Context
At PTC, we’re dedicated to working together with our customers and partners to develop and deploy secure IoT platforms. As part of PTC’s ongoing effort to improve product security and communicate clearly about any issues impacting applications dependent on the security of PTC’s products, this vulnerability disclosure is intended to inform users of the ThingWorx platform so that they may determine if further action is required.
Summary
The ThingWorx application is vulnerable to a directory traversal attack on zip files.
Impact analysis: How to determine if you are vulnerable
All applications built on affected versions, including other PTC applications, may be vulnerable.
ThingWorx version information
Affected Versions | Fix Version for This Issue | Minimum Recommended Security Patch Level
All Versions Before 7.0.0 | 7.0.15+ | 7.4.15+
7.0.0 to 7.0.14 | 7.0.15+ | 7.4.15+
7.1.0 to 7.1.18 | 7.1.19+ | 7.4.15+
7.2.0 to 7.2.21 | 7.2.22+ | 7.4.15+
7.3.0 to 7.3.18 | 7.3.19+ | 7.4.15+
7.4.0 to 7.4.14 | 7.4.15+ | 7.4.15+
8.0.0 to 8.0.12 | 8.0.13+ | 8.0.13+
8.1.0 to 8.1.8 | 8.1.9+ | 8.1.9+
8.2.0 to 8.2.5 | 8.2.6+ | 8.2.6+
8.3.0 | 8.3.1+ | 8.3.1+
There may be technical or other limitations that prevent all fixes from being backported to all older versions. Generally, the latest version of ThingWorx is the most secure. If it is not possible to be on the latest version, PTC recommends the latest Service Pack for the installed version as above.
Detailed account of the solution
An attacker can use this vulnerability to read files that the application normally treats as out of bounds: the services that interact with zip files can be used to read or write arbitrary files.
The fix validates the file path input to the CreateZipArchive service so that directory traversal is constrained appropriately.
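To illustrate the kind of containment check such a fix needs, the following is an added example and not PTC's code: a hypothetical create_zip_archive service that canonicalizes every caller-supplied path and refuses any that resolves outside an allowed base directory, including the lookalike-sibling case a plain prefix check misses. The base directory and file names are constructed for the demonstration.

```python
import os
import tempfile
import zipfile


class PathTraversalError(ValueError):
    """Raised when a caller-supplied path would resolve outside the allowed base directory."""


def resolve_inside(base_dir: str, user_path: str) -> str:
    """Return the absolute path of user_path under base_dir, or raise if it escapes."""
    if os.path.isabs(user_path):
        raise PathTraversalError(f"absolute path not allowed: {user_path!r}")
    base = os.path.realpath(base_dir)
    # Containment is checked on the canonical (realpath) result, so '..' segments
    # and symlinks are resolved before the comparison.
    candidate = os.path.realpath(os.path.join(base, user_path))
    # A naive candidate.startswith(base) would accept '/repo2/x' for base '/repo';
    # commonpath compares whole path components instead.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"{user_path!r} escapes {base_dir!r}")
    return candidate


def is_inside(base_dir: str, user_path: str) -> bool:
    """Boolean form of resolve_inside for callers that only need a verdict."""
    try:
        resolve_inside(base_dir, user_path)
        return True
    except PathTraversalError:
        return False


def create_zip_archive(base_dir: str, archive_rel_path: str, member_rel_paths) -> str:
    """Hypothetical constrained zip service: every path is validated before any I/O."""
    archive_path = resolve_inside(base_dir, archive_rel_path)
    members = [resolve_inside(base_dir, m) for m in member_rel_paths]
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for member in members:
            zf.write(member, arcname=os.path.relpath(member, os.path.realpath(base_dir)))
    return archive_path


def demo() -> list:
    """Constructed scenario: zip one sample file held in a temporary repository."""
    repo = tempfile.mkdtemp()
    os.makedirs(os.path.join(repo, "data"))
    with open(os.path.join(repo, "data", "readings.csv"), "w") as f:
        f.write("ts,value\n1,42\n")
    archive = create_zip_archive(repo, "readings.zip", ["data/readings.csv"])
    with zipfile.ZipFile(archive) as zf:
        return zf.namelist()
```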
Credit
We would like to thank Jared McLaren and Raymond Doyle at Secureworks for finding and reporting this issue to us.