{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-5909", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2023-11-01T16:18:45.060Z", "datePublished": "2023-11-30T22:05:59.595Z", "dateUpdated": "2024-08-02T08:14:24.693Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "KEPServerEX", "vendor": "PTC", "versions": [{"lessThanOrEqual": "6.14.263.0", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "ThingWorx Kepware Server", "vendor": "PTC", "versions": [{"lessThanOrEqual": "6.14.263.0", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "ThingWorx Industrial Connectivity", "vendor": "PTC", "versions": [{"status": "affected", "version": "All versions"}]}, {"defaultStatus": "unaffected", "product": "OPC-Aggregator", "vendor": "PTC", "versions": [{"lessThanOrEqual": "6.14", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "ThingWorx Kepware Edge", "vendor": "PTC", "versions": [{"lessThanOrEqual": "1.7", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "KEPServer Enterprise", "vendor": "Rockwell Automation ", "versions": [{"lessThanOrEqual": "6.14.263.0", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Industrial Gateway Server", "vendor": "GE Gigital", "versions": [{"lessThanOrEqual": "7.614", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "TOP Server", "vendor": "Software Toolbox", "versions": [{"lessThanOrEqual": "6.14.263.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Shawn Hoffman"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<p></p>\n\n<p></p>\n\n<p>KEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect.</p><br>\n\n<br>\n\n"}], "value": "\n\n\n\n\n\n\n\n\nKEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect.\n\n\n\n\n\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-297", "description": "CWE-297 Improper Validation of Certificate with Host Mismatch", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-11-30T22:05:59.595Z"}, "references": [{"tags": ["government-resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-03"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<p>PTC has released and recommends users to update to the following versions:</p><ul><li>KEPServerEX should upgrade to v6.15 or later</li><li>ThingWorx Kepware Server should upgrade to v6.15 or later</li><li>ThingWorx Industrial Connectivity should upgrade to ThingWorx Kepware Server v6.15 or later</li><li>OPC-Aggregator should upgrade to v6.15 or later</li><li>ThingWorx Kepware Edge: Upgrade to v1.8 or later</li></ul><p>Refer to secure configuration guide <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ptc.com/en/support/refdoc/ThingWorx_Kepware_Server/6.15/ThingWorx%20Kepware%20Server%20Secure%20Deployment%20Guide\">here</a></p><p>If additional questions remain, please contact <a target=\"_blank\" rel=\"nofollow\" href=\"https://support.ptc.com/apps/case_logger_viewer/cs/auth/ssl/log?\">PTC Technical Support</a></p><p>For more information, see PTC's <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ptc.com/en/support/article/CS405439\">advisory</a>.</p>\n\n<br>"}], "value": "\nPTC has released and recommends users to update to the following versions:\n\n  *  KEPServerEX should upgrade to v6.15 or later\n  *  ThingWorx Kepware Server should upgrade to v6.15 or later\n  *  ThingWorx Industrial Connectivity should upgrade to ThingWorx Kepware Server v6.15 or later\n  *  OPC-Aggregator should upgrade to v6.15 or later\n  *  ThingWorx Kepware Edge: Upgrade to v1.8 or later\n\n\nRefer to secure configuration guide  here https://www.ptc.com/en/support/refdoc/ThingWorx_Kepware_Server/6.15/ThingWorx%20Kepware%20Server%20Secure%20Deployment%20Guide \n\nIf additional questions remain, please contact  PTC Technical Support https://support.ptc.com/apps/case_logger_viewer/cs/auth/ssl/log \n\nFor more information, see PTC's  advisory https://www.ptc.com/en/support/article/CS405439 .\n\n\n\n\n"}], "source": {"discovery": "UNKNOWN"}, "title": "Improper Validation of Certificate with Host Mismatch in PTC KEPServerEx", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:14:24.693Z"}, "title": "CVE Program Container", "references": [{"tags": ["government-resource", "x_transferred"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-03"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ge:industrial_gateway_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "FAC36939-C47F-4426-A684-0252C014CB05", "versionEndIncluding": "7.614", "vulnerable": true}, {"criteria": "cpe:2.3:a:ptc:keepserverex:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C003AF3-3140-4AD9-8407-D3C216D72AA0", "versionEndIncluding": "6.14.263.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ptc:opc-aggregator:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0A4FE5D-D1DD-4854-B709-3E0A54D6BE97", "versionEndIncluding": "6.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:ptc:thingworx_industrial_connectivity:-:*:*:*:*:*:*:*", "matchCriteriaId": "D01A814D-8F2B-4B88-A66B-F2A2C293A6AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:ptc:thingworx_kepware_edge:*:*:*:*:*:*:*:*", "matchCriteriaId": "E8B99ED4-CEB0-463D-9900-426C6108A009", "versionEndIncluding": "1.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:ptc:thingworx_kepware_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "14930935-3DE4-403F-9F6A-9E4490C3B95D", "versionEndIncluding": "6.14.263.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rockwellautomation:kepserver_enterprise:*:*:*:*:*:*:*:*", "matchCriteriaId": "40663AD6-24DE-4D75-AA95-0D4E6A2ADF04", "versionEndIncluding": "6.14.263.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:softwaretoolbox:top_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "CB7C7A8B-38A0-4A48-B78A-F5FAA2A9E20F", "versionEndIncluding": "6.14.263.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\n\n\n\n\n\n\n\n\nKEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect.\n\n\n\n\n\n\n\n"}, {"lang": "es", "value": "KEPServerEX no valida adecuadamente los certificados de los clientes, lo que puede permitir que se conecten usuarios no autenticados."}], "id": "CVE-2023-5909", "lastModified": "2024-11-21T08:42:45.260", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-30T22:15:10.163", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-03"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-03"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-297"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}