Share: Email | Twitter

ID

VDE-2021-019

Published

2021-06-23 14:14 (CEST)

Last update

2021-06-23 14:14 (CEST)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
ILC1x0 all versions
ILC1x1 all versions

Summary

Phoenix Contact Classic Line industrial controllers are developed and designed for the use in closed industrial networks. The communication protocols and device access do not feature authentication measures. Remote attackers can use specially crafted IP packets to cause a denial of service on the PLC's network communication module (CWE-770).


Last Update:

7. Juli 2021 13:10

Weakness

Allocation of Resources Without Limits or Throttling  (CWE-770) 

Summary

Phoenix Contact Classic Line Controllers ILC1x0 and ILC1x1 in all versions/variants are affected by a Denial-of-Service vulnerability. The communication protocols and device access do not feature authentication measures. Remote attackers can use specially crafted IP packets to cause a denial of service on the PLC's network communication module. A successful attack stops all network communication. To restore the network connectivity the device needs to be restarted. The automation task is not affected.

Impact

A successful attack stops all network communication. To restore the network connectivity the device needs to be restarted. The automation task is not affected.

Solution

Temporary Fix / Mitigation

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to the Phoenix Contact application note:
Measures to protect network-capable devices with Ethernet connection

Reported by

This vulnerability was discovered by the Industrial Control Security Laboratory of Qi An Xin Technology Group Inc. from China and reported to CERT@VDE.
We kindly appreciate the coordinated disclosure of this vulnerability by the finder.
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.