
ID

VDE-2020-026

Published

2020-08-20 09:11 (CEST)

Last update

2020-10-06 12:41 (CEST)

Vendor(s)

PHOENIX CONTACT

Product(s)

| Article Number | Product | Affected Versions |
|---|---|---|
| 2403160 | ILC 2050 BI | <= 1.3.0 |
| 2404671 | ILC 2050 BI-L | <= 1.3.0 |
| | Emalytics Automation Workbench N4 | <= 1.3.0 |

Summary

A timeout during a TLS handshake can result in the connection failing to terminate. This can result in a Niagara thread hanging and requires a manual restart to correct.


Weakness

Synchronous Access of Remote Resource without Timeout (CWE-1088)

Summary

A timeout during a TLS handshake can result in the connection failing to terminate. This can result in a Niagara thread hanging and requires a manual restart of Niagara (Versions 4.6.96.28, 4.7.109.20, 4.7.110.32, 4.8.0.110) and Niagara Enterprise Security (Versions 2.4.31, 2.4.45, 4.8.0.35) to correct.
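
The weakness class named above (CWE-1088), shown as an added Python example that is not Niagara or Phoenix Contact code: a server-side TLS handshake run under one overall deadline, so a peer that stalls mid-handshake cannot pin the handling thread. The function names, the 0.5 s deadline and the socket pair standing in for an accepted connection are assumptions made for illustration.

```python
import select
import socket
import ssl
import time


def handshake_with_deadline(conn, ctx, deadline_s):
    """Server-side TLS handshake bounded by one overall deadline.

    Returns the SSLSocket on success. Returns None, with the socket closed,
    if the peer stalls past the deadline or the handshake fails.
    """
    conn.setblocking(False)
    tls = ctx.wrap_socket(conn, server_side=True, do_handshake_on_connect=False)
    end = time.monotonic() + deadline_s
    while True:
        try:
            tls.do_handshake()
            return tls  # caller sets its own I/O timeout from here on
        except ssl.SSLWantReadError:
            wait = ([tls], [], [])
        except ssl.SSLWantWriteError:
            wait = ([], [tls], [])
        except (ssl.SSLError, OSError):
            tls.close()
            return None
        remaining = end - time.monotonic()
        # The deadline covers the whole handshake, so a peer that trickles
        # bytes cannot extend it the way a per-read timeout would allow.
        if remaining <= 0 or not any(select.select(*wait, remaining)):
            tls.close()  # release the descriptor and the worker thread
            return None


def demo_stalled_peer(deadline_s=0.5):
    """Constructed case: the peer connects and never sends a ClientHello."""
    server_end, silent_peer = socket.socketpair()  # stand-in for accept()
    # No certificate is loaded: the handshake never gets far enough to need one.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    start = time.monotonic()
    result = handshake_with_deadline(server_end, ctx, deadline_s)
    elapsed = time.monotonic() - start
    silent_peer.close()
    return result, elapsed


if __name__ == "__main__":
    print(demo_stalled_peer())
```

A real listener would load its certificate chain into the context and pass the socket returned by `accept()`; the deadline logic is unchanged.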


Impact

Successful exploitation of this vulnerability could result in a denial-of-service condition.

Solution

Mitigation

Phoenix Contact recommends customers with affected products take the following steps to protect themselves:

• Review and validate the list of users who are authorized and who can authenticate to Emalytics.

• Allow only trained and trusted persons to have physical access to the system, including devices that have a connection to the system through the Ethernet port.

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:

Art.-Nr. 107913: AH EN INDUSTRIAL SECURITY “Measures to protect network-capable devices with Ethernet connection against unauthorized access”

Remediation

This vulnerability will be fixed in the regular firmware release (v.1.4.0) which is expected to be available October 2020.

Reported by

Honeywell reported this vulnerability to CISA.