
ID

VDE-2022-033

Published

2022-11-24 10:00 (CET)

Last update

2022-11-17 15:32 (CET)

Vendor(s)

Pilz GmbH & Co. KG

Product(s)

Article No.   Product Name       Affected Version(s)
-             PASvisu Software   < 1.12.0
265507        PMI v5xx           <= 1.3.58
265512        PMI v5xx           <= 1.3.58
266704        PMI v7xx           < 2.2.0
266707        PMI v7xx           < 2.2.0
266807        PMI v8xx           < 1.6.102
266812        PMI v8xx           < 1.6.102
266815        PMI v8xx           < 1.6.102

Summary

PASvisu is an HMI solution for machine visualization. It is available as a standalone software product, but it is also included in various models of the PMI product family. The PASvisu Server component contains multiple vulnerabilities that can be used to write arbitrary files, potentially leading to code execution.

Vulnerabilities



Last Update
Sept. 30, 2022, 8:41 a.m.
Weakness
Files or Directories Accessible to External Parties (CWE-552)
Summary

This affects the package cesanta/mongoose before 7.6. The unsafe handling of file names during upload using the mg_http_upload() method may enable attackers to write files to arbitrary locations outside the designated target folder.

Last Update
Dec. 13, 2022, 10:34 a.m.
Weakness
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Summary

A path traversal vulnerability was discovered in Pilz PASvisu Server before 1.12.0. An unauthenticated remote attacker could use a zipped, malicious configuration file to trigger arbitrary file writes ('zip-slip').

Impact

The PASvisu Server provides an integrated web server, which is also used to send the configuration from the PASvisu Builder to the server component. When receiving and processing a configuration, the server does not properly check pathnames. If the PASvisu Server is not protected by an administration password, an attacker can exploit the listed vulnerabilities to write arbitrary files. In the worst case, this could lead to remote code execution.
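The pathname check whose absence is described above can be sketched as follows. This is an added example, not code from Pilz or from the mongoose project; it is written in Python for illustration, and the names unsafe_entries, extract_config and build_sample are hypothetical.

```python
import io
import zipfile
from pathlib import Path, PurePosixPath, PureWindowsPath


def unsafe_entries(archive: zipfile.ZipFile, target_dir: str) -> list:
    """Return the entry names that would be written outside target_dir."""
    root = Path(target_dir).resolve()
    bad = []
    for info in archive.infolist():
        name = info.filename
        win = PureWindowsPath(name)
        # Absolute paths, drive letters and UNC prefixes never belong in a
        # configuration archive, whatever platform it was packed on.
        if PurePosixPath(name).is_absolute() or win.is_absolute() or win.drive:
            bad.append(name)
            continue
        # Treat "\" as a separator too, then collapse ".." components and
        # confirm the destination is still below the target directory.
        dest = (root / name.replace("\\", "/")).resolve()
        if not dest.is_relative_to(root):
            bad.append(name)
    return bad


def extract_config(data: bytes, target_dir: str) -> list:
    """Extract an uploaded archive only if every entry stays in target_dir."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        bad = unsafe_entries(archive, target_dir)
        if bad:
            # Reject the whole upload instead of silently renaming entries.
            raise ValueError(f"archive rejected, unsafe entries: {bad}")
        archive.extractall(target_dir)
        return archive.namelist()


def build_sample(names) -> bytes:
    """Build a constructed in-memory archive for exercising the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in names:
            archive.writestr(name, b"constructed sample content")
    return buf.getvalue()
```

Python's own extractall() already strips ".." and leading separators from entry names; the explicit check is shown because an extractor without that behaviour needs it, and because rejecting the upload leaves a clear error to log. Symbolic-link entries are not covered by this sketch.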

Solution

General Countermeasures

  • Restrict HTTP and HTTPS traffic to the PASvisu Server by using a firewall or other measures on the network level.

Product-specific Countermeasures

  • PASvisu software, PMI v7xx, PMI v8xx: Configure an administration password.
  • PASvisu, PMI v7xx, PMI v8xx: Install the fixed version as soon as it is available. Please visit the Pilz Shop (www.pilz.com/enINT/eshop) to check for a fixed version.

Reported by

Pilz would like to thank CERT@VDE for coordinating publication.