CVE-2023-46141: VDE-2023-055 | CERT@VDE

An Incorrect Permission Assignment for Critical Resource vulnerability in multiple products of the PHOENIX CONTACT classic line allows a remote, unauthenticated attacker to gain full access to the affected device.


2023-12-12 08:00 (CET) VDE-2023-055

Phoenix Contact: Automation Worx and classic line controllers prone to Incorrect Permission Assignment for Critical Resource

Published: 2023-12-12 08:00 (CET)

Last update: 2023-12-11 14:46 (CET)

Vendor(s): PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No°   Product Name                     Affected Version(s)
              Automation Worx Software Suite   all versions
2700988       AXC 1050                         all versions
2701295       AXC 1050 XC                      all versions
2700989       AXC 3050                         all versions
              Config+                          all versions
2730844       FC 350 PCI ETH                   all versions
              ILC1x0                           all versions
              ILC1x1                           all versions
              ILC 3xx                          all versions
              PC Worx                          all versions
              PC Worx Express                  all versions
2700291       PC WORX RT BASIC                 all versions
2701680       PC WORX SRT                      all versions
2730190       RFC 430 ETH-IB                   all versions
2730200       RFC 450 ETH-IB                   all versions
2700784       RFC 460R PN 3TX                  all versions
2916794       RFC 470S PN 3TX                  all versions
2404577       RFC 480S PN 4TX                  all versions

Summary

Phoenix Contact classic line industrial controllers are developed and designed for use in closed industrial networks. The controllers have no function to check the integrity and authenticity of the application (e.g. logic files, executable logic, configurations).

Logic files generated by Automation Worx could be manipulated on the engineering station and loaded into the PLC without tamper detection. Moreover, such tampering can be crafted so that it remains hidden, with the logic program modifying its own code, which makes it difficult to determine the impact of a malicious program.

CVE ID: CVE-2023-46141

Last update: Nov. 3, 2023, 9:11 a.m.

Severity

Weakness: Incorrect Permission Assignment for Critical Resource (CWE-732)


Details

Impact

The identified vulnerabilities allow attackers to generate logic files or upload logic with arbitrary malicious code to the classic line industrial controllers once they have access to the engineering station running Automation Worx Software Suite or can communicate with the controllers. Attackers must have network or physical access to the engineering station or controller to exploit this vulnerability.

Solution

Mitigation

Phoenix Contact classic line controllers are developed and designed for use in closed industrial networks. In this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls, and by dividing the plant into OT zones using firewalls.

This concept is supported by organizational measures in the production facility as part of a security management system. To achieve security here, measures are required at all levels. It must be ensured that logic is always transferred or stored in protected environments.

This applies to both data in transit and data at rest. Connections between the engineering tools (Automation Worx Software Suite) and the controller must always be in a locally protected environment or, in the case of remote access, protected by VPN.

Project data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks. Project data should only be stored in protected environments. Customers using Phoenix Contact classic line controllers are recommended to operate the devices as intended in closed networks or protected with a suitable firewall.
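Because the controller itself performs no integrity or authenticity check (see the Summary), the check the advisory asks for must happen on the engineering station before project data is transferred or loaded. The following is an added example, not Phoenix Contact's or Automation Worx's code: it tags every file of a project directory with a detached HMAC-SHA256 manifest and reports modified, missing or added files, assuming a plain-file project directory and a placeholder key held only on authorised stations.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed example: a detached manifest of HMAC-SHA256 tags over every file of
# a project directory. The key is a placeholder for a secret kept off the controller.

def _tag(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def _files(project_dir: Path) -> dict:
    """Map relative POSIX path -> Path for every regular file in the project."""
    return {p.relative_to(project_dir).as_posix(): p
            for p in sorted(project_dir.rglob("*")) if p.is_file()}

def build_manifest(project_dir: Path, key: bytes) -> dict:
    entries = {rel: _tag(key, p.read_bytes()) for rel, p in _files(project_dir).items()}
    # Tag the entry list itself so files cannot be silently dropped from or added to it.
    body = json.dumps(entries, sort_keys=True).encode()
    return {"files": entries, "manifest_tag": _tag(key, body)}

def verify_project(project_dir: Path, manifest: dict, key: bytes) -> list:
    """Return sorted problems; an empty list means the project is unchanged."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    if not hmac.compare_digest(_tag(key, body), manifest["manifest_tag"]):
        return ["manifest tag invalid"]  # wrong key or an edited manifest
    present = _files(project_dir)
    problems = []
    for rel, expected in manifest["files"].items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif not hmac.compare_digest(_tag(key, present[rel].read_bytes()), expected):
            problems.append(f"modified: {rel}")
    problems += [f"unexpected: {rel}" for rel in present.keys() - manifest["files"].keys()]
    return sorted(problems)

def demo() -> tuple:
    # Constructed two-file project: tag it, then tamper with it three ways.
    key = b"placeholder-engineering-station-key"
    d = Path(tempfile.mkdtemp())
    (d / "main.st").write_bytes(b"PROGRAM Main\nEND_PROGRAM\n")
    (d / "cfg").mkdir()
    (d / "cfg" / "io.cfg").write_bytes(b"IN0=1\n")
    manifest = build_manifest(d, key)
    clean = verify_project(d, manifest, key)
    (d / "main.st").write_bytes(b"PROGRAM Main\n(* inserted *)\nEND_PROGRAM\n")
    (d / "cfg" / "io.cfg").unlink()
    (d / "extra.st").write_bytes(b"x")
    return clean, verify_project(d, manifest, key), verify_project(d, manifest, b"other-key")
```

The manifest must travel separately from the project files (or be signed with a key the receiving station trusts), otherwise whoever edits the files can simply regenerate it.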

For general information and recommendations on security measures to protect network-enabled devices, refer to the application note "Application note Security".

If a classic line controller can't be used in protected zones, the OT communication protocols should be disabled. Depending on the controller type, this can be done either via CPU services via console or via web-based management. Information on which controllers, and from which firmware version onwards, communication protocols can be deactivated is described in the application note for classic line controllers or in the manual for the respective controller, which is available for download on the Phoenix Contact website.

A summary of measures to protect devices based on classic control technology is provided in "Measures to protect devices based on classic control technology".

Reported by

This vulnerability was reported by Reid Wightman at Dragos, Inc.

PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.
