CVE-2023-2917
Published: 2023-08-17
Priority: P186 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available: yes
EPSS: 67.84% (99.2th percentile)
The Rockwell Automation ThinManager ThinServer is affected by an improper input validation vulnerability. Because the filename field is not validated when ThinManager processes a certain function, a path traversal exists. If exploited, an unauthenticated remote attacker can upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed. An attacker exploits this by sending a crafted synchronization protocol message and can potentially gain remote code execution.
Affected (the source lists 14 ranges; only the rows carrying version data are shown)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rockwellautomation | thinmanager_thinserver | 11.0.0 – 11.0.6 | — |
| rockwellautomation | thinmanager_thinserver | 11.1.0 – 11.1.6 | — |
| rockwellautomation | thinmanager_thinserver | 11.2.0 – 11.2.7 | — |
| rockwellautomation | thinmanager_thinserver | 12.0.0 – 12.0.5 | — |
| rockwellautomation | thinmanager_thinserver | 12.1.0 – 12.1.6 | — |
| rockwellautomation | thinmanager_thinserver | 13.0.0 – 13.0.2 | — |
Note: the detection notes below state the affected range as 11.0.0 through 13.1.0, so 13.1.0 should also be treated as affected when checking inventory.
Detection & IOCs (extracted from sources)
Byte pattern (start of a crafted message; the trailing 2E 2E 5C repeats are the '..\' traversal sequence):
00 26 00 21 00 00 00 79 ... 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 5C
- Monitor TCP port 2031 for unauthenticated inbound connections from unexpected sources; the vulnerable ThinServer synchronization service listens on this port by default.
- Detect message type 38 (SYNC_MSG_SEND_FILE_BACKGROUND) on TCP/2031 containing path traversal sequences (e.g., repeated '..\' bytes: 2E 2E 5C) in the file_name field, indicating an arbitrary file upload attempt.
- Detect message type 21 on TCP/2031 containing path traversal sequences (repeated '..\') in the files field, indicating an arbitrary file deletion attempt under SYSTEM context.
- Alert on new or modified executable files (e.g., .exe, .dll) written to system directories (e.g., Windows\System32) by ThinServer.exe, which may indicate successful exploitation and RCE staging.
- Detect message type 13 on TCP/2031 where the dsize field is set to 0x7FFFFFFF (bytes: 7F FF FF FF), which triggers the integer overflow in GetDataFromMsgBody and causes an access violation / DoS.
- The vulnerability affects ThinManager ThinServer versions 11.0.0 through 13.1.0; the synchronization service runs as NT AUTHORITY\SYSTEM, maximizing the impact of exploitation.
- No authentication is required to send crafted synchronization protocol messages to TCP/2031, making this remotely exploitable by any unauthenticated attacker with network access.
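The detection notes above describe three things to look for on TCP/2031: a type 38 message whose file_name carries repeated '..\' (this CVE), a type 21 message with the same traversal in its files field, and a type 13 message with dsize 0x7FFFFFFF. The following is an added example of that detection logic, written for this page and not taken from Rockwell, CISA or any detection product. It assumes a wire layout the page does not spell out: a big-endian 16-bit message type at offset 0 (the IOC bytes `00 26` decode to 38 under that reading) followed by an opaque body, and it searches the body for the traversal and overflow byte sequences rather than parsing named fields. The names `MSG_DELETE_FILES` and `MSG_DATA_CHUNK`, the helper `classify`/`scan_flows`, and all sample payloads are constructed for illustration.

```python
"""Heuristic detector for ThinServer synchronization-protocol abuse on TCP/2031.

Added example, not part of the source page or Rockwell's software.
Assumed layout: 2-byte big-endian message type, then an opaque body.
All sample messages are constructed, not captured traffic.
"""
import struct
from typing import List, Optional, Tuple

SYNC_PORT = 2031

# Only type 38's name (SYNC_MSG_SEND_FILE_BACKGROUND) is given on the page;
# the other two names are assumptions used here for readability.
MSG_SEND_FILE_BACKGROUND = 38   # traversal in file_name -> arbitrary upload (CVE-2023-2917)
MSG_DELETE_FILES = 21           # traversal in files field -> arbitrary delete as SYSTEM
MSG_DATA_CHUNK = 13             # dsize 0x7FFFFFFF -> integer overflow in GetDataFromMsgBody

TRAVERSAL = b"..\\"                    # bytes 2E 2E 5C
OVERFLOW_DSIZE = b"\x7f\xff\xff\xff"   # 0x7FFFFFFF, big-endian as listed in the IOC notes


def msg_type(payload: bytes) -> Optional[int]:
    """Assumed: big-endian uint16 message type at offset 0 (00 26 -> 38)."""
    if len(payload) < 2:
        return None
    return struct.unpack(">H", payload[:2])[0]


def classify(payload: bytes, dst_port: int = SYNC_PORT, min_hops: int = 2) -> List[str]:
    """Return finding strings for one segment sent towards ThinServer.

    min_hops: minimum number of '..\\' sequences before a message is flagged;
    a single '..\\' in a legitimate relative path is not by itself suspicious.
    """
    findings: List[str] = []
    if dst_port != SYNC_PORT:
        return findings
    mtype = msg_type(payload)
    if mtype is None:
        return findings
    body = payload[2:]
    hops = body.count(TRAVERSAL)
    if mtype == MSG_SEND_FILE_BACKGROUND and hops >= min_hops:
        findings.append(f"type 38 with {hops} '..\\' sequences: arbitrary file upload attempt (CVE-2023-2917)")
    if mtype == MSG_DELETE_FILES and hops >= min_hops:
        findings.append(f"type 21 with {hops} '..\\' sequences: arbitrary file deletion attempt")
    if mtype == MSG_DATA_CHUNK and OVERFLOW_DSIZE in body:
        findings.append("type 13 carrying dsize 0x7FFFFFFF: integer overflow / DoS attempt")
    return findings


def scan_flows(flows) -> List[Tuple[str, str]]:
    """flows: iterable of (src_ip, dst_port, payload). Returns (src_ip, finding) pairs."""
    alerts: List[Tuple[str, str]] = []
    for src, dport, payload in flows:
        for finding in classify(payload, dport):
            alerts.append((src, finding))
    return alerts


def build_msg(mtype: int, body: bytes) -> bytes:
    """Assemble a message under the assumed layout (used only to build samples)."""
    return struct.pack(">H", mtype) + body


# Constructed samples. The six-byte body prefix copies the IOC's leading bytes
# (00 21 00 00 00 79); their meaning is not stated on the page.
SAMPLE_UPLOAD = build_msg(MSG_SEND_FILE_BACKGROUND,
                          b"\x00\x21\x00\x00\x00\x79" + TRAVERSAL * 9 + b"\\Windows\\System32\\payload.dll")
SAMPLE_BENIGN = build_msg(MSG_SEND_FILE_BACKGROUND,
                          b"\x00\x21\x00\x00\x00\x10" + b"Backgrounds\\site.png")
SAMPLE_DELETE = build_msg(MSG_DELETE_FILES,
                          b"\x00\x00\x00\x01" + TRAVERSAL * 4 + b"\\ThinServer\\config.db")
SAMPLE_DOS = build_msg(MSG_DATA_CHUNK, OVERFLOW_DSIZE + b"\x00" * 4)

if __name__ == "__main__":
    flows = [("10.0.0.5", SYNC_PORT, SAMPLE_UPLOAD),
             ("10.0.0.6", SYNC_PORT, SAMPLE_BENIGN),
             ("10.0.0.7", SYNC_PORT, SAMPLE_DELETE),
             ("10.0.0.8", SYNC_PORT, SAMPLE_DOS),
             ("10.0.0.9", 3389, SAMPLE_UPLOAD)]   # wrong port: ignored
    for src, finding in scan_flows(flows):
        print(f"{src}: {finding}")
```

The traversal count threshold is the main tuning knob: the IOC shows nine consecutive `..\` hops, which no legitimate background or file name needs, so `min_hops=2` flags exploitation attempts without alerting on an ordinary relative path. Because the dsize offset is not given on the page, the type 13 check searches the whole body for `7F FF FF FF`; if the real layout is known, replace that search with a fixed-offset read.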
CISA ICS Advisory ICSA-23-234-03: Rockwell Automation ThinManager ThinServer
Source: cisa_ics · Release date: August 22, 2023 · aggregator rating: HIGH, CVSS 7.5 (the advisory text itself reports CVSS v3 9.8)
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Rockwell Automation
- Equipment: ThinManager ThinServer
- Vulnerabilities: Improper Input Validation
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to remotely delete arbitrary files with system privileges.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
Rockwell Automation reports this vulnerability affects the following versions of ThinManager ThinServer, a thin client and remote desktop protocol (RDP) server management software:
- ThinManager ThinServer: Versions 11.0.0-11.0.6
- ThinManage
GHSA
GHSA-g747-9xrw-rcmj (unreviewed, published 2023-08-17): CVE-2023-2917, severity CRITICAL, CWE-20 (Improper Input Validation). The advisory text is the same CVE description given at the top of this page.
No detection rules found.