Pilz: PAS 4000 prone to ZipSlip

CVSS: 6.5
Advisory ID: VDE-2022-045
Published: Nov 24, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

PAS4000 is the software platform for the Pilz PSS 4000 Automation System. The software does not properly validate file paths in archives (ZIP files), allowing an attacker to use a ZipSlip vulnerability to write arbitrary files to the system. This could lead to code execution and compromise of the automation platform.

What this means
What could happen
An attacker could write arbitrary files to the PAS 4000 system, potentially executing malicious code that could alter or stop automation processes controlled by the PSS 4000 safety system.
Who's at risk
Site engineers, control system integrators, and safety system operators who use Pilz PAS 4000 for designing and managing automation systems in industrial facilities. Anyone with access to PAS 4000 engineering workstations is at risk if they download or are sent malicious project files.
How it could be exploited
An attacker tricks a user into importing a specially crafted archive (ZIP file with path traversal payloads) into PAS 4000. The software fails to validate file paths during extraction, allowing the attacker to write files outside the intended directory and achieve code execution on the engineering workstation or automation platform.
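The validation step that a ZipSlip-prone extractor omits, shown as an added example in Python (this is not Pilz's code and does not depict PAS 4000's own extraction routine). The archive is constructed inline and the import directory is a temporary stand-in; every archive entry is canonicalised against the target directory and rejected if it resolves outside it.

```python
import io
import os
import tempfile
import zipfile


def is_safe_member(target_dir: str, member_name: str) -> bool:
    """True only if the entry resolves inside target_dir after canonicalisation.
    Rejects absolute names and any '..' segment that escapes the directory."""
    target = os.path.realpath(target_dir)
    name = member_name.replace("\\", "/")  # catch '..\\' on POSIX hosts too
    if name.startswith("/") or os.path.splitdrive(name)[0]:
        return False
    candidate = os.path.realpath(os.path.join(target, name))
    return os.path.commonpath([target, candidate]) == target


def partition_members(zip_bytes: bytes, target_dir: str) -> tuple[list[str], list[str]]:
    """Split an archive's entries into (safe, rejected) without writing anything."""
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            bucket = safe if is_safe_member(target_dir, info.filename) else rejected
            bucket.append(info.filename)
    return safe, rejected


def safe_extract(zip_bytes: bytes, target_dir: str) -> list[str]:
    """Extract only entries that stay inside target_dir; return the rejected names."""
    safe, rejected = partition_members(zip_bytes, target_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in safe:
            zf.extract(name, target_dir)
    return rejected


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign project file plus one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/config.xml", "<project/>")
        zf.writestr("../../escaped.txt", "would land outside the import directory")
    return buf.getvalue()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # stand-in for the import directory
        print("rejected:", safe_extract(build_sample_archive(), tmp))
        print("extracted:", sorted(os.listdir(tmp)))
```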
Prerequisites
  • User interaction required: victim must import or open a malicious archive file in PAS 4000
  • Access to the PAS 4000 software or engineering workstation where it is installed
  • Remotely exploitable (via malicious file distribution)
  • User interaction required
  • Low complexity attack
  • Affects safety system engineering platform
  • Potential for code execution
Affected products (1)
Product | Affected Versions | Fix Status
PAS4000 | <1.25.0 | Fix available
Remediation & Mitigation
Do now
WORKAROUND: Restrict PAS 4000 imports to only trusted archive sources; disable automatic archive extraction if available
HARDENING: Educate engineering and maintenance staff not to import archives from untrusted sources
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update PAS 4000 to version 1.25.0 or later