Endress+Hauser Echo Curve Viewer Code Injection via Curve Files (CVE-2024-6596)

Key Information Vulnerability Description Vulnerability ID: VDE-2024-041 Release Date: September 10, 2024, 10:00 (CEST) Update Date: September 10, 2024, 09:56 (CEST) Vendor: Endress+Hauser AG Affected Products: - Echo Curve Viewer - FieldCare SFE500 Package USB - FieldCare SFE500 Package Web-Package - Field Xpert SMT50 - Field Xpert SMT70 - Field Xpert SMT77 - Field Xpert SMT79 Vulnerability Details CVE ID: CVE-2024-6596 Severity: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H) Weakness: Improper Control of Generation of Code (Code Injection) (CWE-94) Description: Unauthorized remote attackers can execute malicious Ccode embedded within curve files, running commands in the context of the user. Impact Curve files are not validated by Echo Curve Viewer, allowing embedded Ccode to execute without further verification. Possible attack vector: Manipulated .cs files containing malicious Ccode, potentially embedded within curve files. Solution For standalone Echo Curve Viewer installations, download and install Echo Curve Viewer version >= 6.00.00. For bundled FieldCare SFE500 installations, download and install FieldCare SFE500 Package version >= 1.40.1. For Field Xpert devices, updates will be installed automatically at startup. This requires an active internet connection, (in some cases) a valid maintenance period, and connectivity to the E+H Netilion Cloud. Refer to Field Xpert documentation for detailed information on the update mechanism. Reporting Reported by CERT@VDE in coordination with Endress+Hauser. Vulnerability reported by Julian Renz from Endress+Hauser.

Goal Reached Thanks to every supporter — we hit 100%!

Endress+Hauser Echo Curve Viewer Code Injection via Curve Files (CVE-2024-6596)