CD_SVA_2024_1: Vulnerability in the zenon Software Platform Engineering Studio and Service Engine

Summary

COPA-DATA has received a report by an external party detailing a security vulnerability in the zenon Software Platform and its OEM versions on Windows systems. This vulnerability has been fixed.

Description

A security vulnerability in the zenon Software Platform versions 11, 12 and 14 in relation to the Engineering Studio and the Service Engine under Windows has been reported by an external party.

This vulnerability causes an application that an attacker has placed in a specific directory on the Windows system running the Engineering Studio or the Service Engine to be executed either when the Engineering Studio is started and a project is loaded or created, or when the Service Engine is started. The application is executed in the same session and user context as the Engineering Studio or the Service Engine. When the attacker's application is executed, the Service Engine may no longer perform a normal startup.

On systems where the zenon Software Platform is installed in the default location, Administrator privileges are required to place an application in the directory from which the Engineering Studio or the Service Engine executes it because of the vulnerability.

Systems where the zenon Software Platform is installed in a non-default location are more vulnerable when folder permissions are not set explicitly post-installation: users without Administrator privileges may then be able to place an application in the directory from which the Engineering Studio or the Service Engine executes it.

CWE-427:

The underlying weakness is identified as CWE-427: Uncontrolled Search Path Element, commonly known under Windows as “Unquoted Service Path Enumeration”. It refers to a vulnerability where a program searches for resources, such as libraries, in directories specified by a variable like PATH and does not properly control or validate these directories. The vulnerability typically arises from improper configuration with unquoted blank spaces in the path.

Risks:

This type of vulnerability can be exploited to perform unauthorized actions such as privilege escalation, code execution, or the installation of backdoors. By leveraging the uncontrolled search path, an attacker can manipulate the system to execute their code with the privileges of the compromised application.

Mitigations:

  • Install zenon in the default location, which requires Administrator privileges for an attacker to place an executable in a directory.
  • When zenon is installed in a non-default location, define Access Control on the installation folder post-installation.
  • Restrict local access to systems with the zenon Software Platform installed.
  • Make use of Application Whitelisting.
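
To support the access-control mitigation above, the following PowerShell audit lists ACL entries that allow accounts other than SYSTEM, Administrators and TrustedInstaller to create files in an installation folder. It is an added example, not COPA-DATA code: the path `D:\Apps\zenon` is a hypothetical placeholder, and because the advisory does not name the affected directory, checking the installation folder together with each of its parent folders is an assumption of this example.

```powershell
param(
    # Hypothetical non-default installation path; replace with the real one.
    [string]$InstallPath = 'D:\Apps\zenon'
)

# Accounts that are expected to hold write access (assumption of this example).
$trustedSids = @(
    'S-1-5-18',                                                        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',                                                    # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'   # NT SERVICE\TrustedInstaller
)

# Rights that permit creating a file in a folder:
# WriteData/CreateFiles (0x2), GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
# Modify, Write and FullControl all include the 0x2 bit.
$createFileMask = 0x2 -bor 0x40000000 -bor 0x10000000
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$findings = @()
$dir = Get-Item -LiteralPath $InstallPath
while ($dir) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries apply to children, not to this folder itself.
        if ($rule.PropagationFlags.HasFlag($inheritOnly)) { continue }
        if (([int]$rule.FileSystemRights -band $createFileMask) -eq 0) { continue }

        # Compare by SID so localized account names do not matter.
        try {
            $sid = $rule.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $rule.IdentityReference.Value   # unresolved identity: keep as-is
        }
        if ($trustedSids -contains $sid) { continue }

        $findings += [pscustomobject]@{
            Folder    = $dir.FullName
            Identity  = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
    $dir = $dir.Parent   # $null once the drive root has been processed
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Output "No non-administrative file-create rights found on $InstallPath or its parents." }
```

Each reported row is a folder where a non-administrative identity can create files; entries marked as inherited have to be corrected on the parent folder that defines them.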


Fix:

This vulnerability has been fixed.
To benefit from this fix, update your zenon Software Platform to

  • the latest build of zenon 15 or higher
  • zenon 14, build 239777 or higher
  • zenon 12, build 241649 or higher


Note:
When the update is installed on the system with the Engineering Studio, it may also be necessary to update the systems with the Service Engine if project changes need to be used there.

Attention: Comprehensive information on this security vulnerability and how COPA-DATA deals with it, including general and specific recommendations, can be found in the COPA-DATA security bulletin. This security bulletin can be found in the COPA-DATA self-service portal as a PDF attachment to the article on this vulnerability: CD_SVA_2024_1.pdf.

 



Item ID: 282541
Version: 14.00 Build: 239777
Version: 12.00 Build: 241649