ToolBoxST prior to Version 7.8.0 uses a vulnerable version of the Ionic .NET Zip library that does not properly sanitize path names allowing files to be extracted to a location above their parent directory and back to the root directory. If an attacker compromises an HMI or creates their own SDI client, they can upload the device.zip file from a controller, patch it to contain a malicious file and path, and download it back to the controller. The next user to perform an upload could grab the malicious device.zip and extract it to their HMI, creating the potential for arbitrary write, overwrite, and execution.
Read Team82’s report: “Evil PLC Attack: Using a Controller as Predator Rather than Prey”CVE-2021-44477
GE
ToolBoxST
7.5
Team82 is committed to privately reporting vulnerabilities to affected vendors in a coordinated, timely manner in order to ensure the safety of the cybersecurity ecosystem worldwide. To engage with the vendor and research community, Team82 invites you to download and share our Coordinated Disclosure Policy. Team82 will adhere to this reporting and disclosure process when we discover vulnerabilities in products and services.
Team82 has also made its public PGP Key available for the vendor and research community to securely and safely exchange vulnerability and research information with us.