ThinManager Thinserver.exe /api/documentation Endpoint Path Traversal Remote File Disclosure
Vendor / Product information
“Our ThinManager® thin client management software allows control and security in a sustainable and scalable platform regardless of the size of your industrial environment or number of facilities. The thin client architecture gives users the applications and tools familiar to them in a format that reduces management and maintenance costs while it increases security.”
Vulnerable program details
Details for tested products and versions:
Vendor: Rockwell Automation
Product: ThinManager
Component: Thinserver.exe
Version: 13.0 SP2
NOTE: Other versions than the one listed above are likely affected. The security advisory released by Rockwell reports versions 13.0.0 through 13.0.2 as vulnerable as well as ThinServer version 13.1.0.
Credits
Sven Krewitt, Flashpoint
Vulnerability details
Rockwell Automation ThinManager contains a path traversal flaw: a request can escape the restricted document path, allowing a remote attacker to read files on the local file system with SYSTEM-level privileges.
Exploitation of this issue requires that API endpoints are enabled in the HTTPS server API settings, which are disabled by default.
The issue can be triggered when handling requests to the /api/documentation endpoint. By submitting a path containing a path traversal sequence (e.g. ‘../’), a remote attacker can read arbitrary files from the server’s file system with privileges of the server (NT AUTHORITY\SYSTEM).
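The defensive counterpart to the behaviour described above is to canonicalise the client-supplied document name and refuse anything whose canonical form leaves the document root. The following Python is an added example written for this page, not ThinManager or ThinServer code; the document root path and the function names are assumptions, since the advisory does not describe the server's directory layout. It decodes percent-encoding once, treats backslashes as separators (the server is a Windows component), and then compares canonical paths rather than searching the raw string for '../'.

```python
import os
from urllib.parse import unquote

# Hypothetical document root (placeholder; ThinServer's real layout is not
# described in the advisory).
DOC_ROOT = "/srv/thinserver/docs"


def resolve_doc_path(doc_root: str, requested: str) -> str:
    """Map a client-supplied document name to a file path under doc_root.

    Raises PermissionError when the canonical result would leave doc_root,
    which is exactly the '../' case the advisory describes.
    """
    # Decode percent-encoding exactly once, before any path checks, so that
    # '%2e%2e/' is handled the same way as '../'.
    decoded = unquote(requested)

    # NUL bytes can truncate the path in native string APIs; refuse them.
    if "\x00" in decoded:
        raise PermissionError("NUL byte in requested path")

    # The server runs on Windows, where '\' is also a separator; normalise it
    # so the containment check cannot be sidestepped with backslashes.
    normalised = decoded.replace("\\", "/").lstrip("/")
    if not normalised:
        raise PermissionError("empty document name")

    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, normalised))

    # The canonical candidate must be a proper descendant of the canonical root.
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"path escapes document root: {requested!r}")
    return candidate


def is_safe_document(requested: str, doc_root: str = DOC_ROOT) -> bool:
    """Convenience wrapper: True if the request stays inside doc_root."""
    try:
        resolve_doc_path(doc_root, requested)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the traversal payload from the advisory's proof of
    # concept alongside an ordinary document request.
    for name in ("api-guide.html",
                 "../../../../../../../windows/system.ini",
                 "%2e%2e/%2e%2e/windows/system.ini"):
        verdict = "allowed" if is_safe_document(name) else "rejected"
        print(f"{name!r}: {verdict}")
```

The important design choice is that the decision is made on the canonical path returned by `os.path.realpath`, after decoding and separator normalisation, so the check holds for '../', for '%2e%2e/' and for backslash variants without maintaining a denylist of patterns.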
Proof of concept
Enable API endpoints in the HTTPS Server Settings.
Use curl to send a specially crafted request to the endpoint:
$ curl --path-as-is -k https://[serverIP]:8443/api/documentation/../../../../../../../windows/system.ini
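For teams that cannot patch immediately, or that want to check whether the endpoint was probed before the fix was applied, requests of the shape shown above are easy to pick out of access logs. The Python below is an added example for this page, not tooling from Flashpoint or Rockwell. The log layout and the sample lines are constructed (the advisory does not describe ThinServer's log format), so the regular expression would need adapting to whatever the real server or a fronting proxy writes; the detection logic itself, decoding the request path once and looking for a '..' segment, carries over unchanged.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample in a generic access-log layout (client, method, target,
# status). Illustrative only; not ThinServer's real log format.
SAMPLE_LOG = """\
10.0.0.15 GET /api/documentation/index.html 200
10.0.0.77 GET /api/documentation/../../../../../../../windows/system.ini 200
10.0.0.77 GET /api/documentation/%2e%2e/%2e%2e/%2e%2e/windows/win.ini 200
10.0.0.15 GET /api/documentation/guides/install.pdf 200
10.0.0.91 GET /api/documentation/..%5c..%5cwindows%5csystem.ini 404
"""

LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>\S+) (?P<target>\S+) (?P<status>\d{3})$"
)


def has_traversal(target: str) -> bool:
    """True if the request path contains a '..' segment after decoding.

    Percent-encoding is decoded once and backslashes are treated as
    separators, mirroring how a Windows file API would interpret the path.
    """
    path = urlsplit(target).path
    decoded = unquote(path).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def find_traversal_requests(log_text: str, endpoint: str = "/api/documentation"):
    """Return (client, target, status) for traversal attempts against endpoint."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed layout
        target = match.group("target")
        if target.startswith(endpoint) and has_traversal(target):
            hits.append((match.group("client"), target, int(match.group("status"))))
    return hits


if __name__ == "__main__":
    for client, target, status in find_traversal_requests(SAMPLE_LOG):
        print(f"{client} {status} {target}")
```

When triaging results, a 2xx status on a traversal path is the line that matters most, since it indicates the server returned content for the request rather than rejecting it.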
Solution
The vulnerability is fixed in ThinManager version 13.0.3 and ThinServer version 13.1.1.
References
Flashpoint: FP-2023-003
VulnDB: 326476
CVE: CVE-2023-2913
Rockwell: PN1635
Timeline
2023-04-04 Vulnerability discovered.
2023-04-14 Vulnerability reported to Rockwell Automation PSIRT.
2023-04-25 Vendor response.
2023-07-18 Vulnerability published to VulnDB customers.
2023-07-19 Publication of this vulnerability report.