PHOENIX CONTACT: Improper path sanitation on import of project files in PLCnext Engineer

In PHOENIX CONTACT PLCnext Engineer version 2020.3.1 and earlier an improper path sanitation vulnerability exists on import of project files.

VDE-2020-025 (2020-07-21 11:38 UTC+0200)

CVE Identifier

CVE-2020-12499

Severity

8.2 (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

Affected Vendors

PHOENIX CONTACT

Affected Products

PLCnext Engineer (1046008) 2020.3.1 and earlier

Vulnerability Type

Improper Limitation of a Pathname to a Restricted Directory (CWE-22)

Summary

The build settings of a PLCnext Engineer project (.pcwex) can be manipulated in a way that can result in the execution of remote code.
The attacker needs to get access to a PLCnext Engineer project to be able to manipulate files inside. Additionally, the files of the remote code need to be transferred to a location which can be accessed by the PC that runs PLCnext Engineer. When PLCnext Engineer runs a build process of the manipulated project the remote code can be executed.

Impact

Availability, integrity, or confidentiality of an engineering workstation might be compromised by attacks using these vulnerabilities.

Solution

Temporary Fix / Mitigation

We strongly recommend customers to exchange project files only using secure file exchange
services. Project files should not be exchanged via unencrypted email. Users should avoid
importing project files from unknown source and exchange or store project files together with a
checksum to ensure their integrity.

Remediation

Phoenix Contact strongly recommends updating to the latest version PLCnext Enineer 2020.6 or
higher, which fixes this vulnerability.

Reported by

This vulnerability was discovered and reported by Amir Preminger of Claroty.
PHOENIX CONTACT reported the vulnerability to CERT@VDE