SRC-2023-0001 : PTC Thingworx Edge C-SDK twHeader_fromStream Integer Overflow Remote Code Execution Vulnerability
CVE ID: CVE-2023-0754
CVSS Score: 9.8, (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Vendors: PTC
Affected Products: ThingWorx Edge MicroServer (EMS), .NET-SDK, Kepware KEPServerEX, ThingWorx Kepware Server, ThingWorx Industrial Connectivity, ThingWorx Kepware Edge
Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on affected installations of the PTC ThingWorx Edge C-SDK. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the twHeader_fromStream function. A size computed from attacker-controlled data wraps around, so the buffer allocated from it is smaller than the data it must hold; the subsequent copy in twStream_GetBytes then writes past the end of that buffer (a heap-based buffer overflow). An attacker can leverage this vulnerability to cause a denial of service or to execute code in the context of the application.
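The bug class described above, as a constructed example added to this advisory (it is not PTC's code, and the real twHeader_fromStream field layout and arithmetic are not given on this page): a hypothetical message stream carries a 32-bit length, a fixed per-message overhead is added to it in 32-bit arithmetic, and an attacker-chosen length near UINT32_MAX wraps the allocation size to a few bytes while the later copy still uses the full length. The vulnerable path is modelled without performing the out-of-bounds write; the hardened parser beside it rejects the wrap and any length the stream cannot actually supply before allocating.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed wire format for this example (assumption, not the ThingWorx format):
 * 4-byte little-endian body length, then the body bytes. MSG_OVERHEAD is the
 * fixed amount the parser adds to the allocation for its own bookkeeping. */
#define MSG_OVERHEAD 16u

typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} stream_t;

/* Read a little-endian uint32 from the stream; -1 if fewer than 4 bytes remain. */
static int stream_get_u32(stream_t *s, uint32_t *out)
{
    if (s->len - s->pos < 4) return -1;
    const uint8_t *p = s->data + s->pos;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    s->pos += 4;
    return 0;
}

/* VULNERABLE pattern: the allocation size is computed in the 32-bit type of the
 * length field, so body_len > UINT32_MAX - MSG_OVERHEAD wraps to a tiny value.
 * Returns the size the vulnerable code would pass to the allocator. */
uint32_t vuln_alloc_size(uint32_t body_len)
{
    return body_len + MSG_OVERHEAD;   /* e.g. 0xFFFFFFF0 + 16 == 0 */
}

/* Models the vulnerable copy without doing it: 1 if copying body_len bytes into
 * the wrapped allocation would run past its end (the heap overflow), else 0. */
int vuln_copy_would_overflow(uint32_t body_len)
{
    uint32_t alloc = vuln_alloc_size(body_len);
    return body_len > alloc;
}

/* HARDENED parser: refuse a length that would wrap the size arithmetic, refuse
 * a length larger than the bytes actually left in the stream, and only then
 * allocate and copy. On success *out owns alloc bytes with the body at offset
 * MSG_OVERHEAD. Return codes: 0 ok, -1 short header, -2 wrap, -3 truncated,
 * -4 allocation failure. */
int hardened_header_from_stream(stream_t *s, uint8_t **out, size_t *out_len)
{
    uint32_t body_len;
    if (stream_get_u32(s, &body_len)) return -1;
    if (body_len > UINT32_MAX - MSG_OVERHEAD) return -2;   /* addition would wrap */
    if (body_len > s->len - s->pos) return -3;             /* stream cannot supply it */
    size_t alloc = (size_t)body_len + MSG_OVERHEAD;
    uint8_t *buf = calloc(1, alloc);
    if (buf == NULL) return -4;
    memcpy(buf + MSG_OVERHEAD, s->data + s->pos, body_len);
    s->pos += body_len;
    *out = buf;
    *out_len = alloc;
    return 0;
}

int main(void)
{
    /* Constructed malicious header: length 0xFFFFFFF0 with no body. */
    const uint8_t evil[] = { 0xF0, 0xFF, 0xFF, 0xFF };
    printf("vulnerable alloc for len 0xFFFFFFF0: %u bytes, copy would overflow: %d\n",
           vuln_alloc_size(0xFFFFFFF0u), vuln_copy_would_overflow(0xFFFFFFF0u));
    stream_t s = { evil, sizeof evil, 0 };
    uint8_t *out = NULL;
    size_t n = 0;
    printf("hardened parser on the same header: rc=%d\n",
           hardened_header_from_stream(&s, &out, &n));
    free(out);
    return 0;
}
```

The order of the checks matters: the wrap check must run on the raw length before any arithmetic on it, and the truncation check must compare against what the stream really holds rather than against the declared length, otherwise a short message with a large length field still reads out of bounds.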
Vendor Response:
PTC has issued an update to correct this vulnerability. More details can be found at: https://www.cisa.gov/uscert/ics/advisories/icsa-23-054-01
Disclosure Timeline:
- 2022-03-29 – Sent to PTC PSIRT
- 2023-02-28 – Coordinated public release of advisory
Proof of Concept: /pocs/src-2023-0001.py.txt
Credit: This vulnerability was discovered by Chris Anastasio and Steven Seeley of Incite Team