PHOENIX CONTACT: Improper path sanitation on import of project files in PLCnext Engineer
VDE-2020-025 (2020-07-21 10:38 UTC+0100)
CVE Identifier
CVE-2020-12499Affected Vendors
PHOENIX CONTACT
Affected Products
PLCnext Engineer (1046008) 2020.3.1 and earlier
Vulnerability Type
Improper Limitation of a Pathname to a Restricted Directory (CWE-22)
Summary
The build settings of a PLCnext Engineer project (.pcwex) can be manipulated in a way that can result in the execution of remote code.
The attacker needs to get access to a PLCnext Engineer project to be able to manipulate files inside. Additionally, the files of the remote code need to be transferred to a location which can be accessed by the PC that runs PLCnext Engineer. When PLCnext Engineer runs a build process of the manipulated project the remote code can be executed.
Impact
Availability, integrity, or confidentiality of an engineering workstation might be compromised by attacks using these vulnerabilities.
Solution
Temporary Fix / Mitigation
We strongly recommend customers to exchange project files only using secure file exchange
services. Project files should not be exchanged via unencrypted email. Users should avoid
importing project files from unknown source and exchange or store project files together with a
checksum to ensure their integrity.
Remediation
Phoenix Contact strongly recommends updating to the latest version PLCnext Enineer 2020.6 or
higher, which fixes this vulnerability.
Reported by
This vulnerability was discovered and reported by Amir Preminger of Claroty.
PHOENIX CONTACT reported the vulnerability to CERT@VDE