0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
PTC ThingWorx Password Disclosure / Cross Site Scripting Vulnerabilities
Author
Risk
![](/img/risk/critlow_3.gif)
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
======================================================================= title: Password disclosure vulnerability & XSS product: PTC ThingWorx vulnerable version: 6.5-7.4, 8.0.x, 8.1.x, 8.2.x fixed version: see Solution section CVE number: CVE-2018-17216, CVE-2018-17217, CVE-2018-17218 impact: critical homepage: https://www.ptc.com found: 2018-03-13 by: M. Tomaselli (Office Munich) SEC Consult Vulnerability Lab An integrated part of SEC Consult Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "ThingWorx is more than an IoT platform; it provides the functionality, flexibility and scalability that businesses need to drive industrial innovationaincluding the ability to source, contextualize and synthesize data while orchestrating processes and delivering powerful web, mobile and AR experiences." Source: https://www.ptc.com/en/thingworx8 Business recommendation: ------------------------ ThingWorx allows to configure Things to communicate with other services over several protocols (e.g. LDAP integration via a DirectoryServices Thing). In order to communicate with services that require authentification, ThingWorx provides functionality to associate credentials to a Thing. During a brief audit it was noticed that ThingWorx Composer leaks the following sensitive data: 1) The PBKDF2WithHmac512 password hash of a user Thing 2) The AES encrypted password of several Things containing password attributes Furthermore, the password used for encryption is hard-coded and thus identical along all installations. Besides the above mentioned vulnerabilities a reflected cross-site scripting vulnerability was identified in the ThingWorx SQUEAL search function. The vendor provides a patch which should be installed immediately. It is recommended to perform further thorough security audits as the product may be affected by other potential security vulnerabilities. Vulnerability overview/description: ----------------------------------- 1) Disclosure of User Password Hashes to Privileged Users (CVE-2018-17216) ThingWorx discloses the PBKDF2WithHmac512 hashed passwords of its application users when doing exports with an administrative account. This enables an attacker to conduct offline brute-force or dictionary attacks against the obtained password hashes. 2) Disclosure of Encrypted Credentials and Use of Hard-Coded Passwords (CVE-2018-17217) A critical information disclosure vulnerability leaks the AES encrypted passwords of services configured within ThingWorx. Due to a hard-coded master password in the SecureData class, an attacker is able to decrypt the obtained passwords which grants him access to other services. The AES encrypted password gets disclosed in the server response when a user/attacker visits a Thing that contains credentials. 3) Reflected Cross-Site Scripting (CVE-2018-17218) The JavaScript part of the ThingWorx SQUEAL search functionality (searchExpression parameter) which is responsible for parsing the obtained JSON response fails to properly sanitize user supplied input. If the victim views attacker-prepared content (e.g. on a website or in an HTML email) an attacker is able to execute arbitrary actions in the context of its victims' sessions. Proof of concept: ----------------- The proof of concept has been removed from this advisory. Vulnerable / tested versions: ----------------------------- The vulnerabilities have been verified to exist in version 8.0.1-b39 which was the latest version available at the time of the test. The vendor provided further affected version information. See the Solution section for reference. Vendor contact timeline: ------------------------ 2018-03-14: Contacting vendor through email 2018-03-16: Advisory sent to vendor via encrypted mail 2018-03 - 2018-09: Multiple phone calls with PTC R&D department discussing release & multi-party disclosure 2018-08-15: Vendor provided private notifications to customers to give 45 days to upgrade 2018-10-01: Coordinated release of SEC Consult advisory Solution: --------- Best recommendation is to upgrade to the latest version of ThingWorx to version 8.3.2 (at time of writing). For newer verions, the issue of the hard coded password has been fixed and the SQUEAL function removed. The minimum upgrade to obtain mitigations for all 3 issues depends on the version of ThingWorx in use. For ThingWorx versions 6.5-7.4, upgrade to 7.4.14+ For ThingWorx version 8.0.x, upgrade to 8.0.12+ For ThingWorx version 8.1.x, upgrade to 8.1.7+ For ThingWorx version 8.2.x, upgrade to 8.2.4+ The vendor always recommends upgrading to the latest availabe service pack. See the following advisory by the vendor for further information: https://www.ptc.com/en/support/article?n=CS291004 Workaround: ----------- 1) Disclosure of User Password Hashes to Privileged Users To limit exposure, disabling all native ThingWorx users and solely rely on users that make use of Active Directory or Single Sign On (SSO) authentication, since the password hashes are then not saved within ThingWorx. 2) Disclosure of Encrypted Credentials and Use of Hard-Coded Passwords None. 3) Reflected Cross-Site Scripting This issue only exists because of a deprecated feature called SQUEAL. Removal of this function will eliminate the XSS issue. a. This SQUEAL functionality is already removed in ThingWorx 8.1.0+. b. For versions older than 8.1.0, a workaround is available at the PTC support site. Updating to fix all 3 issues is recommended. # 0day.today [2024-07-02] #