SRC-2023-0001 : PTC Thingworx Edge C-SDK twHeader_fromStream Integer Overflow Remote Code Execution Vulnerability

CVE ID: CVE-2023-0754

CVSS Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Vendors: PTC

Affected Products: ThingWorx Edge MicroServer (EMS), .NET-SDK, Kepware KEPServerEX, ThingWorx Kepware Server, ThingWorx Industrial Connectivity, ThingWorx Kepware Edge

Vulnerability Details:

This vulnerability allows remote attackers to execute arbitrary code on affected installations of PTC Thingworx Edge C-SDK. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the twHeader_fromStream function. An integer wrap occurs on attacker-controlled data, which results in an under-allocated buffer and a subsequent heap overflow in twStream_GetBytes. An attacker can leverage this vulnerability to cause a denial of service or execute code in the context of the application.
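The bug class described above (a length computed from untrusted fields wraps in 32-bit arithmetic, the buffer is allocated from the wrapped value, and the later copy uses the original large count) is shown below in a self-contained C example that is added here and is not the ThingWorx C-SDK's code. The wire format, the `stream_t` type and every function name are invented for this illustration; the unchecked variant only returns the wrapped size rather than performing the copy, while the hardened parser shows the two checks that close the hole: reject sums that would wrap, and bound every length field by the bytes actually present in the stream before allocating.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed wire format for this example (NOT the ThingWorx protocol):
 *   [u32 hdr_len][u32 body_len][hdr_len bytes][body_len bytes], little-endian.
 * A parser must allocate hdr_len + body_len bytes and copy both regions in. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} stream_t;

static bool read_u32_le(stream_t *s, uint32_t *out)
{
    if (s->len - s->pos < 4)
        return false;
    const uint8_t *p = s->data + s->pos;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    s->pos += 4;
    return true;
}

/* The defect pattern: the allocation size is computed in 32-bit arithmetic
 * straight from two attacker-supplied lengths, so it silently wraps. A
 * caller that malloc()s this value and then copies hdr_len bytes overruns
 * the heap chunk. The value is only returned here, never acted on. */
uint32_t unchecked_alloc_size(uint32_t hdr_len, uint32_t body_len)
{
    return hdr_len + body_len;  /* e.g. 0xFFFFFFF0 + 0x20 wraps to 0x10 */
}

/* Hardened parser: reject sums that would wrap, and reject any length that
 * exceeds what the stream actually contains, before touching the allocator. */
bool parse_message_checked(stream_t *s, uint8_t **out, size_t *out_len)
{
    uint32_t hdr_len, body_len;
    *out = NULL;
    *out_len = 0;
    if (!read_u32_le(s, &hdr_len) || !read_u32_le(s, &body_len))
        return false;
    /* Portable overflow check: a + b wraps iff b > UINT32_MAX - a. */
    if (body_len > UINT32_MAX - hdr_len)
        return false;
    uint32_t total = hdr_len + body_len;
    /* Never trust a length field: bound it by the bytes still in the stream. */
    if (total > s->len - s->pos)
        return false;
    uint8_t *buf = malloc(total ? total : 1);
    if (!buf)
        return false;
    memcpy(buf, s->data + s->pos, total);
    s->pos += total;
    *out = buf;
    *out_len = total;
    return true;
}

/* Constructed input: lengths chosen so the 32-bit sum wraps to 0x10. */
static const uint8_t wrapping_msg[] = {
    0xF0, 0xFF, 0xFF, 0xFF,   /* hdr_len  = 0xFFFFFFF0 */
    0x20, 0x00, 0x00, 0x00,   /* body_len = 0x00000020 */
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A'
};

/* Constructed benign input: 4-byte header followed by a 3-byte body. */
static const uint8_t benign_msg[] = {
    0x04, 0x00, 0x00, 0x00,
    0x03, 0x00, 0x00, 0x00,
    'H', 'D', 'R', '!', 'b', 'o', 'd'
};

/* True when the hardened parser rejects the wrapping message. */
bool wrapping_message_rejected(void)
{
    stream_t s = { wrapping_msg, sizeof wrapping_msg, 0 };
    uint8_t *buf;
    size_t n;
    bool ok = parse_message_checked(&s, &buf, &n);
    free(buf);
    return !ok;
}

/* Parsed length of the benign message, or 0 if it was rejected. */
size_t benign_message_len(void)
{
    stream_t s = { benign_msg, sizeof benign_msg, 0 };
    uint8_t *buf;
    size_t n;
    if (!parse_message_checked(&s, &buf, &n))
        return 0;
    free(buf);
    return n;
}
```

The second check matters even where the sum does not wrap: a length field that merely exceeds the remaining stream bytes would otherwise turn an under-allocation into an over-read of the input buffer. Compilers that offer `__builtin_add_overflow` can replace the manual `UINT32_MAX - a` comparison, but the shape of the fix is the same.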

Vendor Response:

PTC has issued an update to correct this vulnerability. More details can be found at: https://www.cisa.gov/uscert/ics/advisories/icsa-23-054-01

Disclosure Timeline:

  • 2022-03-29 – Sent to PTC PSIRT

  • 2023-02-28 – Coordinated public release of advisory

Proof of Concept: /pocs/src-2023-0001.py.txt

Credit: This vulnerability was discovered by Chris Anastasio and Steven Seeley of Incite Team