B&R Automation Runtime CSV Formula Injection Vulnerability in System Diagnostics Manager

Vulnerability

The System Diagnostics Manager (SDM) component of B&R Automation Runtime, versions prior to 6.4, does not properly neutralize formula elements in the CSV files it generates. A remote attacker can use this to inject formula data into a generated CSV file. Exploitation requires the attacker to create a malicious link that the user must click, and the resulting CSV file must then be opened manually.

Impact

Exploitation of this vulnerability allows for the injection of malicious formula data into CSV files, which could be used to execute arbitrary commands or scripts when the file is opened in a vulnerable application, such as Microsoft Excel.

Remediation

Users are advised to update to B&R Automation Runtime version 6.4 or later, where this vulnerability has been addressed. For those who use the System Diagnostics Manager, B&R recommends applying the update based on risk assessment at the earliest convenience.

Added: Oct 14, 2025, 1:35 PM
Updated: Oct 14, 2025, 11:48 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 0.6
exploitability: 6.0
remediation: 8.3
relevance: 0.7
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.