Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Critical Flaw in PTC License Server Can Allow Lateral Movement in Industrial Organizations

PTC has patched a critical vulnerability in the Creo Elements/Direct License Server that can be exploited for unauthenticated command execution.

Product lifecycle management solutions provider PTC recently informed customers about the availability of a patch for a critical vulnerability affecting a license server for the company’s Creo Elements/Direct product.

Creo Elements/Direct is a direct modeling CAD software for 3D design creation.

Thomas Riedmaier of Siemens Energy discovered earlier this year that the license server for Creo Elements/Direct, specifically version 20.7.0.0 and prior, is affected by a critical missing authorization issue.

The researcher discovered that the license server exposes a web interface that can be abused by unauthenticated, remote attackers to execute arbitrary OS commands on the underlying server. The flaw is tracked as CVE-2024-6071 and it has been assigned a CVSS score of 10.

PTC and the US cybersecurity agency CISA published advisories for the vulnerability in late June. A patch is included in version 20.7.0.1 and later of the license server, which is available for products such as Creo Elements/Direct Drafting, Model/Drawing Mgr, Modeling, and WorkManager.

The vulnerability could enable lateral movement in industrial organizations. CISA noted in an industrial control systems (ICS) advisory that the affected product is used worldwide, including in the critical manufacturing sector. 

Advertisement. Scroll to continue reading.

However, PTC pointed out that it “has no indication nor has been made aware that this vulnerability has or is being exploited”. 

Riedmaier told SecurityWeek that the impacted license server is typically not exposed to the internet so an attacker would need access to the targeted organization’s network in order to exploit the vulnerability.

In the environment where he discovered the vulnerability, the PTC license server was installed on a Windows system, which the researcher was able to take over by exploiting the flaw. 

The compromised server hosted multiple services and was connected to multiple networks, allowing Riedmaier to obtain access to critical information and separated networks. 

However, what an attacker could achieve after exploiting the vulnerability depends on where the license server is deployed and the type of access it provides, which can be different in other organizations. 

Riedmaier commended PTC for its handling of the vulnerability, saying that the company “did an excellent job”, conducting its analysis, publishing a patch, and issuing an advisory within seven weeks. 

Learn More at SecurityWeek’s ICS Cybersecurity Conference
The leading global conference series for Operations, Control Systems and OT/IT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.
ICS Cybersecurity Conference
October 21-24, 2024 | Atlanta
www.icscybersecurityconference.com

Related: Critical Vulnerabilities Patched in ThingWorx, Kepware IIoT Products

Related: Critical KEPServerEX Flaws Can Put Attackers in ‘Powerful Position’ in OT Networks

Related: ICS Patch Tuesday: Advisories Published by Siemens, Schneider Electric, Aveva, CISA

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

N-able has appointed Russell Rosa as Chief Revenue Officer.

Stacy O'Mara has joined Armadin as Chief Policy Officer and Director of Global Government Affairs.

F5 has appointed Cathy Peterman as Chief People Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.