
ID

VDE-2019-015

Published

2022-06-21 07:14 (CEST)

Last update

2022-06-21 07:14 (CEST)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No.  Product Name         Affected Version(s)
2700988      AXC 1050             all versions
2701295      AXC 1050 XC          all versions
2700989      AXC 3050             all versions
2730844      FC 350 PCI ETH       all versions
             ILC1x0               all versions
             ILC1x1               all versions
2700977      ILC 1x1 GSM/GPRS     all versions
2700291      PC WORX RT BASIC     all versions
2701680      PC WORX SRT          all versions
2730190      RFC 430 ETH-IB       all versions
2730200      RFC 450 ETH-IB       all versions
2700784      RFC 460R PN 3TX      all versions
1096407      RFC 460R PN 3TX-S    all versions
2916600      RFC 470 PN 3TX       all versions
2916794      RFC 470S PN 3TX      all versions
2404577      RFC 480S PN 4TX      all versions

Summary

Phoenix Contact Classic Line industrial controllers (the ILC1x0 and ILC1x1 product families as well as the AXIOLINE controllers AXC1050 and AXC3050) are developed and designed for use in closed industrial networks. The communication protocols used for device management and configuration do not provide authentication.

Update A, 2022-06-21

This updated version lists additional affected products.
In addition, a new application note for classic line controllers has been published so that customers can find out how to disable the unauthenticated communication ports without having to consult each controller's manual.


Weakness

Improper Authentication (CWE-287)

Summary

Phoenix Contact ILC 131 ETH, ILC 131 ETH/XC, ILC 151 ETH, ILC 151 ETH/XC, ILC 171 ETH 2TX, ILC 191 ETH 2TX, ILC 191 ME/AN, and AXC 1050 devices allow remote attackers to establish TCP sessions to port 1962 and obtain sensitive information or make changes, as demonstrated by using the Create Backup feature to traverse all directories.

Impact

If the above-mentioned controllers are used in an unprotected open network, an unauthorized attacker can change or download the device code/configuration, start or stop services, update or modify the firmware, or shut down the device.

Solution

Mitigation

Customers using Phoenix Contact classic line controllers are advised to operate the devices as intended: in closed networks or protected by a suitable firewall.

For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note for classic line controllers.

If operating an affected controller in a protected zone is not feasible, the OT communication protocols should be disabled, either via the CPU services on the console or via Web-based Management (WBM), depending on the controller type.
Which controllers support disabling communication protocols, and from which firmware version, is described in our application note for classic line controllers or in the manual for the respective controller, which is available for download from the Phoenix Contact website.

Controllers supporting CPU services or WBM for disabling communication protocols:

Article              Article Number   Minimum firmware version
ILC 1x0              All variants     not possible
ILC 1x1              All variants     >= FW 4.42
ILC 1x1 GSM/GPRS     2700977          >= FW 4.42
ILC 3xx              All variants     FW 3.98
AXC 1050             2700988          >= FW 3.01, FW 5.00 (WBM)
AXC 1050 XC          2701295          >= FW 3.01, FW 5.00 (WBM)
AXC 3050             2700989          >= FW 5.60, FW 6.30 (WBM)
RFC 480S PN 4TX      2404577          FW 6.10
RFC 470 PN 3TX       2916600          >= FW 4.20
RFC 470S PN 3TX      2916794          >= FW 4.20
RFC 460R PN 3TX      2700784          >= FW 5.00
RFC 460R PN 3TX-S    1096407          FW 5.30
RFC 430 ETH-IB       2730190          not possible
RFC 450 ETH-IB       2730200          not possible
PC WORX SRT          2701680          not possible
PC WORX RT BASIC     2700291          not possible
FC 350 PCI ETH       2730844          not possible
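
One way to check that the firewall mitigation above is holding, as an added example that is not part of the original advisory: the script scans flow records for TCP sessions to port 1962 (the port named in this advisory) that reach controllers from hosts outside an allowlist. The record format, the address ranges and the sample records are constructed assumptions; adapt them to your own firewall or flow export.

```python
import csv
import io
import ipaddress
from collections import Counter

# TCP port this advisory names for the unauthenticated management service.
MGMT_PORTS = {1962}
# Assumption: engineering workstations permitted to manage the controllers.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/28")]
# Assumption: address range in which the controllers are installed.
CONTROLLER_NET = ipaddress.ip_network("10.20.5.0/24")

# Constructed sample flow records: time,src,dst,proto,dport,action
SAMPLE_FLOWS = """\
2022-06-21T08:00:01,10.20.0.5,10.20.5.11,tcp,1962,allow
2022-06-21T08:02:17,10.30.7.44,10.20.5.11,tcp,1962,allow
2022-06-21T08:02:19,10.30.7.44,10.20.5.11,tcp,1962,allow
2022-06-21T08:05:40,192.0.2.9,10.20.5.12,tcp,1962,deny
2022-06-21T08:06:02,10.30.7.44,10.20.5.11,tcp,80,allow
2022-06-21T08:07:30,10.30.7.44,10.20.5.13,udp,1962,allow
not,a,valid,record
"""


def audit_flows(text, ports=MGMT_PORTS, allowed=ALLOWED_SOURCES, controllers=CONTROLLER_NET):
    """Count management-port flows to controllers from non-allowlisted sources.
    Returns a Counter keyed by (src, dst, dport, action)."""
    findings = Counter()
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 6:
            continue  # skip malformed or blank lines
        _, src, dst, proto, dport, action = (f.strip() for f in row)
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # unparsable address or port
        if proto.lower() != "tcp" or port not in ports or dst_ip not in controllers:
            continue
        if any(src_ip in net for net in allowed):
            continue  # expected management traffic
        findings[(src, dst, port, action.lower())] += 1
    return findings


def exposed(findings):
    """Flows the firewall let through: these controllers are reachable."""
    return sorted(k for k in findings if k[3] == "allow")
```

Entries returned by `exposed()` mean a non-allowlisted host completed a path to the management port; denied entries show the firewall working but are still worth reviewing as probing activity.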

Reported by

This vulnerability was reported by Sergiu Sechel and re-discovered by Forescout.
We kindly appreciate the coordinated disclosure of this vulnerability by the finder.
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.