Upcoming Virtual Event: Cloud Security Summit | July 17 - Register Now
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Critical Flaw in PTC License Server Can Allow Lateral Movement in Industrial Organizations

PTC has patched a critical vulnerability in the Creo Elements/Direct License Server that can be exploited for unauthenticated command execution.

Product lifecycle management solutions provider PTC recently informed customers about the availability of a patch for a critical vulnerability affecting a license server for the company’s Creo Elements/Direct product.

Creo Elements/Direct is a direct modeling CAD software for 3D design creation.

Thomas Riedmaier of Siemens Energy discovered earlier this year that the license server for Creo Elements/Direct, specifically version 20.7.0.0 and prior, is affected by a critical missing authorization issue.

The researcher discovered that the license server exposes a web interface that can be abused by unauthenticated, remote attackers to execute arbitrary OS commands on the underlying server. The flaw is tracked as CVE-2024-6071 and it has been assigned a CVSS score of 10.

PTC and the US cybersecurity agency CISA published advisories for the vulnerability in late June. A patch is included in version 20.7.0.1 and later of the license server, which is available for products such as Creo Elements/Direct Drafting, Model/Drawing Mgr, Modeling, and WorkManager.

The vulnerability could enable lateral movement in industrial organizations. CISA noted in an industrial control systems (ICS) advisory that the affected product is used worldwide, including in the critical manufacturing sector. 

However, PTC pointed out that it “has no indication nor has been made aware that this vulnerability has or is being exploited”. 

Riedmaier told SecurityWeek that the impacted license server is typically not exposed to the internet so an attacker would need access to the targeted organization’s network in order to exploit the vulnerability.

Advertisement. Scroll to continue reading.

In the environment where he discovered the vulnerability, the PTC license server was installed on a Windows system, which the researcher was able to take over by exploiting the flaw. 

The compromised server hosted multiple services and was connected to multiple networks, allowing Riedmaier to obtain access to critical information and separated networks. 

However, what an attacker could achieve after exploiting the vulnerability depends on where the license server is deployed and the type of access it provides, which can be different in other organizations. 

Riedmaier commended PTC for its handling of the vulnerability, saying that the company “did an excellent job”, conducting its analysis, publishing a patch, and issuing an advisory within seven weeks. 

Learn More at SecurityWeek’s ICS Cybersecurity Conference
The leading global conference series for Operations, Control Systems and OT/IT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.
ICS Cybersecurity Conference
October 21-24, 2024 | Atlanta
www.icscybersecurityconference.com

Related: Critical Vulnerabilities Patched in ThingWorx, Kepware IIoT Products

Related: Critical KEPServerEX Flaws Can Put Attackers in ‘Powerful Position’ in OT Networks

Related: ICS Patch Tuesday: Advisories Published by Siemens, Schneider Electric, Aveva, CISA

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Craig Boundy has left Experian to join McAfee as President and CEO.

Forcepoint has promoted Ryan Windham from Chief Customer and Strategy Officer to Chief Executive Officer.

ICS and OT cybersecurity solutions provider TXOne Networks appointed Stephen Driggers as its new CRO.

More People On The Move

Expert Insights