PHOENIX CONTACT: mGuard < 8.8.3 products missing initialization of resource

For mGuard devices with integrated switch on the LAN side, single switch ports can be disabled by device configuration. After a reboot these ports get functional independent from their configuration setting: Missing Initialization of Resource (CWE-909).


CVE-2020-12523: 5.4

PHOENIX CONTACT: Multiple vulnerabilities in PLCnext Control devices < 2021.0 LTS

Multiple vulnerabilities have been identified in PLCnext Control devices. Please consult the aforementioned CVE-IDs.


CVE-2020-12519: 9.8
CVE-2020-12517: 9.0
CVE-2020-12521: 6.5
CVE-2020-12518: 5.5

PHOENIX CONTACT: BTP Touch Panels uncontrolled resource consumption

Uncontrolled Resource Consumption can be exploited to cause the HMI to become unresponsive and not accurately update the display content (Denial of Service).


CVE-2020-12524: 7.5

PHOENIX CONTACT: Products utilizing WIBU-SYSTEMS CodeMeter components

Several vulnerabilities have been discovered in WIBU-SYSTEMS CodeMeter and published 08 September 2020. Phoenix Contact is only affected by a subset of these vulnerabilities.

Phoenix Contact products are not affected by vulnerabilities WIBU-200521-01 (CVE-2020- 14513), WIBU-200521-04 (CVE-2020-14517, and WIBU-200521-06 (CVE-2020-14515). For further Information please refer to WIBU Advisories directly at https://wibu.com/support/security-advisories.html.


CVE-2020-14509: 9.8
CVE-2020-16233: 7.5
CVE-2020-14519: 7.5

PHOENIX CONTACT: Denial-of-Service vulnerabilty in Emalytics, ILC 2050 BI and ILC 2050 BI-L

A timeout during a TLS handshake can result in the connection failing to terminate. This can result in a Niagara thread hanging and requires a manual restart to correct.


CVE-2020-14483: 4.3

PHOENIX CONTACT: Improper path sanitation on import of project files in PLCnext Engineer

The build settings of a PLCnext Engineer project (.pcwex) can be manipulated in a way that can result in the execution of remote code.
The attacker needs to get access to a PLCnext Engineer project to be able to manipulate files inside. Additionally, the files of the remote code need to be transferred to a location which can be accessed by the PC that runs PLCnext Engineer. When PLCnext Engineer runs a build process of the manipulated project the remote code can be executed.


CVE-2020-12499: 8.2

PHOENIX CONTACT: Two Vulnerabilities in Automation Worx Suite

Manipulated PC Worx projects could lead to a remote code execution due to insufficient input
data validation.

The attacker needs to get access to an original PC Worx project to be able to manipulate data
inside the project folder. After manipulation the attacker needs to exchange the original files by
the manipulated ones on the application programming workstation.


CVE-2020-12497: 7.8
CVE-2020-12498: 7.8

PHOENIX CONTACT: FL MGUARD, TC MGUARD, TC ROUTER and TC CLOUD CLIENT: PPPD vulnerable to CVE-2020-8597

FL MGUARD, TC MGUARD, TC ROUTER and TC CLOUD CLIENT devices are affected by a buffer overflow vulnerability within the PPP service.

The PPP service is not active by default, but is used commonly at TC ROUTER, TC CLOUD CLIENT.
It is also running in the following FL MGUARD and TC MGUARD configurations:

• Mobile data connection
• Router mode “Modem”
• Router mode “PPPoE”
• L2TP over IPsec

Malicious PPP peers could try to exploit the vulnerability from remote.


CVE-2020-8597: 9.8

Feeds

Nach Hersteller

Archiv

2024
2023
2022
2021
2020
2019
2018
2017

Legende

(Scoring für CVSS 2.0,3.0+3.1)
keine
Kein CVE verfügbar
Niedrig
0.1 <= 3.9
Mittel
4.0 <= 6.9
Hoch
7.0 <= 8.9
Kritisch
9.0 <= 10.0