PHOENIX CONTACT: Multiple vulnerabilities in PLCnext Control devices

Multiple Vulnerabilities in PLCnext devices running firmware 2020.1 LTS: Authenticated stored Cross-Site-Scripting, unintended information disclosure, privilege escalation.

VDE-2020-049 (2020-12-17 11:00 UTC+0200)

Affected Vendors

PHOENIX CONTACT

Affected Products

Article no   Article                        Affected versions   Fixed version
1151412      AXC F 1152                     < 2021.0 LTS        2021.0 LTS
2404267      AXC F 2152                     < 2021.0 LTS        2021.0 LTS
1069208      AXC F 3152                     < 2021.0 LTS        2021.0 LTS
1051328      RFC 4072S                      < 2021.0 LTS        2021.0 LTS
1046568      AXC F 2152 Starterkit          < 2021.0 LTS        2021.0 LTS
1188165      PLCnext Technology Starterkit  < 2021.0 LTS        2021.0 LTS

Vulnerability Type

Improper Neutralization of Input (CWE-79)

Summary

Multiple vulnerabilities have been identified in PLCnext Control devices. Please consult section "Impact" for details.

Impact

CVE-ID: CVE-2020-12517
CWE: Improper Neutralization of Input (XSS) (CWE-79)
CVSS: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Description: An authenticated low privileged user could embed malicious JavaScript code to gain admin rights when the admin user visits the vulnerable website (local privilege escalation).

CVE-ID: CVE-2020-12518
CWE: Exposure of Sensitive Information (CWE-200)
CVSS: 5.5 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Description: An attacker can use the knowledge gained by reading the insufficiently protected sensitive information to plan further attacks.

CVE-ID: CVE-2020-12519
CWE: Improper Privilege Management (CWE-269)
CVSS: 8.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Description: An attacker can use this vulnerability, e.g., to open a reverse shell with root privileges.

CVE-ID: CVE-2020-12521
CWE: Improper Input Validation (CWE-20)
CVSS: 6.5 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Description: A specially crafted LLDP packet may lead to a high system load in the PROFINET stack. An attacker can cause failure of system services or a complete reboot.

Solution

Phoenix Contact recommends that affected users upgrade to the current firmware 2021.0 LTS or higher, which fixes these vulnerabilities.

Mitigation/Temporary Fix

Phoenix Contact recommends operating network-capable devices in closed networks or protecting them with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection (PDF)

Reported by

The vulnerabilities CVE-2020-12517, CVE-2020-12518 and CVE-2020-12519 were discovered by Patrick Muench, Torsten Loebner, Maurice Rothe, Pascal Keul and Daniel Hackel of SVA Systemvertrieb Alexander GmbH.

CERT@VDE coordinated.