PHOENIX CONTACT Emalytics Controller ILC 2050 BI(L) allows unauthorised read and write access to the configuration file.

VDE-2020-001 (2020-02-17 10:10 UTC+0200)

CVE Identifier

CVE-2020-8768

Affected Vendors

PHOENIX CONTACT

Affected Products

Article Article number Version
ILC 2050 BI 2403160 < 1.2.3
ILC 2050 BI-L 2404671 < 1.2.3

Vulnerability Type

CWE-732: Incorrect Permission Assignment for Critical Resource

Summary

Phoenix Contact Emalytics Controller ILC 2050 BI are developed and designed for the use in protected building automation networks.
An issue was discovered on Phoenix Contact Emalytics Controller ILC 2050 BI before 1.2.3 and BI-L before 1.2.3 devices. There is an insecure mechanism for read and write access to the configuration of the device. The mechanism can be discovered by examining a link on the website of the device.

Impact

If the above-mentioned controllers are used in an unprotected, open network, an unauthorized attacker can change the device configuration and start or stop services.

Solution

Phoenix Contact strongly recommends affected users to update to Engineering software Emalytics 1.2.3 or higher and recommission the controllers.

Please note: If this is not possible, please contact us via email at 
development.sysmik@phoenixcontact.com
so that we can provide you with a fixed version.

The updated version is available on the vendors product page

Filename: Emalytics_Setup_1.2.3.zip
SHA-256: cf24d29f408cc80c3e9bf09234a9469bb2b2d01d832e9136ed75cae6b48df293

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note: Art.-Nr. 107913: AH EN INDUSTRIAL SECURITY “Measures to protect network-capable devices with Ethernet connection against unauthorized access”

Reported by

PHOENIX CONTACT reported this to CERT@VDE