Severity:
Critical,
High
Advisory ID:
PN1618
Date de publication:
March 21, 2023
Date de la dernière mise à jour:
March 21, 2023
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
Non
Corrected:
Non
Workaround:
Non
CVE IDs
CVE-2023-27855,
CVE-2023-27857,
CVE-2023-27856,
CVE-2023-28757
Résumé
ThinManager Software Path Traversal and Denial-Of-Service Attack
Revision History
Revision Number
1.0
Revision History
Version 1.0 – March 21, 2023 – Initial Version
Executive Summary
A vulnerability was discovered by Tenable Security Researchers and reported to Rockwell Automation. The vulnerability was discovered in the ThinManager® ThinServer™ software. Successful exploitation of this vulnerability could allow an attacker to potentially perform remote code execution on the target or crash the software.
Customers using the products in scope are encouraged to evaluate the mitigations provided and apply them appropriately to their deployed products. See the additional details relating to the discovered vulnerabilities, including recommended countermeasures.
Customers using the products in scope are encouraged to evaluate the mitigations provided and apply them appropriately to their deployed products. See the additional details relating to the discovered vulnerabilities, including recommended countermeasures.
Affected Products
| ThinManager ThinServer software | Versions |
| 6.x – 10.x | |
| 11.0.0 – 11.0.5 | |
| 11.1.0 – 11.1.5 | |
| 11.2.0 – 11.2.6 | |
| 12.0.0 – 12.0.4 | |
| 12.1.0 – 12.1.5 | |
| 13.0.0-13.0.1 |
Vulnerability Details
CVE 2023-27855 ThinManager ThinServer Path Traversal Upload
In affected versions, a path traversal exists when processing a message. An unauthenticated remote attacker could potentially exploit this vulnerability to upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed. The attacker can overwrite existing executable files with attacker-controlled, malicious content, potentially causing remote code execution.
CVE 2023-27856 ThinManager ThinServer Path Traversal Download
In affected versions, a path traversal exists when processing a message of type 8. An unauthenticated remote attacker can exploit this vulnerability to download arbitrary files on the disk drive where ThinServer.exe is installed.
CVE 2023-27857 ThinManager ThinServer Heap-Based Buffer Overflow
In affected versions, a heap-based buffer over-read condition occurs when the message field indicates more data than is present in the message field. An unauthenticated remote attacker can exploit this vulnerability to crash ThinServer.exe due to a read access violation.
CVSS Base Score: 9.8 /10 (Critical)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HIn affected versions, a path traversal exists when processing a message. An unauthenticated remote attacker could potentially exploit this vulnerability to upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed. The attacker can overwrite existing executable files with attacker-controlled, malicious content, potentially causing remote code execution.
CVE 2023-27856 ThinManager ThinServer Path Traversal Download
CVSS Base Score: 7.5 /10 (High)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NIn affected versions, a path traversal exists when processing a message of type 8. An unauthenticated remote attacker can exploit this vulnerability to download arbitrary files on the disk drive where ThinServer.exe is installed.
CVE 2023-27857 ThinManager ThinServer Heap-Based Buffer Overflow
CVSS Base Score: 7.5/10 (High)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HIn affected versions, a heap-based buffer over-read condition occurs when the message field indicates more data than is present in the message field. An unauthenticated remote attacker can exploit this vulnerability to crash ThinServer.exe due to a read access violation.
Risk Mitigation & User Action
Customers are directed towards the risk mitigations provided, and are encouraged, when possible, to combine these mitigations with the general security guidelines to employ multiple strategies simultaneously.
For additional security best practices, please see our Knowledgebase article, QA43240 - Recommended Security Guidelines from Rockwell Automation, to maintain the security posture of your environment.
| CVE-2023-27855 CVE-2023-27856 CVE-2023-27857 | First Known Affected | Fixed Versions |
| 6.x – 10.x | These versions are retired. Please update to the supported version. | |
| 11.0.0 – 11.0.5 | Update to v11.0.6 | |
| 11.1.0 – 11.1.5 | Update to v11.1.6 | |
| 11.2.0 – 11.2.6 | Update to v11.2.7 | |
| 12.0.0 – 12.0.4 | Update to v12.0.5 | |
| 12.1.0 – 12.1.5 | Update to v12.1.6 | |
| 13.0.0 – 13.0.1 | Update to v13.0.2 |
Additional Mitigations
If customers are unable to update to the patched version, the following mitigations should be put in place:- Limiting remote access to TCP port 2031 to known thin clients and ThinManager servers would limit some access to exploit this vulnerability.
For additional security best practices, please see our Knowledgebase article, QA43240 - Recommended Security Guidelines from Rockwell Automation, to maintain the security posture of your environment.
References
Copyright ©2022 Rockwell Automation, Inc.