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for Endress+Hauser AG",
"url": "https://certvde.com/en/advisories/vendor/endress-hauser/"
}
],
"title": "Endress+Hauser: Multiple products are vulnerable to code injection",
"tracking": {
"aliases": [
"VDE-2024-041"
],
"current_release_date": "2024-09-10T08:00:00.000Z",
"generator": {
"date": "2025-05-05T08:33:01.341Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.24"
}
},
"id": "VDE-2024-041",
"initial_release_date": "2024-09-10T08:00:00.000Z",
"revision_history": [
{
"date": "2024-09-10T08:00:00.000Z",
"number": "1",
"summary": "Initial revision."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=5.2.2.6",
"product": {
"name": "Echo Curve Viewer \u003c=5.2.2.6",
"product_id": "CSAFPID-51001"
}
},
{
"category": "product_version",
"name": "6.00.00",
"product": {
"name": "Echo Curve Viewer 6.00.00",
"product_id": "CSAFPID-52001"
}
}
],
"category": "product_name",
"name": "Echo Curve Viewer"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=V1.40.00.7448",
"product": {
"name": "FieldCare SFE500 Package USB \u003c=V1.40.00.7448",
"product_id": "CSAFPID-51002"
}
},
{
"category": "product_version",
"name": "1.40.1",
"product": {
"name": "FieldCare SFE500 Package USB 1.40.1",
"product_id": "CSAFPID-52002"
}
}
],
"category": "product_name",
"name": "FieldCare SFE500 Package USB"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=V1.40.00.7448",
"product": {
"name": "FieldCare SFE500 Package Web-Package \u003c=V1.40.00.7448",
"product_id": "CSAFPID-51003"
}
},
{
"category": "product_version",
"name": "1.40.1",
"product": {
"name": "FieldCare SFE500 Package Web-Package 1.40.1",
"product_id": "CSAFPID-52003"
}
}
],
"category": "product_name",
"name": "FieldCare SFE500 Package Web-Package"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=SMT50_Win10_LTSC_21H2_v1.07.00_RC02_03",
"product": {
"name": "Field Xpert SMT50 \u003c=SMT50_Win10_LTSC_21H2_v1.07.00_RC02_03",
"product_id": "CSAFPID-51004"
}
}
],
"category": "product_name",
"name": "Field Xpert SMT50"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=SMT70_Win10_LTSC_21H2_v1.07.00_RC02_01",
"product": {
"name": "Field Xpert SMT70 \u003c=SMT70_Win10_LTSC_21H2_v1.07.00_RC02_01",
"product_id": "CSAFPID-51005"
}
}
],
"category": "product_name",
"name": "Field Xpert SMT70"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=SMT77_Win10_SAC_22H2_v1.08.04_RC03_02",
"product": {
"name": "Field Xpert SMT77 \u003c=SMT77_Win10_SAC_22H2_v1.08.04_RC03_02",
"product_id": "CSAFPID-51006"
}
}
],
"category": "product_name",
"name": "Field Xpert SMT77"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=V1.08.02-1.8.8684.34292",
"product": {
"name": "Field Xpert SMT79 \u003c=V1.08.02-1.8.8684.34292",
"product_id": "CSAFPID-51007"
}
}
],
"category": "product_name",
"name": "Field Xpert SMT79"
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "Vendor"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007"
],
"summary": "Affected products."
},
{
"group_id": "CSAFGID-0002",
"product_ids": [
"CSAFPID-52001",
"CSAFPID-52002",
"CSAFPID-52003"
],
"summary": "Fixed products."
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-6596",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"notes": [
{
"category": "description",
"text": "An unauthenticated remote attacker can run malicious c# code included in curve files and execute commands in the users context. ",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "- For standalone Echo Curve Viewer installations, download and install Echo Curve Viewer version \u003e=6.00.00 from the Endress+Hauser Software Portal\n- For bundled installations with FieldCare SFE500, download and install FieldCare SFE500 Package version \u003e= 1.40.1 from the Endress+Hauser Software Portal external link\n- For Field Xpert Devices, the required update is installed automatically during startup. This requires a\nworking internet connection and (under certain circumstances) a valid maintenance period and/or a\nconnection to the E+H Netilion Cloud. Please refer to the Field Xpert documentation for details regarding\nthe update mechanism.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007"
]
}
],
"title": "CVE-2024-6596"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…