Share: Email | Twitter

ID

VDE-2021-025

Published

2021-06-23 14:19 (CEST)

Last update

2021-06-23 14:19 (CEST)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
1221706 CLOUD CLIENT 1101T-TX/TX < 2.06.5
1234355 CLOUD CLIENT 2002T-4G EU <= 4.5.72.100
1234360 CLOUD CLIENT 2002T-WLAN <= 4.5.72.100
1234357 CLOUD CLIENT 2102T-4G EU WLAN <= 4.5.72.100
1264327 ENERGY AXC PU <= V4.10.0.0
2403160 ILC 2050 BI <= 1.5.1
2404671 ILC 2050 BI-L <= 1.5.1
1264328 SMARTRTU AXC IG <= V1.0.0.0
1110435 SMARTRTU AXC SG <= V1.6.0.1
2702529 TC ROUTER 2002T-3G < 2.06.5
2702531 TC ROUTER 2002T-3G < 2.06.5
2702528 TC ROUTER 3002T-4G < 2.06.5
2702530 TC ROUTER 3002T-4G < 2.06.5
2702533 TC ROUTER 3002T-4G ATT < 2.06.5
2702532 TC ROUTER 3002T-4G VZW < 2.06.5
1234352 TC ROUTER 4002T-4G EU <= 4.5.72.100
1234353 TC ROUTER 4102T-4G EU WLAN <= 4.5.72.100
1234354 TC ROUTER 4202T-4G EU WLAN <= 4.5.72.100

Summary

A Denial of Service and a CA Check Problem have been identified in multiple openSSL 1.1.1 versions, which are utilized in the Phoenix Contact products listed above.

Vulnerabilities



Last Update
7. Juli 2021 13:22
Weakness
Improper Certificate Validation (CWE-295)
Summary
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).
Last Update
7. Juli 2021 13:22
Weakness
NULL Pointer Dereference (CWE-476)
Summary
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).

Impact

Note: ILC 20250 is only affected by CVE-2021-3449

Solution

Temporary Fix / Mitigation

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection

Remediation

Phoenix Contact strongly recommends updating to the latest firmware mentioned in the list of affected products, which fixes this vulnerability.
A fix for ILC 2050, and some TC ROUTER and CLOUD CLIENT devices will be available end of Q2 2021. This advisory will be updated as soon as the fixes are available for download.

Product number Product name Fixed Version
1151412 AXC F 1152 2021.0.5 LTS
2404267 AXC F 2152 2021.0.5 LTS
1069208 AXC F 3152 2021.0.5 LTS
1051328 RFC 4072S 2021.0.5 LTS
1046568 AXC F 2152 Starterkit 2021.0.5 LTS
1188165 PLCnext Technology Starterkit 2021.0.5 LTS
2981974 FL MGUARD DM UNLIMITED 1.13
2702528 TC ROUTER 3002T-4G 2.06.5
2702529 TC ROUTER 2002T-3G 2.06.5
2702530 TC ROUTER 3002T-4G 2.06.5
2702531 TC ROUTER 2002T-3G 2.06.5
2702532 TC ROUTER 3002T-4G VZW 2.06.5
2702533 TC ROUTER 3002T-4G ATT 2.06.5
1221706 CLOUD CLIENT 1101T-TX/TX 2.06.5
1234352 TC ROUTER 4002T-4G EU End of Q2 2021
1234353 TC ROUTER 4102T-4G EU WLAN
1234354 TC ROUTER 4202T-4G EU WLAN
1234355 CLOUD CLIENT 2002T-4G EU
1234360 CLOUD CLIENT 2002T-WLAN
1234357 CLOUD CLIENT 2102T-4G EU WLAN
2403160 ILC 2050 BI
2404671 ILC 2050 BI-L
1110435 SMARTRTU AXC SG
1264328 SMARTRTU AXC IG
1264327 ENERGY AXC PU

Reported by

We kindly appreciate the coordinated disclosure of this vulnerability by the finder.
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.