VDE-2022-044 | CERT@VDE

2022-11-24 10:00 (CET) VDE-2022-044

Pilz: Multiple products affected by ZipSlip

Share: Email | Twitter

ID

VDE-2022-044

Published

2022-11-24 10:00 (CET)

Last update

2022-11-17 15:32 (CET)

Vendor(s)

Pilz GmbH & Co. KG

Product(s)

Article No°	Product Name	Affected Version(s)
-	PAScal	<= 1.9.1
-	PASconnect	< 1.4.0
-	PASmotion	< 1.4.1
-	PNOZmulti Configurator	< 11.2.0
-	PNOZmulti Configurator LTS	< 10.14.4

Summary

Several Pilz software products do not properly check pathnames contained in archives. An attacker can utilise this vulnerability to write arbitrary files, potentially leading to code execution.

CVE ID

CVE-2022-40976

Last Update:

Dec. 13, 2022, 10:34 a.m.

Severity

5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

Weakness

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Summary

A path traversal vulnerability was discovered in multiple Pilz products. An unauthenticated local attacker could use a zipped, malicious configuration file to trigger arbitrary file writes ('zip-slip').

Details

nvd.nist.gov

Impact

The affected software products are using ZIP archives to save and load project backups and libraries. When loading a ZIP archive, the contained pathnames are not checked properly for relative path components. If a user loads a manipulated ZIP archive the vulnerability can be used to place potentially malicious files outside of the application's working directory. Depending on the user’s privileges this can lead to code execution.

Solution

General Countermeasures

Do not use .zip or .par files from untrusted sources. If you need to load a file from an
untrusted source, please contact your local Pilz support.

Product-specific Countermeasures

Please visit the Pilz Shop (www.pilz.com/en-INT/eshop) to check for the fixed version

Reported by

Pilz would like to thank CERT@VDE for coordinating publication.