
ID

VDE-2020-003

Published

2020-03-05 16:58 (CET)

Last update

2020-04-14 11:36 (CEST)

Vendor(s)

PHOENIX CONTACT

Product(s)

| Article | Article number | Version |
|---|---|---|
| TC ROUTER | | |
| TC ROUTER 3002T-4G | 2702528 | <= 2.05.3 |
| TC ROUTER 3002T-4G | 2702530 | <= 2.05.3 |
| TC ROUTER 2002T-3G | 2702529 | <= 2.05.3 |
| TC ROUTER 2002T-3G | 2702531 | <= 2.05.3 |
| TC ROUTER 3002T-4G VZW | 2702532 | <= 2.05.3 |
| TC ROUTER 3002T-4G ATT | 2702533 | <= 2.05.3 |
| TC CLOUD CLIENT | | |
| TC CLOUD CLIENT 1002-4G | 2702886 | <= 2.03.17 |
| TC CLOUD CLIENT 1002-4G VZW | 2702887 | <= 2.03.17 |
| TC CLOUD CLIENT 1002-4G ATT | 2702888 | <= 2.03.17 |
| TC CLOUD CLIENT 1002-TXTX | 2702885 | <= 1.03.17 |

Summary

Multiple vulnerabilities exist in components used by the aforementioned products. See CVE-Details for more information.

Vulnerabilities



Weakness
Improper Control of Generation of Code ('Code Injection') (CWE-94)
Summary
In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize ...

Weakness
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Summary
PHOENIX CONTACT TC ROUTER 3002T-4G through 2.05.3, TC ROUTER 2002T-3G through 2.05.3, TC ROUTER 3002T-4G VZW through 2.05.3, TC ROUTER 3002T-4G ATT through 2.05.3, TC CLOUD CLIENT 1002-4G through 2.03.17, ...

Weakness
Use of Hard-coded Credentials (CWE-798)
Summary
PHOENIX CONTACT TC ROUTER 3002T-4G through 2.05.3, TC ROUTER 2002T-3G through 2.05.3, TC ROUTER 3002T-4G VZW through 2.05.3, TC ROUTER 3002T-4G ATT through 2.05.3, TC CLOUD CLIENT 1002-4G through 2.03.17, ...

Impact

CVE-2017-16544
This vulnerability could potentially result in code execution, arbitrary file writes, or other attacks.
The impact of this vulnerability on the device is limited because shell access is only possible with administrator privileges.

CVE-2020-9436
An attacker can abuse this vulnerability to compromise the operating system of the device by injecting system commands.

CVE-2020-9435
These attacks could allow an attacker to gain access to sensitive information like admin credentials, configuration parameters or status information and use them in further attacks.

Solution

Mitigation

The pre-installed generic X.509 certificate should be renewed or replaced by an individual certificate during initial configuration. For details on replacing this certificate, please refer to the user manual on page 51 et seq. Press “renew” to create a new self-signed device certificate, or upload a user-specific certificate with the upload dialog.

To avoid the manual generation of an individual certificate, the devices will be shipped with individual certificates starting with a future release.
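
One way to check a fleet for the mitigation above, as an added example that is not part of the advisory or Phoenix Contact's tooling: it groups devices by the SHA-256 fingerprint of the certificate each one presents and reports any fingerprint served by more than one device. It assumes the pre-installed generic certificate is identical across units; the host names and certificate bytes are constructed stand-ins.

```python
import hashlib
import socket
import ssl
from collections import defaultdict


def fetch_der(host, port=443, timeout=5.0):
    """Return the certificate a device presents, as DER bytes.

    Validation is off on purpose: the devices use self-signed certificates
    and only the fingerprint is compared, nothing is trusted.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def audit(certs, known_default=None):
    """Map fingerprint -> devices for every certificate that should be replaced.

    certs is {device: DER bytes}. A certificate is flagged when more than one
    device presents it, or when it matches known_default (the fingerprint of
    a certificate already identified as the pre-installed one, if you have it).
    """
    groups = defaultdict(list)
    for device, der in certs.items():
        groups[fingerprint(der)].append(device)
    return {fp: sorted(devs) for fp, devs in groups.items()
            if len(devs) > 1 or fp == known_default}


# Constructed stand-ins for DER certificates; in use, build this dict with
# {host: fetch_der(host) for host in inventory}.
SAMPLE = {
    "router-a.example": b"constructed-generic-certificate",
    "router-b.example": b"constructed-generic-certificate",
    "router-c.example": b"constructed-individual-certificate",
}

if __name__ == "__main__":
    for fp, devices in audit(SAMPLE).items():
        print(fp[:16], "shared by", ", ".join(devices))
```

A device that appears in the result still needs its certificate renewed or replaced as described above; an empty result means every audited device presents a distinct certificate.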

Remediation

Phoenix Contact strongly recommends updating affected devices to the newest firmware version:

| Article name | Article number | Fixed version | Link |
|---|---|---|---|
| TC ROUTER | | | |
| TC ROUTER 3002T-4G | 2702528 | 2.05.4 | download |
| TC ROUTER 3002T-4G | 2702530 | 2.05.4 | download |
| TC ROUTER 2002T-3G | 2702529 | 2.05.4 | download |
| TC ROUTER 2002T-3G | 2702531 | 2.05.4 | download |
| TC ROUTER 3002T-4G VZW | 2702532 | 2.05.4 | download |
| TC ROUTER 3002T-4G ATT | 2702533 | 2.05.4 | download |
| TC CLOUD CLIENT | | | |
| TC CLOUD CLIENT 1002-4G | 2702886 | 2.03.18 | download |
| TC CLOUD CLIENT 1002-4G VZW | 2702887 | 2.03.18 | download |
| TC CLOUD CLIENT 1002-4G ATT | 2702888 | 2.03.18 | download |
| TC CLOUD CLIENT 1002-TXTX | 2702885 | 1.03.18 | download |

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall.

Reported by

This vulnerability was discovered and reported by Thomas Weber, SEC Consult Vulnerability Lab.
Phoenix Contact reported the vulnerability to CERT@VDE.