Zero-day allows code execution in Windchill and FlexPLM

The manufacturer warns and urges admins to urgently secure their instances with a workaround. A patch is still pending.


The Windchill and FlexPLM software contains a security vulnerability that allows code execution. The manufacturer urgently calls for security measures to be taken; a patch is not yet available.

Information about the vulnerability is scarce; neither a CVE identifier nor warnings from national CERTs (Computer Emergency Response Teams) are available. However, the manufacturer and its partners appear to be concerned: they assign the highest possible score of 10.0 on the CVSS scale and urge customers to react immediately.

Apparently, the flaw lies in the deserialization performed by the servlets /servlet/WindchillGW/com.ptc.wvs.server.publish.Publish and /servlet/WindchillAuthGW/com.ptc.wvs.server.publish.Publish. If these are reachable by an attacker, for example because the Windchill server is exposed to the internet, the attacker can inject and execute code.


According to the manufacturer PTC's extremely brief security notice in the Knowledge Base, the following versions are affected:

  • Windchill PDMLink 11.0 M030
  • Windchill PDMLink 11.1 M020
  • Windchill PDMLink 11.2.1.0
  • Windchill PDMLink 12.0.2.0
  • Windchill PDMLink 13.0.2.0
  • Windchill PDMLink 13.1.0.0
  • Windchill PDMLink 13.1.1.0
  • Windchill PDMLink 13.1.2.0
  • Windchill PDMLink 13.1.3.0
  • Windchill PDMLink 12.1.2.0
  • FlexPLM 11.0 M030
  • FlexPLM 11.1 M020
  • FlexPLM 11.2.1.0
  • FlexPLM 12.0.0.0
  • FlexPLM 12.0.2.0
  • FlexPLM 12.0.3.0
  • FlexPLM 12.1.2.0
  • FlexPLM 12.1.3.0
  • FlexPLM 13.0.2.0
  • FlexPLM 13.0.3.0

Until a patch is available, admins should use a workaround. As described by the Windchill service provider EAC in a communication to its customers, this requires a configuration change to the Apache web server. According to EAC, this should be done immediately to neutralize the risk of an exploit.

  1. Create a new configuration file <APACHE_HOME>/conf/conf.d/90-app-Windchill-Auth.conf. (If a file with the prefix 90- or a higher number already exists, give the new file the highest number so that it is loaded last.)
  2. Add the following directive to it:
    <LocationMatch "^.*servlet/(WindchillGW|WindchillAuthGW)/com\.ptc\.wvs\.server\.publish\.Publish(?:;[^/]*)?/.*$">Require all denied</LocationMatch>
  3. Restart the web server using the usual commands.
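As an added example (not part of the article, the PTC notice or the EAC workaround), the following Python check compiles the LocationMatch pattern above, scans Apache access-log lines for requests that reached the Publish servlet and reports whether the rule would have denied each one. Note that the pattern, as written, only matches when a further path segment follows Publish; one constructed sample line shows such a request so that admins can compare the rule against the URL forms their own server actually answers. The log lines, client addresses and sub-paths are constructed for the example.

```python
import re

# The LocationMatch regex from the EAC workaround, copied verbatim.
WORKAROUND_RE = re.compile(
    r"^.*servlet/(WindchillGW|WindchillAuthGW)/com\.ptc\.wvs\.server\.publish\.Publish(?:;[^/]*)?/.*$"
)
# Broader detection regex (added here, not from the advisory): any path that reaches the Publish
# servlet, with or without a ";" path parameter or a trailing path segment.
PUBLISH_RE = re.compile(
    r"servlet/(?:WindchillGW|WindchillAuthGW)/com\.ptc\.wvs\.server\.publish\.Publish(?:;[^/]*)?(?:/|$)"
)
# Apache common/combined log prefix: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def rule_denies(path: str) -> bool:
    # True if the workaround's <LocationMatch> would apply "Require all denied" to this URL path.
    return WORKAROUND_RE.match(path) is not None

def scan_access_log(lines):
    # One record per request that touched the Publish servlet, noting whether the rule covers it.
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["target"].split("?", 1)[0]  # LocationMatch sees the URL path, not the query string
        if PUBLISH_RE.search(path):
            hits.append({
                "client": m["client"],
                "method": m["method"],
                "path": path,
                "status": int(m["status"]),
                "covered_by_rule": rule_denies(path),
            })
    return hits

# Constructed sample lines (not real traffic); the client addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2025:12:00:01 +0000] "POST /Windchill/servlet/WindchillGW/com.ptc.wvs.server.publish.Publish/publish HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2025:12:00:02 +0000] "POST /Windchill/servlet/WindchillAuthGW/com.ptc.wvs.server.publish.Publish;jsessionid=XYZ/publish HTTP/1.1" 403 199',
    '203.0.113.5 - - [10/Oct/2025:12:00:03 +0000] "GET /Windchill/servlet/WindchillGW/com.ptc.wvs.server.publish.Publish?a=1 HTTP/1.1" 200 301',
    '203.0.113.5 - - [10/Oct/2025:12:00:04 +0000] "GET /Windchill/app/ HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(h["client"], h["method"], h["path"], "->", h["status"], "covered" if h["covered_by_rule"] else "NOT covered by rule")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; any hit that is "NOT covered by rule" but is still served by the instance is a reason to revisit the pattern with the vendor or service provider.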

Although the manufacturer claims to have no knowledge of successful attacks, service provider EAC mentions several "Indicators of Compromise" (IOCs). This means that attacks against Windchill or FlexPLM servers must have already occurred. The IOCs indicate that after a successful exploit, attackers upload files containing malicious code to the server, typically web shells. Instances operated by PTC itself are already protected.

Insecure deserialization is a known entry point for exploits and is popular with cybercriminals and state-sponsored attackers. Just a few days ago, the US cybersecurity agency added another deserialization vulnerability in Microsoft SharePoint to its database of Known Exploited Vulnerabilities.

(cku)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.