PHOENIX CONTACT : Niche Ethernet Stack for ILC1x0, ILC1x1 and AXC 1050 Industrial controllers and CHARX control DC

Niche Ethernet stack vulnerabilities can lead to Denial of Service and Breach of Integrity if triggered by specially crafted IP packets.

VDE-2021-032 (2021-08-04 09:56 UTC+0200)

Affected Vendors

Phoenix Contact

Affected Products

Article no.                              Article            Affected versions
2700973, 2700974, 2700975, 2700976,      ILC1x1             All firmware versions
2701034, 2701141
All variants                             ILC1x0             All firmware versions
2700988, 2701295                         AXC 1050           All firmware versions
1624130                                  EV-PLCC-AC1-DC1    All firmware versions

Summary

The third-party Niche Ethernet stack used in these products has several vulnerabilities that were disclosed by the security research community.
Phoenix Contact Classic Line industrial controllers are developed and designed for use in closed industrial networks. The communication protocols and device access do not feature authentication measures. Remote attackers can use specially crafted IP packets to cause a Denial of Service or a Breach of Integrity of the PLC.

Denial of Service

CVE-2020-35683: Integer overflow in ICMP packet demultiplexing function
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CWE-20: Improper Input Validation
Description: The code that parses ICMP packets relies on an unchecked value of the IP payload size (extracted from the IP header) to compute the ICMP checksum. When the IP payload size is set to be smaller than the size of the IP header, the ICMP checksum computation function may read out of bounds.

CVE-2020-35684: Integer overflow in TCP checksum calculation function
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CWE-20: Improper Input Validation
Description: The code that parses TCP packets relies on an unchecked value of the IP payload size (extracted from the IP header) to compute the length of the TCP payload within the TCP checksum computation function. When the IP payload size is set to be smaller than the size of the IP header, the TCP checksum computation function may read out of bounds. A low-impact write-out-of-bounds is also possible.

CVE-2021-31400: Infinite loop in TCP urgent data processing function
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CWE-248: Uncaught Exception
Description: The TCP out-of-band urgent data processing function invokes a panic function if the pointer to the end of the urgent data points outside the TCP segment's data. If the trap invocation in the panic function has not been removed, this results in an infinite loop and therefore a DoS (continuous loop or a device reset).

CVE-2021-31401: Integer overflow in TCP header processing function
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CWE-20: Improper Input Validation
Description: The TCP header processing code does not sanitize the IP total length field (header + data). With a crafted IP packet whose total length is smaller than the header length, the unsigned subtraction that computes the IP data length (total length minus header length) wraps around to a very large value.
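The three length-handling issues above (CVE-2020-35683, CVE-2020-35684 and CVE-2021-31401) share one root cause: a payload length derived from the IPv4 total-length field without first checking it against the header length and against the number of bytes actually received. The following is an added example written for this advisory, not NicheStack or Phoenix Contact source. It shows the vulnerable computation beside a hardened one, with a constructed 28-byte ICMP echo packet whose total-length field (8) is smaller than its own 20-byte header; the packet bytes, function names and the IPV4_MIN_HDR constant are assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical example code for this advisory, not NicheStack or Phoenix Contact
 * source. It shows the root cause shared by CVE-2020-35683, CVE-2020-35684 and
 * CVE-2021-31401: deriving a payload length from the IPv4 total-length field
 * without checking it against the header length and the bytes actually received. */

#define IPV4_MIN_HDR 20u

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable pattern: total_len is trusted. When total_len < IHL*4 the 16-bit
 * result wraps (8 - 20 becomes 65524), so a checksum loop over that many bytes
 * reads far past the end of the receive buffer. */
uint16_t ipv4_payload_len_unchecked(const uint8_t *pkt)
{
    uint16_t ihl_bytes = (uint16_t)((pkt[0] & 0x0F) * 4);
    uint16_t total_len = be16(pkt + 2);
    return (uint16_t)(total_len - ihl_bytes);
}

/* Hardened version: every length is bounded by what was received before it is
 * used. Returns the payload length (0..65535) or -1 if the packet must be dropped. */
int ipv4_payload_len_checked(const uint8_t *pkt, size_t recv_len)
{
    if (recv_len < IPV4_MIN_HDR || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl_bytes = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl_bytes < IPV4_MIN_HDR || ihl_bytes > recv_len)
        return -1;                       /* IHL below 5 words, or options overrun */
    size_t total_len = be16(pkt + 2);
    if (total_len < ihl_bytes || total_len > recv_len)
        return -1;                       /* total length shorter than the header */
    return (int)(total_len - ihl_bytes);
}

/* RFC 1071 Internet checksum; returns 0 when run over data that includes a
 * correct checksum field. */
uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) { sum += be16(data); data += 2; len -= 2; }
    if (len) sum += (uint32_t)data[0] << 8;
    while (sum >> 16) sum = (sum & 0xFFFFu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* ICMP demultiplexing done safely: 1 = accept, 0 = drop. The checksum is only
 * computed over a length that has already been validated. */
int icmp_accept(const uint8_t *pkt, size_t recv_len)
{
    int plen = ipv4_payload_len_checked(pkt, recv_len);
    if (plen < 8 || pkt[9] != 1)         /* ICMP header is 8 bytes, protocol 1 */
        return 0;
    size_t ihl_bytes = (size_t)(pkt[0] & 0x0F) * 4;
    return inet_checksum(pkt + ihl_bytes, (size_t)plen) == 0;
}

/* Constructed test packets (20-byte header + 8-byte ICMP echo request, 28 bytes
 * on the wire). Only the total-length field differs. */
const uint8_t crafted_pkt[28] = {
    0x45, 0x00, 0x00, 0x08,              /* IHL=5, total_len=8 < header size */
    0x00, 0x01, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    0xc0, 0xa8, 0x01, 0x64, 0xc0, 0xa8, 0x01, 0x01,
    0x08, 0x00, 0xf7, 0xff, 0x00, 0x00, 0x00, 0x00   /* echo request, valid checksum */
};
const uint8_t valid_pkt[28] = {
    0x45, 0x00, 0x00, 0x1c,              /* total_len=28, consistent with the buffer */
    0x00, 0x01, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    0xc0, 0xa8, 0x01, 0x64, 0xc0, 0xa8, 0x01, 0x01,
    0x08, 0x00, 0xf7, 0xff, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    printf("unchecked payload length of crafted packet: %u\n",
           ipv4_payload_len_unchecked(crafted_pkt));
    printf("checked: crafted=%d valid=%d\n",
           ipv4_payload_len_checked(crafted_pkt, sizeof crafted_pkt),
           ipv4_payload_len_checked(valid_pkt, sizeof valid_pkt));
    printf("icmp_accept: crafted=%d valid=%d\n",
           icmp_accept(crafted_pkt, sizeof crafted_pkt),
           icmp_accept(valid_pkt, sizeof valid_pkt));
    return 0;
}
```

The same bound (header length <= total length <= bytes received) is what the TCP path needs before it subtracts the TCP header length to obtain the segment payload length for the checksum; without it the subtraction in CVE-2020-35684 wraps in exactly the way ipv4_payload_len_unchecked shows.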

CVE-2021-31227: Parsing HTTP POST causes heap buffer overflow
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CWE-839: Numeric Range Comparison Without Minimum Check
Description: A heap buffer overflow exists in the code that parses the HTTP POST request due to an incorrect signed integer comparison.

Breach of Integrity

CVE-2020-35685: Predictable TCP Initial Sequence Number (ISN) generation can be abused for TCP Connection Hijacking/Spoofing 
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CWE-330: Use of Insufficiently Random Values
Description: TCP ISNs are generated in a predictable manner.

Impact

A successful attack on the Niche Ethernet stack can lead to a Denial of Service or a Breach of Integrity of the PLC.

Solution

Temporary Fix / Mitigation

Customers using Phoenix Contact Classic Line Controllers are strongly recommended to operate the devices in closed networks or protected by a suitable firewall, as intended. For detailed information on our recommended measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection

Remediation

Phoenix Contact Classic Line Controllers are designed and developed for use in closed industrial networks. The control and configuration protocols do not feature authentication mechanisms by design. Phoenix Contact therefore strongly recommends using the devices exclusively in closed networks protected by a suitable firewall.
Phoenix Contact is offering the mGuard product family for network segmentation and protection.

Reported by

These vulnerabilities were discovered and reported by Forescout Technologies, Inc.
We appreciate the coordinated disclosure of these vulnerabilities by the finder.

PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.