Security Information

PSIRT – Product Security Incident Response Team

The Softing PSIRT is a central team at Softing tasked with managing the investigation and disclosure of security vulnerabilities. All reports about possible vulnerabilities or other security incidents in connection with Softing products can be forwarded to the Softing PSIRT. The Softing PSIRT coordinates and maintains communication with everyone involved, both internally and externally, so that it can provide an appropriate response to any security problems that are identified.

Why should you report vulnerabilities?

Disclosing vulnerabilities enables us to fix these vulnerabilities and inform customers using the products in question about the fix. This approach can help us to keep making our products more secure and above all support Softing customers in managing security risks.

If you think you have uncovered a security vulnerability in a Softing product, please report it by email to psirt[at]softing[dot]com.

Please include the following information with your report:

Contact information and availability
Affected product including model and version number
Classification of the vulnerability (buffer overflow, XSS, …)
Detailed description of the vulnerability (with verification if possible)
Effect of the vulnerability (if know)
Current level of awareness of the vulnerability (are there plans to disclose it or is there disclosure policy in place?)
(Company) affiliation of the reporter/finder (if reporter/finder is prepared to provide such information)
CVSS score (if known)

What will happen to your report?

The Softing PSIRT process is based on the FIRST framework and follows its four steps:
Discovery, Triage, Remediation, Disclosure.

Softing will ensure that the information is sent to a select group of designated Softing employees with experience in dealing with incidents of this type: the Softing Product Security Incident Response Team (PSIRT). Neither unauthorized employees nor external users will have access to the information you send.

In addition, Softing will ensure that the identity and contact details of the security expert are kept confidential and not published in any public statements (advisories and bulletins) unless explicitly requested by the security expert. The Softing PSIRT will investigate the reported vulnerability and contact you as soon as possible.

Stay up to date

The Softing PSIRT investigates all reports of security problems and publishes security advisories about validated security vulnerabilities that affect Softing products directly and require either a software update, software upgrade or another action by the customer. As part of ongoing efforts to support operators in addressing security risks and in ensuring the protected operation of systems, the Softing PSIRT publishes information that operators need to evaluate the ramifications of a security vulnerability.

Stay up to date with our security advisories

We publish information about vulnerabilities in Softing products and new or updated security advisories on our web pages.

Contact Softing PSIRT

psirt[at]softing[dot]com

Softing PSIRT public keys

Click here to download our PGP key

Fingerprint: 220C 4E9E 9A71 17BB C8E1 F863 0D5C 307C CACE DEDC

Languages: German or English
Transmission: preferably encrypted

Security Advisories

2022

ID	Title	CVE	CVSS Score	Products	Date	Download
SYT-2022-11	Multiple vulnerabilities in smartLink SW-HT		7.2	smartLink SW-HT	29.12.2022	HTML JSON
SYT-2022-10	Multiple vulnerabilities in uaToolkit Embedded and smartLink HW-DP	CVE-2022-44018 CVE-2022-45920	7.5	uaToolkit Embedded smartLink HW-DP	28.12.2022	HTML JSON
SYT-2022-9	Improper input validation vulnerability in OPC UA C++ SDK, Secure Integration Server, edgeConnector, edgeAggregator, uaGate and OPC Suite	CVE-2022-37453	7.5	OPC UA C++ SDK Secure Integration Server edgeConnector edgeAggregato uaGate OPC Suite	14.10.2022	HTML JSON
SYT-2022-8	Use after free vulnerability in OPC UA C++ SDK and OPC Suite	CVE-2022-39823	7.5	OPC UA C++ SDK OPC Suite	14.10.2022	HTML JSON
SYT-2022-7	NULL pointer dereference vulnerability in OPC UA C++ SDK, Secure Integration Server, edgeConnector and edgeAggregator	CVE-2022-1748	7.5	OPC UA C++ SDK Secure Integration Server edgeConnector edgeAggregator	29.07.2022	HTML JSON
SYT-2022-6	Default credentials authentication bypass vulnerability in Secure Integration Server, edgeConnector and edgeAggregator	CVE-2022-2336	9.8	Secure Integration Server edgeConnector edgeAggregator	27.07.2022	HTML JSON
SYT-2022-5	Remote code execution vulnerability in configuration restore functionality of Secure Integration Server	CVE-2022-2334 CVE-2022-1373 CVE-2022-2338	7.2	Secure Integration Server	27.07.2022	HTML JSON
SYT-2022-4	Multiple denial of service vulnerabilities in FastCGI interface of Secure Integration Server	CVE-2022-1069 CVE-2022-2337 CVE-2022-2335 CVE-2022-2547	7.5	Secure Integration Server	27.07.2022	HTML JSON
SYT-2022-3	Multiple vulnerabilities in the OPC UA .NET Standard SDK and the OPC UA .NET SDK	CVE-2022-29862 CVE-2022-29863 CVE-2022-29864 CVE-2022-29865	7.5	OPC UA .NET Standard SDK OPC UA .NET SDK	22.07.2022	HTML JSON
SYT-2022-2	Vulnerabilities in the OpenSSL used in the OPC UA C++ SDK	CVE-2022-0778	7.5	OPC UA C++ SDK	15.03.2022	HTML JSON
SYT-2022-1	Multiple vulnerabilities in the OPC UA C++ SDK	CVE-2021-42262 CVE-2021-42577	7.5	OPC UA C++ SDK OPC Suite Secure Integration Server	09.03.2022	HTML JSON

2021

Description	Category	CVE	Date	Product	Fixed in Version
Possible memory corruption in BT controller	Medium	CVE-2021-35093	06.12.2021	mobiLink	N. A.
CWE 20: Improper Input Validation	High	CVE-2021-40872	08.11.2021	uaToolkit Embedded smartLink HW DP	1.40 planned for 1.19
CWE 415: Double Free	High	CVE-2021-40873	08.11.2021	uaToolkit Embedded OPC UA C++ SDK TH SCOPE dataFEED OPC Suite Secure Integration Server edgeConnector uaGates	1.40 5.66 N. A. 5.18 planned for 1.30 3.10 1.73
CWE 20: Improper Input Validation	Medium	CVE-2021-40871	08.11.2021	OPC UA C++ SDK TH SCOPE dataFEED OPC Suite Secure Integration Server	5.66 N. A. 5.18 planned for 1.30
Improper Restriction of Operations within the Bounds of a Memory Buffer	High	CVE-2021-32994	17.06.2021	OPC UA C++ SDK	5.65
Endless recursion in XML Structures	High	CVE: 2021-27432	17.02.2021	OPC UA .NET Standard SDK OPC UA .NET SDK	2.80 1.48
Privilege Elevation vulnerability	medium	CVE: 2020-29457	15.02.2021	OPC UA .NET Standard SDK	2.80

2020

Description	Category	CVE	Date	Product	Fixed in Version
HEAP-BASED BUFFER OVERFLOW	High	CVE-2020-14524	28.07.2020	OPC Classic SDK	4.47.1
UNCONTROLLED RESOURCE CONSUMPTION	High	CVE-2020-14522	28.07.2020	OPC Classic SDK	4.47.1
Servers do not create sufficiently random numbers	High	CVE-2019-19135	10.03.2020	.NET Standard SDK	2.40
Servers do not create sufficiently random numbers	High	CVE-2019-19135	10.03.2020	dataFEED C++ SDK	5.62

2019

Description	Category	CVE	Date	Product	Fixed in Version
Authenticated remote code execution possible	High	CVE-2019-15051	10.10.2019	uaGate SI uaGate MB uaGate840D edgeGate	1.72.00.1996
Sudo privilege escalation	High	CVE-2019-11526	10.10.2019	uaGate SI uaGate MB uaGate840D edgeGate	1.71.00.1225
Another authenticated remote code execution	High	CVE-2019-11527	10.10.2019	uaGate SI uaGate MB uaGate840D edgeGate	1.72.00.1996
Default unix user permissons	High	CVE-2019-11528	10.10.2019	uaGate SI uaGate MB uaGate840D edgeGate	1.71.00.1225

Softing recommends always using the latest software/firmware version. These are in the Support and Downloads or the respective product page.

No representations are made as to the completeness or accuracy of the listing above. This information is provided without any guarantee or warranty of any kind, either explicit or tacit. We reserve the right to change or update the content of this website without notice at any time. The free update enables you to prevent or limit the consequences of damage resulting from security vulnerabilities. We cannot be held liable for any consequences arising from any omission in this regard. Security vulnerabilities cannot be removed in every case for products which have already reached their end-of-life cycle.

What does CVE mean?

It stands for Common Vulnerabilities and Exposures (CVE) and is an industry standard that aims to introduce a common naming convention for vulnerabilities and other security issues in computer systems. Multiple naming of the same threats by different companies and institutions is supplemented by a serial number (e.g. CVE-2006- 3086) to ensure clear identification of the vulnerability. This enables a smooth exchange of information between the various databases of individual manufacturers.

Name	Purpose	Lifetime	Type	Provider
CM-CookieConsent	Saves your consent to using cookies.	14 days	HTML	Website
menuState	Remebers the menu toggle state.	1 day	HTML	Website
PHPSESSID	Assigns your browser to a session on the server.	session	HTTP	Website
fe_typo_user	Assigns your browser to a session on the server.	session	HTTP	Website
adhoc	Saves the status that you have read the Ad-hoc message.	session	HTTP	Website
CookieConsent	Obsolete: Saves your consent to using cookies.	1 year	HTML	Website

Name	Purpose	Lifetime	Type	Provider
wisepops	WisePops is a tool to serve pop up messages. It uses a cookie to prevent the same message being shown more than once. We do not capture personal data in the pop ups.	2 years	HTML	Wisepops
wisepops_visits	WisePops is a tool to serve pop up messages. It uses a cookie to prevent the same message being shown more than once. We do not capture personal data in the pop ups.	2 years	HTML	Wisepops
wisepops_session	WisePops is a tool to serve pop up messages. It uses a cookie to prevent the same message being shown more than once. We do not capture personal data in the pop ups.	session	HTML	Wisepops

Name	Purpose	Lifetime	Type	Provider
_ga	Used to distinguish users.	2 years	HTML	Google
_gid	Used to distinguish users.	1 day	HTML	Google
_gat	Used to throttle request rate.	1 minute	HTML	Google
visitor_idACCOUNTID	The visitor cookie includes a unique visitor ID and the unique identifier for your account. For example, the cookie name visitor_id12345 stores the visitor ID 1010101010. The account identifier, 12345, makes sure that the visitor is tracked on the correct Pardot account. The visitor value is the visitor_id in your Pardot account. This cookie is set for visitors by the Pardot tracking code.	10 years	HTML	Pardot
pi_opt_inACCOUNTID	If Tracking Opt-in preferences is enabled, the pi_opt_in cookie is set with a true or false value when the visitor opts in or out of tracking. If a visitor opts in, the value is set to true, and the visitor is cookied and tracked. If the visitor opts out or ignores the opt-in banner, the opt-in cookie value is set to false. The visitor cookie is disabled, and the visitor is not tracked.	10 years	HTML	Pardot
visitor_idACCOUNTID-hash	The visitor hash cookie contains the account ID and stores a unique hash. For example, the cookie name visitor_id12345-hash stores the hash “855c3697d9979e78ac404c4ba2c66533”, and the account ID is 12345. This cookie is a security measure to make sure that a malicious user can’t fake a visitor from Pardot and access corresponding prospect information.	10 years	HTML	Pardot
lpvACCOUNTID	This LPV cookie is set to keep Pardot from tracking multiple page views on a single asset over a 30-minute session. For example, if a visitor reloads a landing page several times over a 30-minute period, this cookie keeps each reload from being tracked as a page view.	30 minutes	HTML	Pardot
pardot	A session cookie named pardot is set in your browser while you’re logged in to Pardot as a user or when a visitor accesses a form, landing page, or page with Pardot tracking code. The cookie denotes an active session and isn’t used for tracking.	10 years	HTML	Pardot
Prism_ACCOUNTID	Store and track interaction.	2 years	HTML	Active Campaign

Register once – for extended use