CVE-2023-29444 - OpenCVE

An uncontrolled search path element vulnerability (DLL hijacking) has been discovered that could allow a locally authenticated adversary to escalate privileges to SYSTEM. Alternatively, they could host a trojanized version of the software and trick victims into downloading and installing their malicious version to gain initial access and code execution.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ptc	Kepware Kepserverex Thingworx Industrial Connectivity Thingworx Kepware Server

Configuration 1 [-]

cpe:2.3:a:ptc:kepware_kepserverex:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:ptc:thingworx_kepware_server:*:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:ptc:thingworx_industrial_connectivity:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-03
https://www.ptc.com/en/support/article/cs399528

History

No history.

MITRE

Status: PUBLISHED

Assigner: Dragos

Published: 2024-01-10T17:06:35.965Z

Updated: 2024-08-02T14:07:46.269Z

Reserved: 2023-04-06T17:45:40.441Z

Link: CVE-2023-29444

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-10T17:15:08.493

Modified: 2024-01-19T17:36:09.637

Link: CVE-2023-29444

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-29444", "assignerOrgId": "12bdf821-1545-4a87-aac5-61670cc6fcef", "state": "PUBLISHED", "assignerShortName": "Dragos", "dateReserved": "2023-04-06T17:45:40.441Z", "datePublished": "2024-01-10T17:06:35.965Z", "dateUpdated": "2024-08-02T14:07:46.269Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows"], "product": "Kepware KEPServerEX", "vendor": "PTC", "versions": [{"lessThanOrEqual": "6.14.263.0", "status": "affected", "version": "0", "versionType": "0"}]}, {"defaultStatus": "unaffected", "platforms": ["Windows"], "product": "ThingWorx Kepware Server", "vendor": "PTC", "versions": [{"lessThanOrEqual": "6.14.263.0", "status": "affected", "version": "0", "versionType": "0"}]}, {"defaultStatus": "unaffected", "platforms": ["Windows"], "product": "ThingWorx Industrial Connectivity", "vendor": "PTC", "versions": [{"lessThanOrEqual": "8.5", "status": "affected", "version": "8.0", "versionType": "0"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Sam Hanson of Dragos"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An uncontrolled search path element vulnerability (DLL hijacking) has been discovered that could allow a locally authenticated adversary to escalate privileges to SYSTEM. Alternatively, they could host a trojanized version of the software and trick victims into downloading and installing their malicious version to gain initial access and code execution."}], "value": "An uncontrolled search path element vulnerability (DLL hijacking) has been discovered that could allow a locally authenticated adversary to escalate privileges to SYSTEM. Alternatively, they could host a trojanized version of the software and trick victims into downloading and installing their malicious version to gain initial access and code execution."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-427", "description": "CWE-427 Uncontrolled Search Path Element", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "12bdf821-1545-4a87-aac5-61670cc6fcef", "shortName": "Dragos", "dateUpdated": "2024-01-10T17:06:35.965Z"}, "references": [{"tags": ["government-resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-03"}, {"tags": ["vendor-advisory"], "url": "https://www.ptc.com/en/support/article/cs399528"}], "source": {"discovery": "EXTERNAL"}, "title": "Uncontrolled Search Path Element in PTC's Kepware KEPServerEX", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:07:46.269Z"}, "title": "CVE Program Container", "references": [{"tags": ["government-resource", "x_transferred"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-03"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://www.ptc.com/en/support/article/cs399528"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ptc:kepware_kepserverex:*:*:*:*:*:*:*:*", "matchCriteriaId": "BE266C92-959F-41CE-A8DA-DC3D336BC169", "versionEndIncluding": "6.14.263.0", "versionStartIncluding": "6.0.2107.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ptc:thingworx_kepware_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "99455409-195C-418C-A227-E9C67E70C2F3", "versionEndIncluding": "6.14.263.0", "versionStartIncluding": "6.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ptc:thingworx_industrial_connectivity:*:*:*:*:*:*:*:*", "matchCriteriaId": "10F80877-E2FA-4800-B4EB-BC87E35A9441", "versionEndIncluding": "8.5", "versionStartIncluding": "8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An uncontrolled search path element vulnerability (DLL hijacking) has been discovered that could allow a locally authenticated adversary to escalate privileges to SYSTEM. Alternatively, they could host a trojanized version of the software and trick victims into downloading and installing their malicious version to gain initial access and code execution."}, {"lang": "es", "value": "Se ha descubierto una vulnerabilidad de elemento de ruta de b\u00fasqueda no controlada (secuestro de DLL) que podr\u00eda permitir a un adversario autenticado localmente escalar privilegios a SYSTEM. Alternativamente, podr\u00edan alojar una versi\u00f3n con troyano del software y enga\u00f1ar a las v\u00edctimas para que descarguen e instalen su versi\u00f3n maliciosa para obtener acceso inicial y ejecuci\u00f3n del c\u00f3digo."}], "id": "CVE-2023-29444", "lastModified": "2024-01-19T17:36:09.637", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.3, "impactScore": 5.9, "source": "ot-cert@dragos.com", "type": "Secondary"}]}, "published": "2024-01-10T17:15:08.493", "references": [{"source": "ot-cert@dragos.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-03"}, {"source": "ot-cert@dragos.com", "tags": ["Vendor Advisory"], "url": "https://www.ptc.com/en/support/article/cs399528"}], "sourceIdentifier": "ot-cert@dragos.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-427"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-427"}], "source": "ot-cert@dragos.com", "type": "Secondary"}]}