Article - CS399528

Security vulnerabilities identified in PTC Kepware Products

Modified: 29-Sep-2023   


Applies To

  • KEPServerEX 6.0.2107.0 to 6.14
  • ThingWorx Kepware Server 6.8 to 6.14
  • ThingWorx Industrial Connectivity 8.0 to 8.5

Description

  • CVSS 3.1 Score: 6.3 Medium
  • CVSS 3.1 Vector String: AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
  • CWE: UNCONTROLLED SEARCH PATH ELEMENT CWE-427
  • The installer application of KEPServerEX is vulnerable to DLL search order hijacking. This could allow an adversary to repackage the installer with a malicious DLL and trick users into installing the trojanized software.
  • Common Vulnerabilities and Exposures: CVE-2023-29444 has been assigned to this vulnerability.
  • Researcher Attribution: Sam Hanson of Dragos reported these vulnerabilities to CISA.
 
  • CVSS 3.1 Score: 6.3 Medium
  • CVSS 3.1 Vector String: AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
  • CWE: UNCONTROLLED SEARCH PATH ELEMENT CWE-427
  • KEPServerEX binary is vulnerable to DLL search order hijacking. A locally authenticated adversary could escalate privileges to administrator by planting a malicious DLL in a specific directory.
  • Common Vulnerabilities and Exposures: CVE-2023-29445 has been assigned to this vulnerability.
  • Researcher Attribution: Sam Hanson of Dragos reported these vulnerabilities to CISA.
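
The two DLL search order findings above share one precondition: a directory the process will search when resolving a DLL by bare name is writable by a lower-privileged user. The script below is an added example, not PTC code and not taken from the advisory. It reproduces Microsoft's default DLL search order for a given application directory and reports which of those directories the current account can actually write to; the function names, the install-directory argument and the output format are the example's own assumptions.

```python
"""Added example (not part of the PTC advisory): audit the directories that a
Windows process searches when it loads a DLL by bare name, and report which of
them the current user can write to. That writable-directory-in-the-search-path
condition is the precondition for CWE-427 hijacks such as the ones described
above. The order modelled is Microsoft's default safe search order: application
directory, system directories, current directory, then each PATH entry. The
writability probe creates and removes a temporary file, so run it as the
low-privileged account being evaluated, not as an administrator."""
import os
import sys
import tempfile
from typing import Dict, List, Optional


def windows_search_order(app_dir: str, cwd: str, path_env: str) -> List[str]:
    """Directories in the order Windows consults them, duplicates removed
    (the loader stops at the first directory containing the requested name).
    System directories are added only when running on Windows so the function
    can also be exercised against a sample tree on another platform."""
    order = [app_dir]
    if sys.platform == "win32":
        windir = os.environ.get("SystemRoot", r"C:\Windows")
        order += [os.path.join(windir, "System32"),
                  os.path.join(windir, "System"),
                  windir]
    order.append(cwd)
    order += [p for p in path_env.split(os.pathsep) if p]
    seen, unique = set(), []
    for d in order:
        key = os.path.normcase(os.path.abspath(d))
        if key not in seen:
            seen.add(key)
            unique.append(d)
    return unique


def user_can_write(directory: str) -> bool:
    """Probe by actually creating a file: the only check that is faithful to
    the effective ACL/permission model on every platform."""
    try:
        fd, probe = tempfile.mkstemp(prefix=".dllaudit-", dir=directory)
    except OSError:
        return False
    os.close(fd)
    os.remove(probe)
    return True


def dlls_in(directory: str) -> List[str]:
    """DLL files already present; useful for spotting unexpected names."""
    try:
        return sorted(n for n in os.listdir(directory) if n.lower().endswith(".dll"))
    except OSError:
        return []


def audit(app_dir: str, cwd: Optional[str] = None,
          path_env: Optional[str] = None) -> List[Dict]:
    """One record per existing directory in the search order."""
    cwd = os.getcwd() if cwd is None else cwd
    path_env = os.environ.get("PATH", "") if path_env is None else path_env
    findings = []
    for rank, d in enumerate(windows_search_order(app_dir, cwd, path_env)):
        if os.path.isdir(d):
            findings.append({"rank": rank, "dir": d,
                             "writable": user_can_write(d), "dlls": dlls_in(d)})
    return findings


def hijackable(findings: List[Dict]) -> List[Dict]:
    """Writable directories: a DLL the target loads by name that is not
    satisfied by an earlier, non-writable directory can be planted here."""
    return [f for f in findings if f["writable"]]


if __name__ == "__main__":
    # Usage (illustrative): python dll_search_audit.py "<KEPServerEX install directory>"
    target = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    for f in audit(target):
        print(f"{f['rank']:2d} {'WRITABLE' if f['writable'] else 'ok':8s} "
              f"{f['dir']}  dlls={len(f['dlls'])}")
```

Any directory reported WRITABLE that precedes the directory actually holding a DLL the binary loads is a planting location; a writable application directory is the worst case because it is searched first.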
 
  • CVSS 3.1 Score: 4.7 Medium
  • CVSS 3.1 Vector String: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
  • CWE: IMPROPER INPUT VALIDATION CWE-20
  • KEPServerEX is vulnerable to UNC path injection via a malicious project file. By tricking a user into loading the project file and clicking a specific button in the GUI, an adversary could make Windows authenticate to an attacker-controlled UNC path and so obtain the Windows user's Net-NTLMv2 challenge-response hashes, which could be cracked offline to recover the password.
  • Common Vulnerabilities and Exposures: CVE-2023-29446 has been assigned to this vulnerability.
  • Researcher Attribution: Sam Hanson of Dragos reported these vulnerabilities to CISA.
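
A project file from an untrusted source can be screened for the string shapes that cause Windows to open an SMB session and send an NTLM response. The scanner below is an added example, not PTC code; the advisory does not describe the project file format, so it treats the file as text. The sample project, its key names, the host names and the allow-list policy are constructed for the example.

```python
"""Added example (not from PTC): scan a KEPServerEX project, in any text form,
for UNC-style paths before it is loaded. Windows resolves \\host\share by
opening an SMB session and authenticating with NTLM; the Net-NTLMv2 response it
sends is what the advisory calls "NTLMv2 hashes" and can be brute-forced
offline. The sample project and key names below are constructed."""
import ipaddress
import re
from typing import Dict, Iterable, List

UNC_RE = re.compile(r"""
      (?<![A-Za-z0-9:])\\{2,4}(?P<unc_host>[A-Za-z0-9._-]+)\\{1,2}(?P<unc_share>[^\\"'\s]+)  # \\host\share, also JSON-escaped
    | (?<![:/A-Za-z0-9])//(?P<fs_host>[A-Za-z0-9._-]+)/(?P<fs_share>[^/"'\s]+)              # //host/share, not http://
    | file://(?P<url_host>[A-Za-z0-9._-]+)/(?P<url_share>[^/"'\s]+)                         # file://host/share
""", re.VERBOSE)

# RFC 1918 and loopback; anything else is treated as external. Note that an
# internal name is not safe either: the attacker only needs a listener the
# victim can reach, and names can be poisoned (LLMNR/NBT-NS).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def host_class(host: str) -> str:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "name"
    return "internal-ip" if any(ip in n for n in INTERNAL_NETS) else "external-ip"


def scan_project_text(text: str, allowed_hosts: Iterable[str] = ()) -> List[Dict]:
    """Every UNC-style reference with its line, host, share and allow-list status."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in UNC_RE.finditer(line):
            host = m.group("unc_host") or m.group("fs_host") or m.group("url_host")
            share = m.group("unc_share") or m.group("fs_share") or m.group("url_share")
            findings.append({"line": lineno, "host": host, "share": share,
                             "class": host_class(host),
                             "allowed": host.lower() in allowed,
                             "text": m.group(0)})
    return findings


def verdict(findings: List[Dict]) -> str:
    """Policy: any reference to a host outside the allow-list blocks the load;
    allow-listed references still get a human look before import."""
    if any(not f["allowed"] for f in findings):
        return "BLOCK"
    return "REVIEW" if findings else "OK"


# Constructed sample in a JSON-like text form (key names are illustrative).
SAMPLE_PROJECT = r'''{
  "project": {
    "title": "Line 3 PLCs",
    "channels": [
      {"name": "Channel1", "description": "see \\\\fileserver01\\docs\\io-list.pdf"},
      {"name": "Channel2", "description": "\\\\203.0.113.7\\share\\x"},
      {"name": "Channel3", "description": "help: http://intranet/help //nas01/exports file://203.0.113.9/x"},
      {"name": "Channel4", "description": "local backup C:\\Kepware\\backup"}
    ]
  }
}'''


if __name__ == "__main__":
    found = scan_project_text(SAMPLE_PROJECT, allowed_hosts=("fileserver01", "nas01"))
    for f in found:
        print(f"line {f['line']:3d} {f['class']:12s} {'allowed' if f['allowed'] else 'UNKNOWN':8s} "
              f"\\\\{f['host']}\\{f['share']}")
    print("verdict:", verdict(found))
```

The scan is a compensating control for the import step only; it does not replace blocking outbound SMB (TCP 445) from operator workstations to untrusted networks, which stops the credential leak regardless of how the UNC path is triggered.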
 
  • CVSS 3.1 Score: 5.7 Medium
  • CVSS 3.1 Vector String: AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  • CWE: INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522
  • The KEPServerEX Configuration web server uses HTTP Basic authentication, which only base64-encodes the credentials rather than protecting them. An adversary on an adjacent network could perform a Man-in-the-Middle (MitM) attack, for example via ARP spoofing, and recover the web server credentials in plaintext.
  • Common Vulnerabilities and Exposures: CVE-2023-29447 has been assigned to this vulnerability.
  • Researcher Attribution: Sam Hanson of Dragos reported these vulnerabilities to CISA.
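
Both sides of the exchange behind this finding, as an added example that is not PTC code and not taken from the advisory: the request a Configuration API client emits with Basic authentication, and the decoding an observer who can read the packets performs on a captured stream. The capture, hostname, URL paths and credentials are constructed, and 57412 is assumed here to be the server's plain-HTTP configuration port.

```python
"""Added example (not from PTC): why HTTP Basic authentication on an unencrypted
link exposes credentials. client_request builds what a client sends;
sniff_credentials is what an attacker positioned on the path (after ARP
spoofing, for instance) runs over the captured stream. Everything in the
capture is constructed; the port is assumed."""
import base64
import binascii
import re
from typing import Dict, List, Optional

BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)
HOST_RE = re.compile(r"^Host:\s*(\S+)", re.I | re.M)


def client_request(method: str, path: str, host: str, user: str, password: str,
                   body: str = "") -> str:
    """The bytes a client emits. RFC 7617 Basic is base64(user:password): an
    encoding, not encryption, so any observer can reverse it."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    headers = [f"{method} {path} HTTP/1.1", f"Host: {host}",
               f"Authorization: Basic {token}",
               f"Content-Length: {len(body.encode('utf-8'))}"]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def sniff_credentials(stream: str) -> List[Dict[str, Optional[str]]]:
    """Recover every Basic credential pair from a captured plaintext HTTP stream."""
    creds = []
    # Header blocks end at a blank line; body segments carry no Authorization.
    for block in re.split(r"\r?\n\r?\n", stream):
        auth = BASIC_RE.search(block)
        if not auth:
            continue
        try:
            raw = base64.b64decode(auth.group(1), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # malformed token, not a usable credential
        # RFC 7617: the user-id cannot contain ':', so split on the first one.
        user, sep, password = raw.partition(":")
        if not sep:
            continue
        host = HOST_RE.search(block)
        creds.append({"host": host.group(1) if host else None,
                      "user": user, "password": password})
    return creds


# Constructed capture: one request written out as it appears on the wire and
# one produced by client_request. A real capture would come from a sniffer.
CAPTURED_STREAM = (
    "GET /config/v1/project HTTP/1.1\r\n"
    "Host: kepserver.example:57412\r\n"
    "Authorization: Basic b3BlcmF0b3I6a2Vwd2FyZQ==\r\n"
    "Accept: application/json\r\n"
    "\r\n"
    + client_request("PUT", "/config/v1/project/channels/Channel1",
                     "kepserver.example:57412", "Administrator", "S3cret-Example",
                     body="{}")
)


if __name__ == "__main__":
    for c in sniff_credentials(CAPTURED_STREAM):
        print(f"{c['host']}: {c['user']} / {c['password']}")
```

Nothing in the authentication scheme itself can be tightened to fix this; the protection has to come from the transport (TLS to the configuration interface) and from not exposing the interface on networks where an attacker can get on-path.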
 
  • Note that PTC has no indication, nor has it been made aware, that any of these vulnerabilities have been or are being exploited.

 
This is a printer-friendly version of Article 399528 and may be out of date. For the latest version click CS399528