
Cyber Security Notification (29-05-2020)

Solution

Two new PACTware versions have been released: PACTware 5.0.5.31 and PACTware 4.1 SP6. They were released because security problems with the password management have been solved. There is also a new version for PACTware 4, as some users still use this old version for special applications. In addition to the security update, some minor bug fixes have been made for PACTware 5 and the function 'Clone Parameter' has been implemented for PACTware DC (included in PACTware 5).
The 'Clone Parameter' function provides a method for transferring parameters from one device to a device of the same type. In this way, recurring settings of several devices can be performed very efficiently.

Background for the security issues:
PACTware supports 'user roles' that restrict user access according to the FDT guideline. In the initial state of PACTware, no passwords are set and the user is assigned the 'Admin' user role, which does not contain any restrictions on access rights. If the user now activates the role access control, he can assign a password to each role, which then has individual access restrictions to the PACTware project.

Impact:
In previous versions of PACTware, after logging in with administrator rights, it was possible to change the passwords of the individual roles without further confirmation with the administrator password. By entering his own passwords, a potential attacker could prevent authorized users from using the software in two cases: if no passwords have been assigned yet (see initial state above), or if he succeeds in accessing an already open PACTware with administrator rights, e.g. via an openly accessible workstation.

Solution:
The security problem is solved with updates of the versions PACTware 5 and PACTware 4. When assigning new passwords, it is now required to confirm with the admin password. In addition, the password is now also stored in the registry at a very high security level.

Compatibility with previous versions:
The user role assignments with the passwords from previous versions are retained when upgrading to the new versions. However, further work with the access authorizations is then carried out with the increased security standards described above.

The corrected versions (PACTware® 5.0.5.31 and PACTware® 4.1 SP6) are available for download here:

Download from Pepperl+Fuchs AG

Download from VEGA Grieshaber KG