
ID

VDE-2022-007

Published

2022-03-22 08:43 (CET)

Last update

2022-03-22 08:43 (CET)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| 2702889 | FL Network Manager | 4.0 <= 6.0 |
| - | PLCnext Technology tool chain for Windows | 2019.0 LTS < 2022.0 LTS |

Summary

SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry `../evil.txt` may be extracted in the parent directory of `destFolder`. This leads to arbitrary file write that may lead to code execution. The vulnerability was fixed in SharpZipLib version 1.3.3.

Vulnerabilities



Last Update
March 11, 2022, 7:40 a.m.
Weakness
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Summary

SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry `../evil.txt` may be extracted in the parent directory of `destFolder`. This leads to arbitrary file write that may lead to code execution. The vulnerability was patched in version 1.3.3.

Last Update
March 11, 2022, 7:40 a.m.
Weakness
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Summary

SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Starting with version 1.0.0 and prior to version 1.3.3, a check was added that the destination file is under the destination directory. However, it is not enforced that `_baseDirectory` ends with a slash. If `_baseDirectory` is not slash-terminated, like `/home/user/dir`, it is possible to create a file whose name begins with the name of the destination directory, one level up from that directory, i.e. `/home/user/dir.sh`. Because of the file name and destination directory constraints, the arbitrary file creation impact is limited and depends on the use case. Version 1.3.3 fixed this vulnerability.
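The two path checks described above, as an added Python illustration (not SharpZipLib's or PHOENIX CONTACT's code): it audits the entry names of a constructed in-memory TAR with a prefix test that lacks a separator boundary and with a component-wise test, without extracting anything. The function names and sample entries are assumptions of this example; the base directory `/home/user/dir` is the one used in the text.

```python
import io
import posixpath
import tarfile

def naive_is_inside(base_dir, entry_name):
    """Flawed pattern: string prefix test with no separator boundary."""
    target = posixpath.normpath(posixpath.join(base_dir, entry_name))
    return target.startswith(base_dir)

def strict_is_inside(base_dir, entry_name):
    """Compare whole path components, so /home/user/dir.sh is not inside /home/user/dir."""
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, entry_name))
    return posixpath.commonpath([base, target]) == base

def build_sample_tar(names):
    """Build a constructed sample archive in memory (no files are written)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def audit_archive(tar_bytes, base_dir):
    """Return {entry name: (naive verdict, strict verdict)} without extracting."""
    results = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            results[member.name] = (
                naive_is_inside(base_dir, member.name),
                strict_is_inside(base_dir, member.name),
            )
    return results

# Constructed entry names: one benign, one parent-directory entry,
# one sibling whose name starts with the base directory's name.
SAMPLE_NAMES = ["status/device.log", "../evil.txt", "../dir.sh"]
BASE_DIR = "/home/user/dir"  # not slash-terminated, as in the text

if __name__ == "__main__":
    report = audit_archive(build_sample_tar(SAMPLE_NAMES), BASE_DIR)
    for name, (naive, strict) in report.items():
        print(f"{name!r}: naive={naive} strict={strict}")
```

An entry for which the two verdicts differ is one that a prefix-only check would accept even though it resolves outside the destination directory.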

Impact

SharpZipLib is used in PLCnext CLI for the SDK installation on Windows.
Via a specially crafted “zip file” an attacker could take over a vulnerable PC, gain unauthorised access to sensitive data, or affect the availability of the system.

In FL Network Manager SharpZipLib is used for opening device snapshots.
A snapshot file contains, for example, information about the device status, the device configuration, an event log, etc. The snapshot file is a zip archive with the prefix "snapshot" and the extension "tar.gz". This zip file helps Phoenix Contact to solve problems with the device.
The client may choose arbitrary files to use as a snapshot. A compromised snapshot may lead to code execution as described in the Vulnerabilities section.

Solution

Remediation

PHOENIX CONTACT strongly recommends updating the PLCnext Technology tool chain for Windows to Version 2022.0 LTS or higher, which fixes this vulnerability and can be downloaded from the download area (Software) of your PLCnext Controller.

Please use the Device Snapshots only from safe sources and ensure data integrity or update the FL Network Manager to Version 6.0.1 or higher.

Reported by

This vulnerability was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski). We kindly appreciate the coordinated disclosure of this vulnerability by the finder.

PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.