Back to overview

PHOENIX CONTACT: Path Traversal in Library of PLCnext Technology Toolchain and FL Network Manager

VDE-2022-007
Last update
05/22/2025 15:03
Published at
03/22/2022 08:43
Vendor(s)
Phoenix Contact GmbH & Co. KG
External ID
VDE-2022-007
CSAF Document
Download

Summary

SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry ../evil.txt may be extracted in the parent directory of destFolder. This leads to arbitrary file write that may lead to code execution. The vulnerability was fixed in SharpZipLib version 1.3.3.

Impact

SharpZipLib is used in PLCnext CLI for the SDK installation on Windows.
Via a specially crafted 'zip file' an attacker could take over a vulnerable PC, gain unauthorised access to sensitive data, or affect the availability of the system.

In FL Network Manager SharpZipLib is used for opening device snapshots.
A snapshot file contains, for example, information about the device status, the device configuration, an event log, etc. The snapshot file is a zip archive with the prefix "snapshot" and the extension "tar.gz". This zip file helps Phoenix Contact to solve problems with the device.
The client may choose arbitrary files used as a snapshot. If the snapshot is compromised it may lead to code execution described in the vulnerability section.

Affected Product(s)

Model no. Product name Affected versions
2702889 FL Network Manager <=6.0 FL Network Manager <=6.0
PLCnext Technology tool chain for Windows <2022.0 LTS PLCnext Technology tool chain for Windows <2022.0 LTS

Vulnerabilities

Expand / Collapse all

Published
09/22/2025 14:58
Severity
9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Summary

SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry '../evil.txt' may be extracted in the parent directory of 'destFolder'. This leads to arbitrary file write that may lead to code execution. The vulnerability was patched in version 1.3.3.

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:58
Severity
5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Weakness
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Summary

SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Starting version 1.0.0 and prior to version 1.3.3, a check was added if the destination file is under a destination directory. However, it is not enforced that '_baseDirectory' ends with slash. If the _baseDirectory is not slash terminated like '/home/user/dir' it is possible to create a file with a name thats begins as the destination directory one level up from the directory, i.e. '/home/user/dir.sh'. Because of the file name and destination directory constraints, the arbitrary file creation impact is limited and depends on the use case. Version 1.3.3 fixed this vulnerability.

References
cve.org | nvd.nist.gov

Remediation

PHOENIX CONTACT strongly recommends updating the PLCnext Technology tool chain for Windows to Version 2022.0 LTS or higher, which fixes this vulnerability and can be downloaded from the download area (Software) of your PLCnext Controller.

Please use the Device Snapshots only from safe sources and ensure data integrity or update the FL Network Manager to Version 6.0.1 or higher.

Revision History

Version Date Summary
1 03/22/2022 08:43 Initial revision.
2 05/22/2025 15:03 Fix: quotation mark