CVE-2023-1617

Name of the Vulnerable Software and Affected Versions B&R VC4 versions 3.* through 3.96.7 B&R VC4 versions 4.0* through 4.06.7 B&R VC4 versions 4.1* through 4.16.3 B&R VC4 versions 4.2* through 4.26.8 B&R VC4 versions 4.3* through 4.34.6 B&R VC4 versions 4.4* through 4.45.1 B&R VC4 versions 4.5* through 4.45.3 B&R VC4 versions 4.7* through 4.72.9

Description This issue is related to an Improper Authentication vulnerability in the VNC-Server modules of B&R Industrial Automation B&R VC4. It may allow an unauthenticated network-based attacker to bypass the authentication mechanism of the VC4 visualization on affected devices. The impact of this issue depends on the functionality provided in the visualization.

Recommendations For B&R VC4 versions 3.* through 3.96.7, update to a version outside of this range to resolve the issue. For B&R VC4 versions 4.0* through 4.06.7, update to a version outside of this range to resolve the issue. For B&R VC4 versions 4.1* through 4.16.3, update to a version outside of this range to resolve the issue. For B&R VC4 versions 4.2* through 4.26.8, update to a version outside of this range to resolve the issue. For B&R VC4 versions 4.3* through 4.34.6, update to a version outside of this range to resolve the issue. For B&R VC4 versions 4.4* through 4.45.1, update to a version outside of this range to resolve the issue. For B&R VC4 versions 4.5* through 4.45.3, update to a version outside of this range to resolve the issue. For B&R VC4 versions 4.7* through 4.72.9, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the VNC-Server modules until a patch is available.