Share: Email | Twitter

ID

VDE-2020-003

Published

2020-03-05 16:58 (CET)

Last update

2020-03-05 16:58 (CET)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
2702886 TC CLOUD CLIENT 1002-4G <= 2.03.17
2702888 TC CLOUD CLIENT 1002-4G ATT <= 2.03.17
2702887 TC CLOUD CLIENT 1002-4G VZW <= 2.03.17
2702885 TC CLOUD CLIENT 1002-TXTX <= 1.03.17
2702529 TC ROUTER 2002T-3G <= 2.05.3
2702531 TC ROUTER 2002T-3G <= 2.05.3
2702528 TC ROUTER 3002T-4G <= 2.05.3
2702530 TC ROUTER 3002T-4G <= 2.05.3
2702533 TC ROUTER 3002T-4G ATT <= 2.05.3
2702532 TC ROUTER 3002T-4G VZW <= 2.05.3

Summary

Multiple Vulnerabilities exist in components used by the aforementioned products. See CVE-Details for more information.

Vulnerabilities



Last Update
18. Februar 2020 09:23
Weakness
Improper Control of Generation of Code ('Code Injection') (CWE-94)
Summary
In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.
Last Update
6. April 2020 09:47
Weakness
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Summary

PHOENIX CONTACT TC ROUTER 3002T-4G through 2.05.3, TC ROUTER 2002T-3G through 2.05.3, TC ROUTER 3002T-4G VZW through 2.05.3, TC ROUTER 3002T-4G ATT through 2.05.3, TC CLOUD CLIENT 1002-4G through 2.03.17, and TC CLOUD CLIENT 1002-TXTX through 1.03.17 devices allow authenticated users to inject system commands through a modified POST request to a specific URL.

Last Update
6. April 2020 09:47
Weakness
Use of Hard-coded Credentials (CWE-798)
Summary
PHOENIX CONTACT TC ROUTER 3002T-4G through 2.05.3, TC ROUTER 2002T-3G through 2.05.3, TC ROUTER 3002T-4G VZW through 2.05.3, TC ROUTER 3002T-4G ATT through 2.05.3, TC CLOUD CLIENT 1002-4G through 2.03.17, and TC CLOUD CLIENT 1002-TXTX through 1.03.17 devices contain a hardcoded certificate (and key) that is used by default for web-based services on the device. Impersonation, man-in-the-middle, or passive decryption attacks are possible if the generic certificate is not replaced by a device-specific certificate during installation.

Impact

CVE-2017-16544
This Vulnerability could potentially result in code execution, arbitrary file writes, or other attacks.
The impact of this vulnerability on the device is limited because shell access is only possible with administrator privileges.

CVE-2020-9436
An attacker can abuse this vulnerability to compromise the operating system of the device by injecting system commands.

CVE-2020-9435
These attacks could allow an attacker to gain access to sensitive information like admin credentials, configuration parameters or status information and use them in further attacks.

Solution

Mitigation

The pre-installed generic X.509 certificate should be renewed or replaced by an individual certificate during initial configuration. For details on replacing this certificate please refer to the user manual on page 51 et seq. Press “renew” to create a new self-signed device certificate or upload a user specific certificate with the upload dialog.

To avoid the manual generation of an individual certificate, the devices will be shipped with individual certificates starting with a future release.

Remediation

Phoenix Contact strongly recommended to update affected devices to newest Firmware version:

Article name Article number Fixed version Link
TC ROUTER
TC ROUTER 3002T-4G 2702528 2.05.4 download
TC ROUTER 3002T-4G 2702530 2.05.4 download
TC ROUTER 2002T-3G 2702529 2.05.4 download
TC ROUTER 2002T-3G 2702531 2.05.4 download
TC ROUTER 3002T-4G VZW 2702532 2.05.4 download
TC ROUTER 3002T-4G ATT 2702533 2.05.4 download
TC CLOUD CLIENT
TC CLOUD CLIENT 1002-4G 2702886 2.03.18 download
TC CLOUD CLIENT 1002-4G VZW 2702887 2.03.18 download
TC CLOUD CLIENT 1002-4G ATT 2702888 2.03.18 download
TC CLOUD CLIENT 1002-TXTX 2702885 1.03.18 download

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall.

Reported by

This vulnerability was discovered and reported by Thomas Weber, SEC Consult Vulnerability Lab.
Phoenix Contact reported the vulnerability to CERT@VDE.