|Article No°||Product Name||Affected Version(s)|
|1175941||PROFINET SDK||<= 6.6|
Two vulnerabilities have been discovered in the Expat XML parser library (aka libexpat). This open-source component is widely used in a lot of products worldwide. An attacker could cause a program to crash, use unexpected values or execute code by exploiting these use-after-free vulnerabilities.
Profinet SDK is using XML parser library Expat as reference solution for loading the XML based Profinet network configuration files (IPPNIO or TIC).
libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.
In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.
Availability, integrity, or confidentiality of a device using the PROFINET Controller Stack might
be compromised by attacks exploit these vulnerabilities.
Depending on the instantiation and timing of the defect, using previously freed memory might result in a variety of negative effects, from the corruption of valid data to the execution of arbitrary code. In the default installation a vulnerable libexpat is present, but it may have been replaced in the toolchain itself.
Temporary Fix / Mitigation
We strongly recommend customers to ensure that only data from reliable sources is used. Affected customers should also check if vulnerable libexpat library versions are used in the specific configuration tool chain.
For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
We kindly appreciate the coordinated disclosure of this vulnerability by the finder.
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.