VDE-2022-007
Vulnerability from csaf_phoenixcontactgmbhcokg - Published: 2022-03-22 07:43 - Updated: 2025-05-22 13:03
SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry '../evil.txt' may be extracted in the parent directory of 'destFolder'. This leads to arbitrary file write that may lead to code execution. The vulnerability was patched in version 1.3.3.
SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. In versions from 1.0.0 up to, but not including, 1.3.3, a check verifies that the destination file is under the destination directory. However, it is not enforced that '_baseDirectory' ends with a slash. If '_baseDirectory' is not slash-terminated, like '/home/user/dir', the check also accepts sibling paths that merely share that prefix, so it is possible to create a file one level up from the directory whose name begins with the destination directory name, for example '/home/user/dir.sh'. Because of the file name and destination directory constraints, the arbitrary file creation impact is limited and depends on the use case. Version 1.3.3 fixed this vulnerability.
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
},
{
"names": [
"Jaroslav Loba\u010devski"
],
"organization": "GHSL",
"summary": "discovering and reporting."
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry ../evil.txt may be extracted in the parent directory of destFolder. This leads to arbitrary file write that may lead to code execution. The vulnerability was fixed in SharpZipLib version 1.3.3.",
"title": "Summary"
},
{
"category": "description",
"text": "SharpZipLib is used in PLCnext CLI for the SDK installation on Windows.\nVia a specially crafted \u0027zip file\u0027 an attacker could take over a vulnerable PC, gain unauthorised access to sensitive data, or affect the availability of the system.\n\nIn FL Network Manager SharpZipLib is used for opening device snapshots.\nA snapshot file contains, for example, information about the device status, the device configuration, an event log, etc. The snapshot file is a zip archive with the prefix \"snapshot\" and the extension \"tar.gz\". This zip file helps Phoenix Contact to solve problems with the device.\nThe client may choose arbitrary files used as a snapshot. If the snapshot is compromised it may lead to code execution described in the vulnerability section.",
"title": "Impact"
},
{
"category": "description",
"text": "PHOENIX CONTACT strongly recommends updating the PLCnext Technology tool chain for Windows to Version 2022.0 LTS or higher, which fixes this vulnerability and can be downloaded from the download area (Software) of your PLCnext Controller.\n\nPlease use the Device Snapshots only from safe sources and ensure data integrity or update the FL Network Manager to Version 6.0.1 or higher.",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@phoenixcontact.com",
"name": "Phoenix Contact GmbH \u0026 Co. KG",
"namespace": "https://phoenixcontact.com/psirt"
},
"references": [
{
"category": "external",
"summary": "PHOENIX CONTACT advisory overview at CERT@VDE",
"url": "https://certvde.com/de/advisories/vendor/phoenixcontact/"
},
{
"category": "self",
"summary": "VDE-2022-007: PHOENIX CONTACT: Path Traversal in Library of PLCnext Technology Toolchain and FL Network Manager - HTML",
"url": "https://certvde.com/en/advisories/VDE-2022-007"
},
{
"category": "self",
"summary": "VDE-2022-007: PHOENIX CONTACT: Path Traversal in Library of PLCnext Technology Toolchain and FL Network Manager - CSAF",
"url": "https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2022/vde-2022-007.json"
}
],
"title": "PHOENIX CONTACT: Path Traversal in Library of PLCnext Technology Toolchain and FL Network Manager",
"tracking": {
"aliases": [
"VDE-2022-007"
],
"current_release_date": "2025-05-22T13:03:10.000Z",
"generator": {
"date": "2025-03-24T09:50:10.592Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.21"
}
},
"id": "VDE-2022-007",
"initial_release_date": "2022-03-22T07:43:00.000Z",
"revision_history": [
{
"date": "2022-03-22T07:43:00.000Z",
"number": "1",
"summary": "Initial revision."
},
{
"date": "2025-05-22T13:03:10.000Z",
"number": "2",
"summary": "Fix: quotation mark"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=6.0",
"product": {
"name": "FL Network Manager \u003c=6.0",
"product_id": "CSAFPID-51001",
"product_identification_helper": {
"model_numbers": [
"2702889"
]
}
}
},
{
"category": "product_version_range",
"name": "\u003c4.0",
"product": {
"name": "FL Network Manager \u003c4.0",
"product_id": "CSAFPID-52001",
"product_identification_helper": {
"model_numbers": [
"2702889"
]
}
}
},
{
"category": "product_version",
"name": "6.0.1",
"product": {
"name": "FL Network Manager 6.0.1",
"product_id": "CSAFPID-52002",
"product_identification_helper": {
"model_numbers": [
"2702889"
]
}
}
}
],
"category": "product_name",
"name": "FL Network Manager"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c2022.0 LTS",
"product": {
"name": "PLCnext Technology tool chain for Windows \u003c2022.0 LTS",
"product_id": "CSAFPID-51002"
}
},
{
"category": "product_version_range",
"name": "\u003c2019.0 LTS",
"product": {
"name": "PHOENIX CONTACT Software PLCnext Technology tool chain for Windows \u003c2019.0 LTS",
"product_id": "CSAFPID-52003"
}
},
{
"category": "product_version",
"name": "2022.0 LTS ",
"product": {
"name": "PLCnext Technology tool chain for Windows 2022.0 LTS ",
"product_id": "CSAFPID-52004"
}
}
],
"category": "product_name",
"name": "PLCnext Technology tool chain for Windows"
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "PHOENIX CONTACT"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-51001",
"CSAFPID-51002"
],
"summary": "Affected Products."
},
{
"group_id": "CSAFGID-0002",
"product_ids": [
"CSAFPID-52001",
"CSAFPID-52003"
],
"summary": "Not Affected Products"
},
{
"group_id": "CSAFGID-0003",
"product_ids": [
"CSAFPID-52002",
"CSAFPID-52004"
],
"summary": "Fixed Products."
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-32840",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "description",
"text": "SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry \u0027../evil.txt\u0027 may be extracted in the parent directory of \u0027destFolder\u0027. This leads to arbitrary file write that may lead to code execution. The vulnerability was patched in version 1.3.3.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-52002",
"CSAFPID-52004"
],
"known_affected": [
"CSAFPID-51001",
"CSAFPID-51002"
],
"known_not_affected": [
"CSAFPID-52001",
"CSAFPID-52003"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "PHOENIX CONTACT strongly recommends updating the PLCnext Technology tool chain for Windows to Version 2022.0 LTS or higher, which fixes this vulnerability and can be downloaded from the download area (Software) of your PLCnext Controller.\n\nPlease use the Device Snapshots only from safe sources and ensure data integrity or update the FL Network Manager to Version 6.0.1 or higher.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-51001",
"CSAFPID-51002"
]
}
],
"title": "CVE-2021-32840"
},
{
"cve": "CVE-2021-32842",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "description",
"text": "SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. In versions from 1.0.0 up to, but not including, 1.3.3, a check verifies that the destination file is under the destination directory. However, it is not enforced that \u0027_baseDirectory\u0027 ends with a slash. If \u0027_baseDirectory\u0027 is not slash-terminated, like \u0027/home/user/dir\u0027, the check also accepts sibling paths that merely share that prefix, so it is possible to create a file one level up from the directory whose name begins with the destination directory name, for example \u0027/home/user/dir.sh\u0027. Because of the file name and destination directory constraints, the arbitrary file creation impact is limited and depends on the use case. Version 1.3.3 fixed this vulnerability.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-52002",
"CSAFPID-52004"
],
"known_affected": [
"CSAFPID-51001",
"CSAFPID-51002"
],
"known_not_affected": [
"CSAFPID-52001",
"CSAFPID-52003"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "PHOENIX CONTACT strongly recommends updating the PLCnext Technology tool chain for Windows to Version 2022.0 LTS or higher, which fixes this vulnerability and can be downloaded from the download area (Software) of your PLCnext Controller.\n\nPlease use the Device Snapshots only from safe sources and ensure data integrity or update the FL Network Manager to Version 6.0.1 or higher.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"environmentalScore": 5.3,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 5.3,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-51001",
"CSAFPID-51002"
]
}
],
"title": "CVE-2021-32842"
}
]
}