26 March 2018

Serious vulnerability identified in Beckhoff TwinCAT PLC software solution

US-CERT has published an advisory on a vulnerability in Beckhoff TwinCAT software solution for programmable logic controllers. Successful exploitation of the vulnerability could allow a local attacker to escalate privileges on the target system.

According to a security advisory published by Beckhoff Automation, the vulnerability is due to the lack of proper validation of user-supplied pointer values by several kernel drivers.

Уязвимости подвержены следующие продукты:

  • TwinCAT 3.1.build 4022.4 or prior;
  • TwinCAT 2.11 R3 build 2259 or prior;
  • TwinCAT 3.1 C++ / Matlab (TC1210/TC1220/TC1300/TC1320).

The newly identified security flaw was assigned the ID CVE-2018-7502 and CVSS v.3 base score of 7.8.

Beckhoff Automation recommends updating affected software to the latest versions and recompiling Matlab to close the vulnerability.

Sources: US-CERT, Beckhoff