PTC Security Vulnerabilities

 
  • ThingWorx Platform Vulnerability, December 13, 2018
    Summary Directory Traversal on Zip Archive Usage
    Last Update December 13, 2018
    Versions Impacted 8.3.0 and all prior versions
    CVE # Link CVE Mitre
    CVSS Score 7.7
    Technical Support Link Directory Traversal on Zip Usage in ThingWorx Platform Prior to 8.3.0

     

    Context

    At PTC, we’re dedicated to working together with our customers and partners to develop and deploy secure IoT platforms. As part of PTC’s ongoing effort to improve product security and communicate clearly about any issues impacting applications dependent on the security of PTC’s products, this vulnerability disclosure is intended to inform users of the ThingWorx platform so that they may determine if further action is required.

    Summary

    The ThingWorx application is vulnerable to a directory traversal attack on zip files.

    Impact analysis: How to determine if you are vulnerable

    All application built on affected versions, including other PTC applications, may be vulnerable.

    ThingWorx version information

    Affected Versions Fix Version for This Issue Minimum Recommended Security Patch Level 
    All Versions Before 7.0.0 7.0.15+ 7.4.15+
    7.0.0 to 7.0.14 7.0.15+ 7.4.15+
    7.1.0 to 7.1.18 7.1.19+ 7.4.15+
    7.2.0 to 7.2.21 7.2.22+ 7.4.15+
    7.3.0 to 7.3.18 7.3.19+ 7.4.15+
    7.4.0 to 7.4.14 7.4.15+ 7.4.15+
    8.0.0 to 8.0.12 8.0.13+ 8.0.13+
    8.1.0 to 8.1.8 8.1.9+ 8.1.9+
    8.2.0 to 8.2.5 8.2.6+ 8.2.6+
    8.3.0 8.3.1+ 8.3.1+

     

    There may be technical or other limitations that prevent all fixes from being backported to all older versions. Generally, the latest version of ThingWorx is the most secure. If it is not possible to be on the latest version, PTC recommends the latest Service Pack for the installed version as above.

    Detailed account of the solution

    An attacker can utilize this vulnerability to read files that are normally considered out of bounds by the application. The methods to interact with zip files can be used to read or write arbitrary files.

    The fix validates the file path input in the CreateZipArchive service to assure directory traversal is constrained appropriately.

    Credit

    We would like to thank Raymond Doyle at Secureworks for finding and reporting this issue to us.