The communication between e!Cockpit and the programmable logic controller is not encrypted. The broken cryptographic algorithm allows an attacker to decode the password for the e!Cockpit communication and with this to manipulate the application.
The password used by e!Cockpit for authentication against the PLC is encrypted with a hard- coded key. An attacker is able to decrypt the password by listening to the network traffic.
Multiple Vulnerabilities exist in components used by the aforementioned products. See CVE-Details for more information.
CVS-2019-12255
Wind River VxWorks has a Buffer Overflow in the TCP component (issue 1 of 4). This is an IPNET security vulnerability: TCP Urgent Pointer = 0 that leads to an integer underflow.
The vulnerability affects a little-known feature of the TCP/IP protocol, sending out-of-band data, also known as urgent data. Although the feature is rarely used in the real world, its implementation, consisting of an “Urgent Flag” and an “Urgent Pointer”, is present in the header of every TCP packet. Exploiting these vulnerabilities does therefore not depend on any specific configuration. If a VxWorks device communicates using the TCP protocol, it is vulnerable. It also does not matter which side initiates a TCP connection. An attacker can exploit the vulnerabilities if the VxWorks device is operated as a server that accepts TCP connections, if the VxWorks device connects to a malicious host operated by the attacker, or as a man-in-the-middle, manipulating a TCP connection between the VxWorks device and a legitimate host.
CVE-2019-12258
This vulnerability affects established TCP sessions. An attacker who can figure out the source and destination TCP port and IP addresses of a session can inject invalid TCP segments into the flow, causing the TCP session to be reset.
Phoenix Contact Emalytics Controller ILC 2050 BI are developed and designed for the use in protected building automation networks.
An issue was discovered on Phoenix Contact Emalytics Controller ILC 2050 BI before 1.2.3 and BI-L before 1.2.3 devices. There is an insecure mechanism for read and write access to the configuration of the device. The mechanism can be discovered by examining a link on the website of the device.
The reported vulnerabilities allow a remote attacker to change the setting, delete the application, set the device to factory defaults, code execution and to cause a system crash or denial of service.
Note(s)
The following products are affected by the listed vulnerabilities:
Series PFC100 (750-81xx/xxx-xxx)
Series PFC200 (750-82xx/xxx-xxx)
The following products are affected by the vulnerability CVE-2019-5078
750-852, 750-831/xxx-xxx, 750-881, 750-880/xxx-xxx, 750-889
750-823, 750-832/xxx-xxx, 750-862, 750-890/xxx-xxx, 750-891
Multiple issues have been found. Please check the CVEs for details.
If MAC-based port security or 802.1x port security is enabled, the FL NAT 2xxx will unintentionally grant access to unauthorized devices in case of routed transmission.
Subnet 2---(Ports belonging to subnet 2)
|
FL NAT 2xxx
|
(Ports belonging to subnet 1, port sec ON)---- 2nd device
|
-- unauthorized device
The unauthorized device can access other devices in subnet 2 but cannot access the 2nd device in subnet 1
Manipulated PC Worx or Config+ projects could lead to a remote code execution due to
insufficient input data validation.
The attacker needs to get access to an original PC Worx or Config+ project to be able to
manipulate data inside the project folder. After manipulation the attacker needs to exchange the
original files by the manipulated ones on the application programming workstation.