(AV24-105), the Canadian Centre for Cyber Security alerts users and administrators to a vulnerability affecting B&R Automation Studio versions before 4.6 and B&R Technology Guarding versions before 1.4.0. Published on February 22, 2024, the advisory stresses the urgency of the issue and urges immediate action to mitigate the security risk. The vulnerability lies in the B&R web service interface, specifically in the Upgrade Service: an insecure communication channel allows an unauthenticated attacker to intercept network traffic, which could lead to the insertion and execution of arbitrary code.
The severity assessment, conducted using the FIRST Common Vulnerability Scoring System (CVSS) v3.11, categorizes the vulnerability's impact. B&R has released a fix for the web service interface; upgrading to B&R Automation Studio version 4.6 or later and B&R Technology Guarding version 1.4.0 or later is recommended to address the issue. Support for the insecure communication channel will be disabled on February 29, 2024. Users are advised to follow the guidance in the user manual for installing updates and identifying the installed product version.