PN1618 | ThinManager Software Path Traversal and Denial-Of-Service Attack

Executive Summary

A security issue was discovered by Tenable Security Researchers and reported to Rockwell Automation. This  was discovered in the ThinManager® ThinServer™ software. Successful use of this security issue could allow a threat actor to perform remote code execution on the target or crash the software.

Affected Products

ThinManager ThinServer software	Versions
	6.x – 10.x
	11.0.0 – 11.0.5
	11.1.0 – 11.1.5
	11.2.0 – 11.2.6
	12.0.0 – 12.0.4
	12.1.0 – 12.1.5
	13.0.0-13.0.1

Security Issue Details

CVE 2023-27855 ThinManager ThinServer Path Traversal Upload

CVSS Base Score: 9.8 /10 (Critical)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

A path traversal exists when processing a message. An unauthenticated remote attacker could use this security issue to upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed. The attacker can overwrite existing executable files with attacker-controlled, malicious content. This could cause a remote code execution.

CVE 2023-27856 ThinManager ThinServer Path Traversal Download

CVSS Base Score: 7.5 /10 (High)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

A path traversal exists when processing a message of type 8 in the affected versions. An unauthenticated remote attacker can use this security issue to download arbitrary files on the disk drive where ThinServer.exe is installed.

CVE 2023-27857 ThinManager ThinServer Heap-Based Buffer Overflow

CVSS Base Score: 7.5/10 (High)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

A heap-based buffer over-read condition occurs when the message field indicates more data than is present in the message field. An unauthenticated remote attacker can use this security issue to crash ThinServer.exe due to a read access violation.

Risk Mitigation & User Action

Customers should use the risk mitigations provided and combine these mitigations with the general security guidelines to use the strategies simultaneously.

CVE-2023-27855 CVE-2023-27856 CVE-2023-27857	First Known Affected	Fixed Versions
	6.x – 10.x	These versions are retired. Please update to the supported version.
	11.0.0 – 11.0.5	Update to v11.0.6
	11.1.0 – 11.1.5	Update to v11.1.6
	11.2.0 – 11.2.6	Update to v11.2.7
	12.0.0 – 12.0.4	Update to v12.0.5
	12.1.0 – 12.1.5	Update to v12.1.6
	13.0.0 – 13.0.1	Update to v13.0.2

Additional Mitigations

If customers are unable to update to the patched version, the following mitigations should be put in place:

• Limiting remote access to TCP port 2031 to known thin clients and ThinManager servers would limit some access to exploit this vulnerability.

For additional security best practices, please see our Knowledgebase article, QA43240 - Recommended Security Guidelines from Rockwell Automation, to maintain your environment.

References

• QA41731 - ThinManager Upgrade Instructions
• CVE-2023-27855
• CVE-2023-27856
• CVE-2023-28757

Glossary

Heap-Based Buffer Over-Read Condition: a type of buffer overflow flaw where the execution occurs in the heap data area. An over-read condition occurs when a program, while reading data from a buffer, overruns the buffer’s boundary and reads adjacent memory

Path Traversal: allows attackers to access files and directories that are stored outside the intended directory