PHOENIX CONTACT FL COMSERVER cross-site scripting (XSS) vulnerability

VDE-2017-004 (2017-12-05 08:50 UTC+0100)

CVE Identifier

CVE-2017-16723

Affected Vendors

PHOENIX CONTACT

Affected Products

FL COMSERVER BASIC 232/422/485, FL COMSERVER UNI 232/422/485, FL COMSERVER BAS 232/422/485-T, FL COMSERVER UNI 232/422/485-T, FL COM SERVER RS232, FL COM SERVER RS485, PSI-MODEM/ETH

Vulnerability Type

XSS

Summary

A cross-site scripting (XSS) vulnerability affects PHOENIX CONTACT FL COMSERVER products running firmware versions prior to 1.99, 2.20, or 2.40.

Impact

On devices with older firmware versions, an unauthenticated user with network access is able to change (but not activate) the configuration variables by accessing a specific URL on the web server, without authenticating in the web interface first. A changed configuration can only be permanently saved and activated by an authenticated user. However, since the input is not properly sanitised, an attacker could inject malicious JavaScript code. When this code is executed on the client of an authenticated user, changed configuration variables could be saved and activated without user interaction.
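The two conditions described above (unauthenticated staging of a configuration value, and unencoded output on the page an authenticated user later views), modelled as an added example; this is not PHOENIX CONTACT firmware code. The class, method and variable names, the sample value and both hardening steps are assumptions, since the advisory does not describe how the fixed firmware works.

```python
import html


class StagedConfig:
    """Toy model of a device web UI: values are staged first, then
    saved/activated by a logged-in user. All names are hypothetical."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.pending = {"device_name": "comserver-1"}  # constructed default

    def stage(self, key, value, authenticated):
        """Handle a 'change variable' request; returns True if accepted."""
        if self.hardened and not authenticated:
            return False  # assumed fix 1: staging requires a session
        if key not in self.pending:
            return False  # only known variables may be set
        self.pending[key] = value
        return True

    def render_config_page(self):
        """HTML shown to the authenticated user reviewing pending values."""
        rows = []
        for key, value in sorted(self.pending.items()):
            if self.hardened:
                # assumed fix 2: encode on output, including quotes
                value = html.escape(value, quote=True)
            rows.append('<input name="%s" value="%s">' % (key, value))
        return "\n".join(rows)


# Constructed input: closes the value="" attribute and adds markup.
SAMPLE = '"><script>/* attacker-controlled */</script>'


def demo(hardened):
    """Stage SAMPLE without a session, then render the review page."""
    ui = StagedConfig(hardened)
    accepted = ui.stage("device_name", SAMPLE, authenticated=False)
    return accepted, ui.render_config_page()


if __name__ == "__main__":
    for mode in (False, True):
        accepted, page = demo(mode)
        print("hardened=%s accepted=%s\n%s\n" % (mode, accepted, page))
```

In the unhardened model the staged value reaches the authenticated user's page as live markup; in the hardened model the request is rejected, and a value staged by a logged-in user is still rendered inert.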

Solution

PHOENIX CONTACT has released new firmware versions for the affected devices that fix this vulnerability. Customers using these devices in an unprotected network environment are advised to update to firmware version 1.99, 2.20, or 2.40, as listed below.

Art. No. | Description                    | Generation     | Firmware | Download link
2313478  | FL COMSERVER BASIC 232/422/485 | 2nd generation | 2.40     | http://www.phoenixcontact.net/qr/2313478/firmware_update
2313452  | FL COMSERVER UNI 232/422/485   | 2nd generation | 2.40     | http://www.phoenixcontact.net/qr/2313452/firmware_update
2904681  | FL COMSERVER BAS 232/422/485-T | 2nd generation | 2.40     | http://www.phoenixcontact.net/qr/2904681/firmware_update
2904817  | FL COMSERVER UNI 232/422/485-T | 2nd generation | 2.40     | http://www.phoenixcontact.net/qr/2904817/firmware_update
2744490  | FL COM SERVER RS232            | 1st generation | 1.99     | http://www.phoenixcontact.net/qr/2744490/firmware_update
2708740  | FL COM SERVER RS485            | 1st generation | 1.99     | http://www.phoenixcontact.net/qr/2708740/firmware_update
2313300  | PSI-MODEM/ETH                  | 1st generation | 2.20     | http://www.phoenixcontact.net/qr/2313300/firmware_update

Reported by

Maxim Rupp reported this vulnerability to ICS-CERT.

ICS-CERT coordinated with PHOENIX CONTACT and CERT@VDE.