CVE-2022-40977: VDE-2022-033 | CERT@VDE
A path traversal vulnerability was discovered in Pilz PASvisu Server before 1.12.0. An unauthenticated remote attacker could use a zipped, malicious configuration file to trigger arbitrary file writes (‘zip-slip’).
2022-11-24 10:00 (CET) VDE-2022-033
Pilz: PASvisu and PMI affected by multiple vulnerabilities
**Published**
2022-11-24 10:00 (CET)
**Last update**
2022-11-17 15:32 (CET)
Vendor(s)
Pilz GmbH & Co. KG
Product(s)

| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| - | PASvisu Software | < 1.12.0 |
| 265507 | PMI v5xx | <= 1.3.58 |
| 265512 | PMI v5xx | <= 1.3.58 |
| 266704 | PMI v7xx | < 2.2.0 |
| 266707 | PMI v7xx | < 2.2.0 |
| 266807 | PMI v8xx | < 1.6.102 |
| 266812 | PMI v8xx | < 1.6.102 |
| 266815 | PMI v8xx | < 1.6.102 |
**Summary**
PASvisu is an HMI solution for Machine Visualization. It is available as a standalone software product, but it is also included in various models of the PMI product family. The PASvisu Server component contains multiple vulnerabilities which can be utilised to write arbitrary files, potentially leading to code execution.
**Vulnerabilities**

Vulnerability 1
Last Update: Sept. 30, 2022, 8:41 a.m.
Weakness: Files or Directories Accessible to External Parties (CWE-552)
Summary: This affects the package cesanta/mongoose before 7.6. The unsafe handling of file names during upload using the mg_http_upload() method may enable attackers to write files to arbitrary locations outside the designated target folder.

Vulnerability 2 (CVE-2022-40977)
Last Update: Nov. 10, 2022, 11:47 a.m.
Weakness: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) (CWE-22)
Summary: A path traversal vulnerability was discovered in Pilz PASvisu Server before 1.12.0. An unauthenticated remote attacker could use a zipped, malicious configuration file to trigger arbitrary file writes (‘zip-slip’).
**Impact**
The PASvisu Server provides an integrated web server which is also used to send the configuration from the PASvisu Builder to the server component. When receiving and processing a configuration, it does not properly check pathnames. If the PASvisu Server is not properly protected by setting an administration password, the listed vulnerabilities can be exploited by an attacker to write arbitrary files. In the worst case scenario this could lead to remote code execution.
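Both entries above share one root cause: an archive- or client-supplied file name is joined onto the target folder without checking that the result stays inside it. The following is an added example, not code from Pilz, PASvisu or cesanta/mongoose, showing how an extractor for an uploaded configuration archive should validate each entry (name-level rejection of `..`, absolute paths and drive letters, plus a realpath containment check on the final path). The archive contents and file names are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile
from pathlib import PurePosixPath

def is_safe_member(name: str) -> bool:
    """True if a zip entry name cannot escape the extraction root.
    Rejects absolute paths, drive letters, backslashes and '..' components,
    the check a zip-slip-prone extractor omits before joining the name."""
    if not name or "\\" in name or name.startswith("/"):
        return False
    if len(name) > 1 and name[1] == ":":  # Windows drive letter, e.g. C:
        return False
    return ".." not in PurePosixPath(name).parts

def safe_extract(zip_bytes: bytes, dest_dir: str) -> tuple[list[str], list[str]]:
    """Extract only safe members into dest_dir; return (written, rejected).
    Second guard: the realpath of each output must still lie under dest_dir."""
    root = os.path.realpath(dest_dir)
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            inside = os.path.commonpath([root, target]) == root
            if not is_safe_member(info.filename) or not inside:
                rejected.append(info.filename)  # log and drop, never write
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected

def build_sample_config_zip() -> bytes:
    """Constructed sample: one legitimate entry plus one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/config.xml", "<config/>")
        zf.writestr("../../outside.txt", "must never land outside dest_dir")
    return buf.getvalue()

def demo() -> tuple[list[str], list[str]]:
    """Run the safe extractor on the sample archive in a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        return safe_extract(build_sample_config_zip(), d)
```

Rejected entry names are a useful detection signal: a configuration upload containing `..` or absolute paths is not something the PASvisu Builder would produce and warrants an alert rather than a silent skip.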
**Solution**
General Countermeasures
- Restrict HTTP and HTTPS traffic to the PASvisu Server by using a firewall or other measures on the network level.
Product-specific Countermeasures
- PASvisu software, PMI v7xx, PMI v8xx: Configure an administration password.
- PASvisu, PMI v7xx, PMI v8xx: Install the fixed version as soon as it is available. Please visit the Pilz Shop (www.pilz.com/enINT/eshop) to check for a fixed version.
**Reported by**
Pilz would like to thank CERT@VDE for coordinating publication.