PHOENIX CONTACT Multiple Vulnerabilities in Automation Worx Software Suite

Security Advisory for Automation Worx Software Suite version 1.86 and earlier

VDE-2019-014 (2019-06-19 15:41 UTC+0200)

Affected Vendors

Phoenix Contact

Affected Products

Following components of Automationworx Software Suite version 1.86 and earlier are affected:
PC Worx
PC Worx Express
Config +

Vulnerability Type

Access of Uninitialized Pointer (CWE-824), Out-of-bounds Read (CWE-125), Use After Free (CWE-416)

Summary

A manipulated PC Worx or Config+ project file could lead to a remote code execution.
The attacker needs to get access to an original PC Worx or Config+ project file to be able to manipulate it. After manipulation the attacker needs to exchange the original file by the manipulated one on the application programming workstation.

CVE ID: CVE-2019-12869
ZDI ID: ZDI-CAN-7781
Vulnerability Type: Out-of-bounds Read (CWE-125)
CVSS: 3.3 (
CVSS:3.0:AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVE ID: CVE-2019-12870
ZDI ID: ZDI-CAN-7784
Vulnerability Type: Access of Uninitialized Pointer (CWE-824)
CVSS: 7.8 (CVSS:3.0:AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVE ID: CVE-2019-12871
ZDI ID: ZDI-CAN-7780, ZDI-CAN-7785, ZDI-CAN-7786
Vulnerability Type: Use After Free (CWE-416)
CVSS: 7.8 (CVSS:3.0:AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Impact

Availability, integrity, or confidentiality of an application programming workstation might be compromised by attacks using these vulnerabilities.
Automated systems in operation which were programmed with one of the above-mentioned products are not affected.

Solution

Temporary Fix / Mitigation

We strongly recommend customers to exchange project files only using secure file exchange services.
Project files should not be exchanged via unencrypted email.

Remediation

With the next version of Automationworx Software Suite the following measures will be implemented:

  • The zlib component will be updated to the latest version (1.2.11.0). By utilizing the latest version of zlib a manipulated BCP file is detected as corrupt. The unpacking operation is aborted and therefor the remote code execution is precluded.
  • The validation of input data will be improved.
  • Objects in the affected software components will be completely initialized.
  • Further 3rd party components will be checked for known vulnerabilities and will be exchanged or updated if required.
  • General preventive security measures will be implemented such as address space layout randomization.

Reported by

The vulnerabilities were discovered by 9sg Security Team.
Reported through Zerodayinitiative.
Coordinated by NCCIC and CERT@VDE.