The affected products are vulnerable to an integer
overflow or wraparound, which could allow an attacker to crash the server and remotely
execute arbitrary code.
Description: CWE-190 Integer Overflow or Wraparound
Metrics
Version
Base score
Base severity
Vector
3.1
9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version:3.1
Base score:9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC ID
Description
Solutions
PTC has released the following resolutions:
Update the impacted product to the latest version:
·
ThingWorx Edge C-SDK: 3.0.0 or later.
·
ThingWorx Edge MicroServer (EMS): v5.4.11 or
later.
·
.NET-SDK: v5.8.5 or later.
For Kepware products, the vulnerability is mitigated if the
ThingWorx Interface is not enabled. To use the ThingWorx Interface
without the vulnerability, update to the latest version of the product:
·
Kepware KEPServerEX: v6.13 or later.
·
ThingWorx Kepware Server (formerly ThingWorx
Industrial Connectivity): v6.13 or later.
·
ThingWorx Kepware Edge: v1.6 or later.
The following products should be upgraded as indicated or in
accordance with the applicable organization’s recommendations if the ThingWorx
Interface is in use:
·
Rockwell Automation KEPServer Enterprise: v6.13
or later.
·
GE Digital Industrial Gateway Server: v7.613 or
later.
For
more information see PTC’s Customer Support Article
.
Configurations
Workarounds
Exploits
Credits
finder
Chris Anastasio and Steven Seeley of Incite Team reported these vulnerabilities to CISA.