
ID

VDE-2022-010

Published

2022-04-12 08:00 (CEST)

Last update

2022-04-28 15:30 (CEST)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No.  Product Name  Affected Version(s)
1151412      AXC F 1152    < 2022.0.3 LTS
2404267      AXC F 2152    < 2022.0.3 LTS
1069208      AXC F 3152    < 2022.0.5 LTS
1051328      RFC 4072      < 2022.0.5 LTS

Summary

PLCnext Control AXC F x152 is certified according to IEC 62443-4-1 and IEC 62443-4-2.
This certification requires that all third-party components used in the firmware are regularly checked for known vulnerabilities.

Firmware components in version 2021.06 had already been updated. For the 2022.0 LTS version, further firmware components have been updated, implicitly fixing the vulnerabilities listed in this advisory. These vulnerabilities have not been individually verified in terms of actual impact and/or limitations in combination with the affected products listed. Nevertheless, the current LTS release 2022.0 LTS contains updates of the integrated third-party libraries, SDKs and other third-party software to address these issues.

UPDATE A (April 4th, 2022): Added RFC 4072 (Art. No. 1051328) and fixed affected version of AXC F 3152

Vulnerabilities

Weakness
Use After Free (CWE-416)
Summary

A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.

Weakness
Use After Free (CWE-416)
Summary

A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.

Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.

Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.

Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Weakness
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)
Summary

In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, ...

Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Weakness
Off-by-one Error (CWE-193)
Summary

A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting ...

Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially ...

Weakness
Improper Authentication (CWE-287)
Summary

In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and ...

Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Weakness
Uncontrolled Resource Consumption (CWE-400)
Summary

In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, ...

Weakness
Use After Free (CWE-416)
Summary

There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger ...

Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction ...

Weakness
Out-of-bounds Write (CWE-787)
Summary

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by ...

Weakness
Out-of-bounds Write (CWE-787)
Summary

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

Weakness
Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
Summary

A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply ...

Weakness
Integer Underflow (Wrap or Wraparound) (CWE-191)
Summary

An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value ...

Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a ...

Weakness
Improper Certificate Validation (CWE-295)
Summary

Busybox contains a missing SSL certificate validation vulnerability in the "busybox wget" applet that can result in arbitrary code execution. This attack appears to be exploitable via simply downloading any ...

Weakness
Improper Check for Dropped Privileges (CWE-273)
Summary

An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real ...

Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.

Weakness
Improper Input Validation (CWE-20)
Summary

A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash ...

Weakness
Insufficient Information (NVD-CWE-noinfo)
Summary

git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring.

Weakness
NULL Pointer Dereference (CWE-476)
Summary

An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a no_renegotiation alert is sent with unexpected timing, ...

Weakness
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)
Summary

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.

Weakness
Improper Input Validation (CWE-20)
Summary

In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

Weakness
Missing Cryptographic Step (CWE-325)
Summary

A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command ...

Weakness
Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Summary

curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s).

Weakness
Business Logic Errors (CWE-840)
Summary

libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the `CURLOPT_SSLCERT` option (`--cert` with the command line tool). When libcurl is ...

Weakness
Improper Link Resolution Before File Access ('Link Following') (CWE-59)
Summary

Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such ...

Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

The gmp plugin in strongSwan before 5.9.4 has a remote integer overflow via a crafted certificate with an RSASSA-PSS signature. For example, this can be triggered by an unrelated self-signed ...

Weakness
Authentication Bypass by Primary Weakness (CWE-305)
Summary

OpenVPN 2.5.1 and earlier versions allows remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger ...

Weakness
Out-of-bounds Read (CWE-125)
Summary

ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal ...

Weakness
Use After Free (CWE-416)
Summary

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function

Weakness
Use After Free (CWE-416)
Summary

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function

Weakness
Use After Free (CWE-416)
Summary

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function

Weakness
Use After Free (CWE-416)
Summary

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function

Weakness
Use After Free (CWE-416)
Summary

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function

Weakness
Use After Free (CWE-416)
Summary

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function

Weakness
Use After Free (CWE-416)
Summary

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function

Weakness
Use After Free (CWE-416)
Summary

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function

Weakness
Improper Control of Resource Identifiers ('Resource Injection') (CWE-99)
Summary

curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead to overwriting a local file when the -J flag is used.

Weakness
Double Free (CWE-415)
Summary

net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk request. NOTE: this affects net-snmp packages shipped to end users by multiple Linux distributions, but ...

Weakness
NULL Pointer Dereference (CWE-476)
Summary

Null Pointer Dereference vulnerability in OPC UA products

Source
Beckhoff

Weakness
Business Logic Errors (CWE-840)
Summary

When curl is instructed to download content using the metalink feature, the contents is verified against a hash provided in the metalink XML file. The metalink XML file points out to the ...

Weakness
NULL Pointer Dereference (CWE-476)
Summary

A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document ...

Weakness
Cryptographic Issues (CWE-310)
Summary

When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send ...

Weakness
Out-of-bounds Read (CWE-125)
Summary

A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption ...

Weakness
Business Logic Errors (CWE-840)
Summary

curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel ...

Weakness
Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Summary

curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl. This rarely used option is used to send variable=content pairs to TELNET servers. Due to flaw in the option parser for ...

Weakness
Summary

** DISPUTED ** OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test ...

Weakness
Cleartext Transmission of Sensitive Information (CWE-319)
Summary

When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then ...

Weakness
Out-of-bounds Read (CWE-125)
Summary

An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that

Weakness
Reachable Assertion (CWE-617)
Summary

The iconv function in the GNU C Library (aka glibc or libc6) 2.30 to 2.32, when converting UCS4 text containing an irreversible character, fails an assertion in the code path ...

Weakness
Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Summary

curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due ...

Impact

Availability, integrity, or confidentiality of the AXC F x152 might be compromised by attacks using these vulnerabilities. Please consult the CVE-IDs for vulnerability details.

Solution

Mitigation

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note: Measures to protect network-capable devices with Ethernet connection

Remediation

  • Update to Firmware Release 2022.0.3 LTS or higher:
    • AXC F 2152 (2404267) download
    • AXC F 1152 (1151412) download
    • AXC F 3152 (1069208) Not yet released
  • Update to PLCnext Engineer Release 2022.0.1 LTS or higher.

Please check the PHOENIX CONTACT PSIRT webpage for further updates of this advisory.

Reported by

PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.