PT-2020-10044 · B&R · Automation Studio

Published

2020-04-29

·

Updated

2021-11-03

·

CVE-2019-19101

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

B&R Automation Studio versions 4.0.x through 4.7.2, except for versions 4.3.11SP and later, 4.4.9SP and later, 4.5.5SP and later, 4.6.4 and later, and 4.7.2 and later. This can be simplified to:

B&R Automation Studio versions prior to 4.3.11SP
B&R Automation Studio versions prior to 4.4.9SP
B&R Automation Studio versions prior to 4.5.5SP
B&R Automation Studio versions prior to 4.6.4
B&R Automation Studio versions prior to 4.7.2
Description

The issue is related to a missing secure communication definition and incomplete TLS validation in the upgrade service. This enables unauthenticated users to perform man-in-the-middle (MITM) attacks via the B&R upgrade server.
Recommendations

For versions prior to 4.3.11SP, update to version 4.3.11SP or later.
For versions prior to 4.4.9SP, update to version 4.4.9SP or later.
For versions prior to 4.5.5SP, update to version 4.5.5SP or later.
For versions prior to 4.6.4, update to version 4.6.4 or later.
For versions prior to 4.7.2, update to version 4.7.2 or later.
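The two weakness classes listed for this advisory (improper certificate validation and inadequate encryption strength), together with the "missing secure communication definition" in the description, map onto a small set of client-side TLS settings. The following is an added illustration, not B&R's code: a constructed upgrade-client TLS configuration with the weak settings next to a hardened one, and an audit function a defender can run against either to see which findings it would raise. The function and URL names are hypothetical.

```python
import ssl
from urllib.parse import urlsplit

# Constructed illustration, not B&R Automation Studio code. It models the
# client-side settings behind the two weakness classes in this advisory and
# an audit that flags them before an upgrade client talks to its server.

def weak_upgrade_client_context() -> ssl.SSLContext:
    """Client context with incomplete certificate validation.

    check_hostname must be cleared before verify_mode can be relaxed.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # certificate name is never compared to the host
    ctx.verify_mode = ssl.CERT_NONE  # chain is never checked against a trust store
    return ctx


def hardened_upgrade_client_context() -> ssl.SSLContext:
    """Client context that validates the server fully and refuses TLS < 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_upgrade_client_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would raise for a client's TLS setup.

    An empty list means the chain and hostname are validated and no protocol
    version below TLS 1.2 can be negotiated.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("Improper Certificate Validation: verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        findings.append("Improper Certificate Validation: check_hostname is disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("Inadequate Encryption Strength: minimum_version allows TLS < 1.2")
    return findings


def audit_upgrade_url(url: str) -> list:
    """Flag an upgrade endpoint whose scheme gives no secure channel at all."""
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        return ["Missing secure communication: upgrade URL scheme is %r, not https" % scheme]
    return []


if __name__ == "__main__":
    for label, ctx in (("weak", weak_upgrade_client_context()),
                       ("hardened", hardened_upgrade_client_context())):
        print(label, audit_upgrade_client_context(ctx) or ["no findings"])
    print(audit_upgrade_url("http://upgrade.example.invalid/manifest.xml"))
```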

Fix

Weakness Enumeration

Improper Certificate Validation

Inadequate Encryption Strength

Related Identifiers

CVE-2019-19101

Affected Products

Automation Studio