Critical Flaw in PTC License Server Can Allow Lateral Movement in Industrial Organizations

Product lifecycle management solutions provider PTC recently informed customers about the availability of a patch for a critical vulnerability affecting a license server for the company’s Creo Elements/Direct product.

Creo Elements/Direct is a direct modeling CAD software for 3D design creation.

Thomas Riedmaier of Siemens Energy discovered earlier this year that the license server for Creo Elements/Direct, specifically version 20.7.0.0 and prior, is affected by a critical missing authorization issue.

The researcher discovered that the license server exposes a web interface that can be abused by unauthenticated, remote attackers to execute arbitrary OS commands on the underlying server. The flaw is tracked as CVE-2024-6071 and it has been assigned a CVSS score of 10.

PTC and the US cybersecurity agency CISA published advisories for the vulnerability in late June. A patch is included in version 20.7.0.1 and later of the license server, which is available for products such as Creo Elements/Direct Drafting, Model/Drawing Mgr, Modeling, and WorkManager.

The vulnerability could enable lateral movement in industrial organizations. CISA noted in an industrial control systems (ICS) advisory that the affected product is used worldwide, including in the critical manufacturing sector. 

However, PTC pointed out that it “has no indication nor has been made aware that this vulnerability has or is being exploited”. 

Riedmaier told SecurityWeek that the impacted license server is typically not exposed to the internet, so an attacker would need access to the targeted organization’s network in order to exploit the vulnerability.

In the environment where he discovered the vulnerability, the PTC license server was installed on a Windows system, which the researcher was able to take over by exploiting the flaw. 

The compromised server hosted multiple services and was connected to multiple networks, allowing Riedmaier to obtain access to critical information and separated networks. 

However, what an attacker could achieve after exploiting the vulnerability depends on where the license server is deployed and the type of access it provides, both of which can differ from one organization to another.

Riedmaier commended PTC for its handling of the vulnerability, saying that the company “did an excellent job”, conducting its analysis, publishing a patch, and issuing an advisory within seven weeks. 

Related: Critical Vulnerabilities Patched in ThingWorx, Kepware IIoT Products

Related: Critical KEPServerEX Flaws Can Put Attackers in ‘Powerful Position’ in OT Networks

Related: ICS Patch Tuesday: Advisories Published by Siemens, Schneider Electric, Aveva, CISA
