PHOENIX CONTACT: Two Vulnerabilities in Automation Worx Suite

PLCopen XML file parsing in Phoenix Contact PC Worx and PC Worx Express version 1.87 and earlier can lead to a stack-based overflow. mwe file parsing in Phoenix Contact PC Worx and PC Worx Express version 1.87 and earlier is vulnerable to out-of-bounds read remote code execution.

VDE-2020-023 (2020-07-01 10:25 UTC+0200)

Affected Vendors

Phoenix Contact

Affected Products

Version 1.87 and earlier of

  • PC Worx 
  • PC Worx Express

Summary

Manipulated PC Worx project files could lead to remote code execution on the engineering workstation due to insufficient validation of input data.

To exploit these vulnerabilities, the attacker first needs access to an original PC Worx project in order to manipulate the data inside the project folder. The attacker then needs to replace the original files with the manipulated ones on the application programming workstation, and a user must open the project there (user interaction is required, as reflected in the CVSS vector).

CVE-ID: CVE-2020-12497
ZDI-ID: ZDI-CAN-10147
CWE: Stack-based Buffer Overflow (CWE-121)
CVSS: 7.8 (CVSS3.0:AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Description: PLCopen XML file parsing in Phoenix Contact PC Worx and PC Worx Express version 1.87 and earlier can lead to a stack-based overflow.

CVE-ID: CVE-2020-12498
ZDI-ID: ZDI-CAN-10586
CWE: Out-of-bounds Read (CWE-125)
CVSS: 7.8 (CVSS3.0:AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Description: mwe file parsing in Phoenix Contact PC Worx and PC Worx Express version 1.87 and earlier is vulnerable to an out-of-bounds read that can lead to remote code execution.

Impact

Availability, integrity, or confidentiality of an application programming workstation might be compromised by attacks using these vulnerabilities.
Automated systems in operation which were programmed with one of the above-mentioned products are not affected.

Solution

Temporary Fix / Mitigation

We strongly recommend that customers exchange project files only via secure file exchange services. Project files should not be exchanged via unencrypted email.
In addition, we recommend exchanging or storing project files together with a checksum so that their integrity can be verified before a project is opened. Note that a checksum only detects modification; it does not make a project from an untrusted source safe to open.
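The following is an added example of the integrity check recommended above. It is not tooling from Phoenix Contact or CERT@VDE, and the project layout, file names, contents and key in it are constructed for illustration. It builds a manifest of keyed hashes (HMAC-SHA256) over every file in a project folder and later verifies the folder against that manifest, reporting modified, missing and added files. A keyed hash is used rather than a plain checksum because an attacker who can replace the project files on the workstation can just as easily replace a plain checksum stored next to them; the key (or, with plain hashes, the manifest itself) therefore has to travel over a channel separate from the project files.

```python
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def file_mac(path: Path, key: bytes) -> str:
    """HMAC-SHA256 of a file's contents, streamed so large project archives work."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_manifest(project_dir: Path, key: bytes) -> dict:
    """Map every file below project_dir (relative POSIX path) to its keyed hash."""
    root = Path(project_dir)
    return {
        p.relative_to(root).as_posix(): file_mac(p, key)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(project_dir: Path, manifest: dict, key: bytes) -> dict:
    """Compare a project folder against a manifest; list modified, missing and added files."""
    current = build_manifest(project_dir, key)
    modified = sorted(
        name for name, mac in manifest.items()
        if name in current and not hmac.compare_digest(mac, current[name])
    )
    missing = sorted(name for name in manifest if name not in current)
    added = sorted(name for name in current if name not in manifest)
    return {
        "ok": not (modified or missing or added),
        "modified": modified,
        "missing": missing,
        "added": added,
    }


def demo() -> tuple:
    """Constructed scenario: a fake project folder, its manifest, then a swapped .mwe file."""
    # Hypothetical key; in practice it is agreed out of band, never shipped with the files.
    key = b"assumed-shared-key-exchanged-out-of-band"
    tmp = Path(tempfile.mkdtemp())
    try:
        project = tmp / "PumpStation"
        (project / "Plc").mkdir(parents=True)
        # Constructed placeholder contents; these are not real PC Worx or PLCopen files.
        (project / "PumpStation.mwe").write_bytes(b"<constructed mwe project data>")
        (project / "Plc" / "Main.xml").write_bytes(
            b"<project xmlns='http://www.plcopen.org/xml/tc6_0200'/>"
        )

        manifest = build_manifest(project, key)
        clean = verify_manifest(project, manifest, key)  # untouched folder: ok

        # The attacker's step from the advisory: the original .mwe is replaced by a manipulated copy.
        (project / "PumpStation.mwe").write_bytes(b"<constructed mwe data with bogus object count>")
        tampered = verify_manifest(project, manifest, key)  # PumpStation.mwe reported as modified

        return clean, tampered, json.dumps(manifest, indent=2)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    clean, tampered, manifest_json = demo()
    print(manifest_json)
    print("before swap:", clean)
    print("after swap: ", tampered)
```

In use, the sender runs build_manifest over the project folder and transmits the manifest separately from the project archive; the recipient runs verify_manifest and refuses to open the project in PC Worx if the result is not ok. Swapping the HMAC for plain SHA-256 is acceptable only if the manifest itself is delivered over an independent, trusted channel.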

Remediation

The next version of the Automation Worx Software Suite will implement stricter input data validation: buffer sizes will be checked, and the size and number of objects that a file claims to reference will be validated against the actual file contents before they are used.

Reported by

ZDI-CAN-10147 was discovered by Natnael Samson working with Trend Micro Zero Day Initiative
ZDI-CAN-10586 was discovered by mdm working with Trend Micro Zero Day Initiative

Phoenix Contact reported the vulnerabilities to CERT@VDE