This PACTware vulnerability may allow arbitrary program execution.
PACTware Consortium e. V. is aware of a vulnerability in the PACTware software product.
Background for the security issue:
The user of the PACTware software can define different project views for daily work with PACTware.
These "project views" can be stored in separate files. The vulnerability is caused by the possibility of importing existing project files provided by third parties.
Because PACTware 188.8.131.52 and lower versions load and deserialize untrusted project files, the vulnerability can be exploited for cyber security attacks.
Remote attackers may exploit the vulnerability to execute arbitrary programs and access information.
Affected PACTware 5.0 versions: PACTware 184.108.40.206 and lower.
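The root cause described above is deserializing whatever type graph an untrusted project file contains. PACTware itself is not a Python program and its file format is not shown on this page; the following is an added illustrative model (not PACTware's code) of the standard mitigation: an allowlisting deserializer that refuses any type a project view should never reference, followed by structural validation. The names ProjectView, ALLOWED_GLOBALS, RestrictedUnpickler and the sample files are all assumptions constructed for this example.

```python
import datetime
import io
import pickle
from dataclasses import dataclass, field

# Hypothetical stand-in for a PACTware-style "project view" record.
@dataclass
class ProjectView:
    name: str
    visible_columns: list = field(default_factory=list)

# Allowlist of (module, name) pairs the loader may resolve. Anything else
# (functions, process helpers, arbitrary classes) is refused before the
# object graph is built, which is what defeats gadget-style payloads.
ALLOWED_GLOBALS = {(ProjectView.__module__, "ProjectView")}

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves allowlisted globals."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name}: not an allowlisted project-view type")

def load_project_view_unsafe(data: bytes):
    """The pattern behind the advisory: build whatever the file describes."""
    return pickle.loads(data)

def load_project_view(data: bytes) -> ProjectView:
    """Hardened loader: allowlisted types only, then structural validation."""
    obj = RestrictedUnpickler(io.BytesIO(data)).load()
    if not isinstance(obj, ProjectView):
        raise ValueError("project-view file does not contain a ProjectView")
    if not isinstance(obj.name, str) or not all(isinstance(c, str) for c in obj.visible_columns):
        raise ValueError("project-view fields have unexpected types")
    return obj

def try_load(data: bytes):
    """Return (ok, view_or_error) so the caller can log why a file was rejected."""
    try:
        return True, load_project_view(data)
    except (pickle.UnpicklingError, ValueError) as exc:
        return False, str(exc)

# Constructed sample files: a legitimate view, a file whose root is not a view,
# and a view that smuggles in a non-allowlisted class (a harmless datetime.date
# stands in for any type an attacker-controlled file might reference).
GOOD_FILE = pickle.dumps(ProjectView("Maintenance", ["Tag", "Address"]))
DICT_FILE = pickle.dumps({"name": "Maintenance"})
BAD_FILE = pickle.dumps(ProjectView("Imported", [datetime.date(2021, 1, 1)]))
```

The unsafe loader accepts all three files without complaint; the hardened one accepts only GOOD_FILE and reports exactly which type caused the rejection.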
PACTware 4.X and earlier versions are NOT affected!
A solution will be provided with PACTware 6 in Q2 2021.
In the meantime, it is sufficient to follow the common handling rules for files from unknown or untrusted sources:
- Exchange project data only via secure exchange services.
- Use appropriate means to protect storage from unauthorized manipulation.
- Do not open project data from unknown sources.
Update to PACTware Version 6 when available.
Afterwards we still recommend following the common handling rules for files from unknown or untrusted sources.
Two new PACTware versions have been released: PACTware 220.127.116.11 and PACTware 4.1 SP6. The reason for this is that security problems with the password management have been solved. There is also a new version for PACTware 4, as some users still use this old version for special applications. In addition to the security update, some minor bug fixes have been made for PACTware 5 and the function 'Clone Parameter' has been implemented for PACTware DC (included in PACTware 5).
The 'Clone Parameter' function provides a method for transferring parameters from one device to a device of the same type. In this way, recurring settings of several devices can be performed very efficiently.
Background for the security issues:
PACTware supports 'user roles' that restrict user access according to the FDT guideline. In the initial state of PACTware, no passwords are set and the user is assigned the 'Admin' user role, which does not contain any restrictions on access rights. If the user now activates the role access control, he can assign a password to each role, which then has individual access restrictions to the PACTware project.
In previous versions of PACTware, after logging in with administrator rights, it was possible to change the passwords of the individual roles without further confirmation with the administrator password. By setting his own passwords, a potential attacker could prevent authorized users from using the software in two situations: when no passwords have been assigned yet (see the initial state above), or when he succeeds in accessing an already open PACTware session with administrator rights, e.g. via an openly accessible workstation.
The security problem is solved with updates of the versions PACTware 5 and PACTware 4. When assigning new passwords, it is now required to confirm with the admin password. In addition, the password is now also stored in the registry at a very high security level.
Compatibility with previous versions:
The user role assignments with the passwords from previous versions are also retained when upgrading with the new versions. However, further work with the access authorizations is then carried out with the increased security standards described above.
The corrected versions (PACTware ® 18.104.22.168 and PACTware ® 4.1 SP6) are available for download here: