Pilz: PASvisu and PMI affected by multiple vulnerabilities

CVSS 7.5 | VDE-2022-033 | Nov 24, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

PASvisu is an HMI solution for machine visualization used standalone and integrated into Pilz PMI products. The PASvisu Server component contains path traversal and file permission vulnerabilities (CWE-22, CWE-552) that allow unauthenticated attackers to write arbitrary files to the system, potentially enabling code execution and full compromise of the HMI platform.

What this means
What could happen
An attacker could write arbitrary files to the PASvisu server, potentially allowing code execution and complete compromise of the HMI system that controls machine visualization and process monitoring.
Who's at risk
Manufacturing facilities using Pilz PASvisu software or PMI human-machine interface (HMI) products for machine visualization and process control. This includes any industrial automation environment relying on PASvisu Server for operator interface and monitoring.
How it could be exploited
An attacker with network access to the PASvisu Server component can exploit path traversal and file upload vulnerabilities to write arbitrary files to the system. This could allow the attacker to place executable code or modify critical system files, leading to remote code execution on the HMI server.
Prerequisites
  • Network access to the PASvisu Server component
  • No authentication required
Tags: remotely exploitable, no authentication required, low complexity, affects HMI/visualization systems, no patch available for PASvisu v5xx
Affected products (4): 2 with fix, 2 EOL

Product          | Affected Versions | Fix Status
PASvisu Software | <1.12.0           | No fix (EOL)
PMI v5xx         | <=1.3.58          | No fix (EOL)
PMI v7xx         | <2.2.0            | 2.2.0
PMI v8xx         | <1.6.102          | 1.6.102
Remediation & Mitigation
Do now
Workaround: Configure an administration password on PASvisu Server, PMI v7xx, and PMI v8xx immediately
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Hotfix: Update PASvisu Software to version 1.12.0 or later when available from Pilz
Hotfix: Update PMI v7xx to version 2.2.0 or later when available from Pilz
Hotfix: Update PMI v8xx to version 1.6.102 or later when available from Pilz
Mitigations - no patch available
The following products have reached End of Life with no planned fix: PASvisu Software <1.12.0, PMI v5xx <=1.3.58. Apply the following compensating controls:
Hardening: Restrict network access to the PASvisu Server to only authorized engineering workstations and trusted subnets
Source: OTPulse