CVE-2024-6596 (CVSS 9.8): Critical Code Injection Flaw Found in Endress+Hauser Products
CERT@VDE, in coordination with Endress+Hauser, a major vendor of industrial automation and instrumentation, has issued a security advisory for a critical vulnerability (CVE-2024-6596) affecting several of the vendor's products, including the Echo Curve Viewer and the FieldCare software. The vulnerability carries a CVSS score of 9.8, placing it in the critical range, and poses a significant risk to users of the affected software.
The vulnerability stems from the way Endress+Hauser's Echo Curve Viewer handles .curves files, which can contain device-specific C# calculation scripts. The software does not validate or authenticate these scripts before running them, so an attacker can embed arbitrary code in a .curves file. When the file is opened in Echo Curve Viewer, that code executes with the privileges of the user who opened the file.
The issue is not limited to Echo Curve Viewer: other Endress+Hauser products that process .curves files are affected as well, including FieldCare SFE500 and the Field Xpert SMT50, SMT70, SMT77 and SMT79 devices. The impact of a successful exploit is severe, since an attacker could run arbitrary code on the affected system with the victim's rights, read sensitive data, or disrupt industrial processes.
An attacker would need to create a manipulated .curves file, inject malicious C# code into the corresponding .cs file, and then convince a target user to open this file in the Echo Curve Viewer. Once the file is opened, the attacker's code runs in the context of that user, allowing them to take control of the system, access sensitive information, or disrupt operations. Because exploitation requires the victim to open the file, .curves files received from untrusted sources should be treated like any other executable attachment until the affected software has been updated.
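The two paragraphs above describe the core defect: a data file carries a calculation script, and the viewer runs it without checking where it came from. The following Python example is added here to illustrate that pattern and a hardened alternative; it is not Endress+Hauser's code, and it does not use the real .curves format. It assumes, purely for illustration, that a bundle is a zip archive holding a JSON curve (`curve.json`) and a script (`calc.cs`), and it executes the script as Python via `exec()` to stand in for compiling and running C#. The "hardened" viewer refuses any script whose SHA-256 hash is not on a vendor-shipped allowlist; a real fix would more likely rely on vendor signatures, but the allowlist shows the same principle: only code the vendor has vouched for gets to run.

```python
import hashlib
import io
import json
import zipfile

# Constructed stand-in for a .curves bundle (assumed layout, not the real
# Endress+Hauser format): a zip with the echo-curve samples in curve.json
# and the device-specific calculation script in calc.cs.


def build_curves(samples, script_src):
    """Build an in-memory bundle in the assumed layout and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("curve.json", json.dumps({"samples": samples}))
        zf.writestr("calc.cs", script_src)
    return buf.getvalue()


def read_curves(blob):
    """Parse the bundle into (samples, script source)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        samples = json.loads(zf.read("curve.json"))["samples"]
        script = zf.read("calc.cs").decode()
    return samples, script


def run_script(script, samples):
    """Execute the calculation script in the viewer's own process.

    Whatever the script does happens with the privileges of the user who
    opened the file; exec() stands in for compiling and running C# here.
    """
    ns = {"samples": samples}
    exec(script, ns)
    return ns.get("result")


def open_curves_vulnerable(blob):
    """Vulnerable viewer: runs whichever script the file carries."""
    samples, script = read_curves(blob)
    return run_script(script, samples)


# Known-good calculation script as the vendor would ship it (constructed),
# and the allowlist of hashes the hardened viewer trusts.
VENDOR_SCRIPT = "result = max(samples) - min(samples)\n"
TRUSTED_SCRIPT_HASHES = {hashlib.sha256(VENDOR_SCRIPT.encode()).hexdigest()}


def open_curves_hardened(blob):
    """Hardened viewer: executes only allowlisted scripts, else loads data only."""
    samples, script = read_curves(blob)
    digest = hashlib.sha256(script.encode()).hexdigest()
    if digest not in TRUSTED_SCRIPT_HASHES:
        # Unknown code is refused; the curve data can still be displayed.
        return {"samples": samples, "result": None, "script_ran": False}
    return {"samples": samples, "result": run_script(script, samples), "script_ran": True}


# Attacker-controlled script embedded in a crafted file (constructed).  In
# place of a real payload it only proves that it ran and where.
MALICIOUS_SCRIPT = "result = 'attacker code ran in ' + __import__('os').getcwd()\n"


def demo():
    """Open a genuine and a crafted bundle with both viewers."""
    samples = [3, 9, 4, 1]
    good = build_curves(samples, VENDOR_SCRIPT)
    bad = build_curves(samples, MALICIOUS_SCRIPT)
    return {
        "vuln_good": open_curves_vulnerable(good),
        "vuln_bad": open_curves_vulnerable(bad),
        "hard_good": open_curves_hardened(good),
        "hard_bad": open_curves_hardened(bad),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running `demo()` shows the vulnerable viewer producing the vendor result (8) for the genuine file and the attacker's string for the crafted one, while the hardened viewer returns 8 for the genuine file and refuses to run the unknown script, reporting `script_ran: False`.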
To address CVE-2024-6596, Endress+Hauser has released updates for the affected products:
- Echo Curve Viewer users should immediately update to version 6.00.00 or later, available on the Endress+Hauser Software Portal.
- For FieldCare SFE500 installations, updating to version 1.40.1 or later is required to address the vulnerability.
- Field Xpert devices install the update automatically at startup when they have an active internet connection and a valid maintenance period; details of the update process are given in the product documentation.
For more information, visit the official Endress+Hauser security advisory at CERT@VDE.