
ID

VDE-2022-045

Published

2022-11-24 10:00 (CET)

Last update

2022-11-17 15:32 (CET)

Vendor(s)

Pilz GmbH & Co. KG

Product(s)

Article No°    Product Name    Affected Version(s)
-              PAS4000         < 1.25.0

Summary

PAS4000 is the software platform for the Automation System PSS 4000. PAS4000 does not properly validate the pathnames of entries contained in ZIP archives before extracting them. An attacker who can get a user to load a crafted archive can use this to write files to arbitrary locations on the system, which can lead to code execution.

Vulnerabilities



Last Update
29. September 2022 15:45
Weakness
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Summary

zip4j before 1.3.3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

Last Update
10. November 2022 11:53
Weakness
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Summary

A path traversal vulnerability was discovered in multiple Pilz products. An unauthenticated local attacker could use a zipped, malicious configuration file to trigger arbitrary file writes ('zip-slip').

Impact

PAS 4000 uses ZIP archives to save and load project backups and libraries; ZIP archives are also used as the container for firmware updates. When an archive is loaded, the entry pathnames are not checked for path-traversal components such as '../' before the entries are written to disk. If a user loads a manipulated ZIP archive, an entry such as '../../<target>' is written outside the intended extraction directory, allowing potentially malicious files to be placed anywhere the PAS 4000 process can write. Depending on the privileges of the user running PAS 4000, this can lead to code execution (for example by dropping a file into an autostart location or overwriting an executable).
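The following is an added illustration of the Zip-Slip pattern described above; it is not code from PAS 4000, zip4j or CERT@VDE. It builds a small archive in memory with one benign entry and two hostile ones (a '../' traversal entry and an absolute path), shows where a checker-free extractor that simply joins the destination directory and the entry name would write each entry, and then extracts the archive with a containment check that rejects any entry resolving outside the destination. The extraction directory and entry names are constructed for the example; the Python zipfile module is used only to build and read the archive (its own extractall() already strips '..' components, so the vulnerable path is computed explicitly rather than exercised).

```python
import io
import os
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed sample archive: one benign entry and two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/config.xml", "<config/>")
        zf.writestr("../../startup/evil.bat", "echo pwned")  # hypothetical target
        zf.writestr("/abs/path.txt", "absolute path entry")
    return buf.getvalue()


def naive_target_path(dest: str, entry_name: str) -> str:
    """Where an extractor that does no validation would write the entry."""
    return os.path.normpath(os.path.join(dest, entry_name))


def is_contained(dest: str, entry_name: str) -> bool:
    """True only if dest/entry_name resolves to a path inside dest."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, entry_name))
    return os.path.commonpath([dest_real, target]) == dest_real


def safe_extract(zip_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract entries whose resolved path stays inside dest; reject the rest."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not is_contained(dest, name):
                rejected.append(name)
                continue
            target = os.path.realpath(os.path.join(dest, name))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as fh:
                    fh.write(zf.read(info))
            accepted.append(name)
    return accepted, rejected


def demo() -> dict:
    """Run the hardened extractor on the sample archive in a temp directory."""
    dest = tempfile.mkdtemp(prefix="pas_example_")
    accepted, rejected = safe_extract(build_malicious_zip(), dest)
    return {
        "accepted": accepted,
        "rejected": rejected,
        "benign_written": os.path.isfile(os.path.join(dest, "project", "config.xml")),
        "escaped_target": naive_target_path(dest, "../../startup/evil.bat"),
    }


if __name__ == "__main__":
    print(demo())
```

The check resolves symlinks via realpath() on both sides before comparing, so an archive that first creates a symlink pointing outside the destination and then writes through it is also caught, provided the symlink itself is not created by the extractor (this example does not extract symlink entries at all). Rejecting the whole archive on the first bad entry, rather than skipping it, is the safer policy for a product that loads projects and firmware.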

Solution

General Countermeasures

  • Do not load .zip or .par files from untrusted sources. If you need to load a file from an
    untrusted source, please contact your local Pilz support.

Product-specific Countermeasures

  • Install the fixed version (PAS4000 1.25.0 or later) as soon as it is available. Please visit the Pilz Shop (www.pilz.com/en-INT/eshop) to check for the fixed version.

Reported by

Pilz would like to thank CERT@VDE for coordinating publication.