US-CERT has published an advisory on a vulnerability in Beckhoff TwinCAT software solution for programmable logic controllers. Successful exploitation of the vulnerability could allow a local attacker to escalate privileges on the target system.
According to a security advisory published by Beckhoff Automation, the vulnerability is due to the lack of proper validation of user-supplied pointer values by several kernel drivers.
Уязвимости подвержены следующие продукты:
- TwinCAT 3.1.build 4022.4 or prior;
- TwinCAT 2.11 R3 build 2259 or prior;
- TwinCAT 3.1 C++ / Matlab (TC1210/TC1220/TC1300/TC1320).
The newly identified security flaw was assigned the ID CVE-2018-7502 and CVSS v.3 base score of 7.8.
Beckhoff Automation recommends updating affected software to the latest versions and recompiling Matlab to close the vulnerability.