CVE-2023-0755: Out-of-bounds Read
First published: Thu Feb 23 2023(Updated: )
The affected products are vulnerable to an improper validation of array index, which could allow an attacker to crash the server and remotely execute arbitrary code.
Credit: ics-cert@hq.dhs.gov
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ge Digital Industrial Gateway Server | <=7.612 | |
| Ptc Kepware Server | <=6.12 | |
| Ptc Kepware Serverex | <=6.12 | |
| Ptc Thingworx .net-sdk | <=5.8.4.971 | |
| Ptc Thingworx Edge C-sdk | <=2.2.12.1052 | |
| Ptc Thingworx Edge Microserver | <=5.4.10.0 | |
| PTC ThingWorx Industrial Connectivity | ||
| Ptc Thingworx Kepware Edge | <=1.5 | |
| Rockwellautomation Kepserver Enterprise | <=6.12 | |
| PTC ThingWorx Edge C-SDK: v2.2.12.1052 or lower | ||
| PTC .NET-SDK: v5.8.4.971 or lower | ||
| PTC ThingWorx Edge MicroServer (EMS): v5.4.10.0 or lower | ||
| PTC KEPServerEX | ||
| PTC ThingWorx Kepware Server (formerly ThingWorx Industrial Connectivity): v6.12 or lower | ||
| PTC ThingWorx Industrial Connectivity | ||
| PTC ThingWorx Kepware Edge: v1.5 or lower | ||
| PTC Rockwell Automation KEPServer Enterprise: v6.12 or lower | ||
| PTC GE Digital Industrial Gateway Server: v7.612 or lower |
Remedy
PTC has released the following resolutions: Update the impacted product to the latest version: · ThingWorx Edge C-SDK: 3.0.0 or later. · ThingWorx Edge MicroServer (EMS): v5.4.11 or later. · .NET-SDK: v5.8.5 or later. For Kepware products, the vulnerability is mitigated if the ThingWorx Interface is not enabled. To use the ThingWorx Interface without the vulnerability, update to the latest version of the product: · Kepware KEPServerEX: v6.13 or later. · ThingWorx Kepware Server (formerly ThingWorx Industrial Connectivity): v6.13 or later. · ThingWorx Kepware Edge: v1.6 or later. The following products should be upgraded as indicated or in accordance with the applicable organization’s recommendations if the ThingWorx Interface is in use: · Rockwell Automation KEPServer Enterprise: v6.13 or later. · GE Digital Industrial Gateway Server: v7.613 or later. For more information see PTC’s Customer Support Article .
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-0755?
CVE-2023-0755 is a vulnerability that affects Ge Digital Industrial Gateway Server, Ptc Kepware Server, Ptc Kepware Serverex, Ptc Thingworx .net-sdk, Ptc Thingworx Edge C-sdk, Ptc Thingworx Edge Microserver, Ptc Thingworx Industrial Connectivity, Ptc Thingworx Kepware Edge, and Rockwellautomation Kepserver Enterprise. It allows an attacker to crash the server and remotely execute arbitrary code.
How severe is CVE-2023-0755?
CVE-2023-0755 has a severity rating of 9.8 (critical).
How can an attacker exploit CVE-2023-0755?
An attacker can exploit CVE-2023-0755 by sending specially crafted input to trigger an improper validation of array index, causing the server to crash and potentially execute arbitrary code.
What is the affected version of Ge Digital Industrial Gateway Server in CVE-2023-0755?
The affected version of Ge Digital Industrial Gateway Server in CVE-2023-0755 is up to and including version 7.612.
How can I mitigate the vulnerability in CVE-2023-0755?
To mitigate the vulnerability in CVE-2023-0755, it is recommended to apply the necessary security patches or updates provided by the vendor and follow their recommended mitigation steps.
- agent/type
- agent/remedy
- agent/weakness
- agent/author
- agent/description
- agent/first-publish-date
- agent/severity
- agent/references
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/trending
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/tags
- collector/ics-cert-advisory
- source/ICS
- agent/software-canonical-lookup
- vendor/ge
- canonical/ge digital industrial gateway server
- version/ge digital industrial gateway server/7.612
- vendor/ptc
- canonical/ptc kepware server
- version/ptc kepware server/6.12
- canonical/ptc kepware serverex
- version/ptc kepware serverex/6.12
- canonical/ptc thingworx .net-sdk
- version/ptc thingworx .net-sdk/5.8.4.971
- canonical/ptc thingworx edge c-sdk
- version/ptc thingworx edge c-sdk/2.2.12.1052
- canonical/ptc thingworx edge microserver
- version/ptc thingworx edge microserver/5.4.10.0
- canonical/ptc thingworx industrial connectivity
- canonical/ptc thingworx kepware edge
- version/ptc thingworx kepware edge/1.5
- vendor/rockwellautomation
- canonical/rockwellautomation kepserver enterprise
- version/rockwellautomation kepserver enterprise/6.12
- canonical/ptc thingworx edge c-sdk: v2.2.12.1052 or lower
- canonical/ptc .net-sdk: v5.8.4.971 or lower
- canonical/ptc thingworx edge microserver (ems): v5.4.10.0 or lower
- canonical/ptc kepserverex
- canonical/ptc thingworx kepware server (formerly thingworx industrial connectivity): v6.12 or lower
- canonical/ptc thingworx kepware edge: v1.5 or lower
- canonical/ptc rockwell automation kepserver enterprise: v6.12 or lower
- canonical/ptc ge digital industrial gateway server: v7.612 or lower