Security Information

Vulnerabilities

What is a vulnerability?

A security vulnerability poses a threat to the security of a computer system. There is a risk that the vulnerability could be exploited, and the affected computer system compromised. Vulnerabilities arise from, among other things, insufficient protection of a computer from attacks from the network (for example, lack of a firewall or other security software), programming errors in the operating system, web browsers, or other software applications running on the system.

Reporting security issues

If you believe you have discovered a vulnerability in a Softing product or have a security incident to report please get in touch with us security.sia[at]softing[dot]com.

Known vulnerabilities

Description	Category	CVE	Date	Product	Fixed in Version
Endless loop in OpenSSL	High	CVE-2022-0778	15.03.2022	OPC UA C++ SDK	OPC UA C++ SDK – fixed: 5.70.1
Invalid XML element in the type dictionary	High	CVE-2021-42262	09.03.2022	OPC UA C++ SDK	OPC UA C++ SDK - fixed: 5.70 dataFEED OPC Suite - fixed: planned for 5.20 Secure Integration Server - fixed planned for 1.30
A malformed OPC/UA message abort packet makes the client crash with a null pointer dereference.	High	CVE-2021-42577	09.03.2022	OPC UA C++ SDK	OPC UA C++ SDK - fixed: 5.70 dataFEED OPC Suite - fixed: planned for 5.20 Secure Integration Server - fixed planned for 1.30
Possible memory corruption in BT controller	Medium	CVE-2021-35093	06.12.2021	mobiLink	N. A.
CWE 20: Improper Input Validation	High	CVE-2021-40872	08.11.2021	uaToolkit Embedded smartLink HW DP	1.40 planned for 1.19
CWE 415: Double Free	High	CVE-2021-40873	08.11.2021	uaToolkit Embedded OPC UA C++ SDK TH SCOPE dataFEED OPC Suite Secure Integration Server edgeConnector uaGates	1.40 5.66 N. A. 5.18 planned for 1.30 planned for 3.10 1.73
CWE 20: Improper Input Validation	Medium	CVE-2021-40871	08.11.2021	OPC UA C++ SDK TH SCOPE dataFEED OPC Suite Secure Integration Server	5.66 N. A. 5.18 planned for 1.30
Improper Restriction of Operations within the Bounds of a Memory Buffer	High	CVE-2021-32994	17.06.2021	OPC UA C++ SDK	5.65
Endless recursion in XML Structures	High	CVE: 2021-27432	17.02.2021	OPC UA .NET Standard SDK OPC UA .NET SDK	2.80 1.48
Privilege Elevation vulnerability	medium	CVE: 2020-29457	15.02.2021	OPC UA .NET Standard SDK	2.80
HEAP-BASED BUFFER OVERFLOW	High	CVE-2020-14524	28.07.2020	OPC Classic SDK	4.47.1
UNCONTROLLED RESOURCE CONSUMPTION	High	CVE-2020-14522	28.07.2020	OPC Classic SDK	4.47.1
Servers do not create sufficiently random numbers	High	CVE-2019-19135	10.03.2020	.NET Standard SDK	2.40
Servers do not create sufficiently random numbers	High	CVE-2019-19135	10.03.2020	dataFEED C++ SDK	5.62
Authenticated remote code execution possible	High	CVE-2019-15051	10.10.2019	uaGate SI uaGate MB uaGate840D edgeGate	1.72.00.1996
Sudo privilege escalation	High	CVE-2019-11526	10.10.2019	uaGate SI uaGate MB uaGate840D edgeGate	1.71.00.1225
Another authenticated remote code execution	High	CVE-2019-11527	10.10.2019	uaGate SI uaGate MB uaGate840D edgeGate	1.72.00.1996
Default unix user permissons	High	CVE-2019-11528	10.10.2019	uaGate SI uaGate MB uaGate840D edgeGate	1.71.00.1225

Softing recommends always using the latest software/firmware version. These are in the Support and Downloads or the respective product page.

No representations are made as to the completeness or accuracy of the listing above. This information is provided without any guarantee or warranty of any kind, either explicit or tacit. We reserve the right to change or update the content of this website without notice at any time. The free update enables you to prevent or limit the consequences of damage resulting from security vulnerabilities. We cannot be held liable for any consequences arising from any omission in this regard. Security vulnerabilities cannot be removed in every case for products which have already reached their end-of-life cycle.

What does CVE mean?

It stands for Common Vulnerabilities and Exposures (CVE) and is an industry standard that aims to introduce a common naming convention for vulnerabilities and other security issues in computer systems. Multiple naming of the same threats by different companies and institutions is supplemented by a serial number (e.g. CVE-2006- 3086) to ensure clear identification of the vulnerability. This enables a smooth exchange of information between the various databases of individual manufacturers.

Name	Purpose	Lifetime	Type	Provider
CM-CookieConsent	Saves your consent to using cookies.	14 days	HTML	Website
menuState	Remebers the menu toggle state.	1 day	HTML	Website
PHPSESSID	Assigns your browser to a session on the server.	session	HTTP	Website
fe_typo_user	Assigns your browser to a session on the server.	session	HTTP	Website
adhoc	Saves the status that you have read the Ad-hoc message.	session	HTTP	Website
CookieConsent	Obsolete: Saves your consent to using cookies.	1 year	HTML	Website

Name	Purpose	Lifetime	Type	Provider
wisepops	WisePops is a tool to serve pop up messages. It uses a cookie to prevent the same message being shown more than once. We do not capture personal data in the pop ups.	2 years	HTML	Wisepops
wisepops_visits	WisePops is a tool to serve pop up messages. It uses a cookie to prevent the same message being shown more than once. We do not capture personal data in the pop ups.	2 years	HTML	Wisepops
wisepops_session	WisePops is a tool to serve pop up messages. It uses a cookie to prevent the same message being shown more than once. We do not capture personal data in the pop ups.	session	HTML	Wisepops

Name	Purpose	Lifetime	Type	Provider
_ga	Used to distinguish users.	2 years	HTML	Google
_gid	Used to distinguish users.	1 day	HTML	Google
_gat	Used to throttle request rate.	1 minute	HTML	Google
visitor_idACCOUNTID	The visitor cookie includes a unique visitor ID and the unique identifier for your account. For example, the cookie name visitor_id12345 stores the visitor ID 1010101010. The account identifier, 12345, makes sure that the visitor is tracked on the correct Pardot account. The visitor value is the visitor_id in your Pardot account. This cookie is set for visitors by the Pardot tracking code.	10 years	HTML	Pardot
pi_opt_inACCOUNTID	If Tracking Opt-in preferences is enabled, the pi_opt_in cookie is set with a true or false value when the visitor opts in or out of tracking. If a visitor opts in, the value is set to true, and the visitor is cookied and tracked. If the visitor opts out or ignores the opt-in banner, the opt-in cookie value is set to false. The visitor cookie is disabled, and the visitor is not tracked.	10 years	HTML	Pardot
visitor_idACCOUNTID-hash	The visitor hash cookie contains the account ID and stores a unique hash. For example, the cookie name visitor_id12345-hash stores the hash “855c3697d9979e78ac404c4ba2c66533”, and the account ID is 12345. This cookie is a security measure to make sure that a malicious user can’t fake a visitor from Pardot and access corresponding prospect information.	10 years	HTML	Pardot
lpvACCOUNTID	This LPV cookie is set to keep Pardot from tracking multiple page views on a single asset over a 30-minute session. For example, if a visitor reloads a landing page several times over a 30-minute period, this cookie keeps each reload from being tracked as a page view.	30 minutes	HTML	Pardot
pardot	A session cookie named pardot is set in your browser while you’re logged in to Pardot as a user or when a visitor accesses a form, landing page, or page with Pardot tracking code. The cookie denotes an active session and isn’t used for tracking.	10 years	HTML	Pardot
Prism_ACCOUNTID	Store and track interaction.	2 years	HTML	Active Campaign

Register once – for extended use

Security Information

Vulnerabilities

What is a vulnerability?

Reporting security issues

Known vulnerabilities

Softing recommends always using the latest software/firmware version. These are in the Support and Downloads or the respective product page.

What does CVE mean?

Contact

Navigation

Connect

Softing Industrial Support