SRC-2023-0002 : PTC Thingworx Edge C-SDK mulitpartMessageStoreEntry_Create Array Indexing Out-of-Bounds Write Remote Code Execution Vulnerability

CVE ID: CVE-2023-0755

CVSS Score: 9.8 (/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Vendors: PTC

Affected Products: ThingWorx Edge MicroServer (EMS), .NET-SDK, Kepware KEPServerEX, ThingWorx Kepware Server, ThingWorx Industrial Connectivity, ThingWorx Kepware Edge

Vulnerability Details:

This vulnerability allows remote attackers to execute arbitrary code on affected installations of PTC Thingworx Edge C-SDK. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the mulitpartMessageStoreEntry_Create function. An out-of-bounds write occurs when processing attacker-controlled data. An attacker can leverage this vulnerability to cause a denial of service or execute code in the context of the application.

Vendor Response:

PTC has issued an update to correct this vulnerability. More details can be found at: https://www.cisa.gov/uscert/ics/advisories/icsa-23-054-01

Disclosure Timeline:

  • 2022-03-29 – Sent to PTC PSIRT

  • 2023-02-28 – Coordinated public release of advisory

Proof of Concept: /pocs/src-2023-0002.py.txt

Credit: This vulnerability was discovered by Chris Anastasio and Steven Seeley of Incite Team