Phoenix Contact: PC Worx/-Express prone to improper input validation vulnerability
Description
PC Worx Automation Suite up to 1.88 allows arbitrary file unpack via a manipulated project file, enabling potential workstation compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
PC Worx Automation Suite (including PC Worx and PC Worx Express) versions up to 1.88 contain an improper input validation vulnerability in the handling of project files. An attacker can craft a project file that exploits a path traversal (zip slip) weakness to unpack files outside the intended project directory. [1]
Exploitation
An attacker with the ability to deliver a manipulated project file to a user of PC Worx Automation Suite can exploit this vulnerability. The user must load the malicious project file into the software. No additional privileges are required beyond access to the software interface. [1]
Impact
Successful exploitation could allow an attacker to write arbitrary files to arbitrary locations on the workstation where the software is running. This could lead to compromise of availability, integrity, or confidentiality of the programming workstation. Note: Automated systems in operation programmed with these products are not affected. [1]
Mitigation
Phoenix Contact has released a fix in version 1.89 of PC Worx Automation Suite. Users should update to the latest version. No workarounds are provided. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.88
- Range: PC Worx
Patches
No patches discovered yet.
References
- [1] cert.vde.com/en/advisories/VDE-2021-052/ (mitre, x_refsource_CONFIRM)