Multiple XSS Vulnerabilities in B&R Systems Diagnostics Manager

Title

Multiple XSS Vulnerabilities

Product

B&R Systems Diagnostics Manager

Vulnerable Version

>=3.00 and <=C4.93

Fixed Version

>=D4.93

CVE Number

CVE-2022-4286

Impact

medium

Found

28.10.2022

By

S. Robertz, G. Hechenberger (Office Vienna) | SEC Consult Vulnerability Lab

Multiple cross site scripting (XSS) vulnerabilities were identified in the B&R System Diagnostics Manager (SDM) web application. These vulnerabilities can be used by an attacker in order to execute malicious actions on the PLC.

Vendor description

"Our slogan is our mission. The pursuit of Perfection in Automation has inspired and guided B&R for over 40 years. To us, perfection means more than developing the best solutions in industrial automation. It also means developing the best relationships – with our customers and partners as well as our employees and suppliers.

Keen foresight and entrepreneurial courage helped us rise quickly into the ranks of top global players in industrial automation. An intuitive sense of market dynamics and emerging trends has established us as a pioneer, leading the way with the most innovative technology on the market.

Our role as the ABB Group's global center for machine and factory automation strengthens our position of leadership and adds new momentum to our impressive record of sustained growth."

Source: https://www.br-automation.com/en/about-us/

Business recommendation

The vendor provides a software update which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues.

Vulnerability overview/description

1) Multiple Reflected Cross-Site-Scripting Vulnerabilities (CVE-2022-4286)

An attacker can execute arbitrary JavaScript code in the context of the victim's session, thus perform all actions, exfiltrate information, etc. In order to exploit this vulnerability the attacker will have to trick the user into visiting a manipulated URL.

Proof of concept

1) Multiple Reflected Cross-Site-Scripting Vulnerabilities (CVE-2022-4286)

The following URL has to be visited by the victim in order to execute arbitrary JavaScript code.

http:// <PLC-IP>/sdm/cgiFileLoop.cgi?service=javascript:alert(document.domain);%2f%2f&type=512&scope=%3Cfile:///etc/passwd%3E&module=Snapshot&option=3

A very similar vulnerability can be found at another endpoint of the System Diagnostic Manager (SDM).

http:// <PLC-IP>/sdm/svg.cgi?type=cpuusage&index=1%3Cscript%3Ealert(document.domain)%3C/script%3E

Vulnerable / tested versions

The following device and firmware version has been tested:

  • B&R X20CP3687X SwModuleVersion 186

According to the vendor, all B&R Automation Runtime (AR) versions >=3.00 and <=C4.93 are affected.

Vendor contact timeline

2022-11-21 Contacting vendor through cybersecurity@br-automation.com. Sent encrypted advisory.
2022-11-22 Vendor requests B&R Automation Runtime version.
2022-12-01 Vendor confirms vulnerability. Will be fixed with next release. Asking for timeline.
2022-12-13 Advisory and patch will be published on 2023-02-10. Vendor offers to share the advisory for review purposes.
2023-01-25 Reviewing vendor advisory, receiving CVE + affected/fixed version numbers
2023-02-10 Vendor provides the patch.
2023-02-14 Coordinated release of security advisory.

Solution

The vendor supplies a patch, which should be installed immediately.

The following version mitigates the identified XSS issues:

  • B&R Automation Runtime version >=D4.93

The vendor has published the following security advisory:
https://www.br-automation.com/downloads_br_productcatalogue/assets/1675607299099-en-original-1.0.pdf

Workaround

Administrators can deactivate the System Diagnostics Manager in case it is not needed.

Advisory URL

sec-consult.com/vulnerability-lab/