PHOENIX CONTACT: TC Router and TC Cloud Client multiple vulnerabilities
VDE-2020-003 (2020-03-05 17:58 UTC+0200)
Affected Vendors
Phoenix Contact
Affected Products
| Article name | Article number | Affected versions |
| TC ROUTER | ||
| TC ROUTER 3002T-4G | 2702528 | <= 2.05.3 |
| TC ROUTER 3002T-4G | 2702530 | <= 2.05.3 |
| TC ROUTER 2002T-3G | 2702529 | <= 2.05.3 |
| TC ROUTER 2002T-3G | 2702531 | <= 2.05.3 |
| TC ROUTER 3002T-4G VZW | 2702532 | <= 2.05.3 |
| TC ROUTER 3002T-4G ATT | 2702533 | <= 2.05.3 |
| TC CLOUD CLIENT | ||
| TC CLOUD CLIENT 1002-4G | 2702886 | <= 2.03.17 |
| TC CLOUD CLIENT 1002-4G VZW | 2702887 | <= 2.03.17 |
| TC CLOUD CLIENT 1002-4G ATT | 2702888 | <= 2.03.17 |
| TC CLOUD CLIENT 1002-TXTX | 2702885 | <= 1.03.17 |
Vulnerability Type
Hardcoded certificate
Summary
CVE-2017-16544
Base Score: 8.8
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
In BusyBox through 1.27.2, the tab auto complete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal.
CVE-2020-9436
Base Score: 7.2
Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
An authenticated command injection vulnerability can be triggered by issuing a POST request to an CGI program which is available on the web interface.
CVE-2020-9435
Base Score: 9.1
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
The device contains a hardcoded certificate which can be used to run the web service. Impersonation, man-in-the-middle or passive decryption attacks are possible if the generic certificate is not replaced by a device specific certificate during installation.
Impact
CVE-2017-16544
This Vulnerability could potentially result in code execution, arbitrary file writes, or other attacks.
The impact of this vulnerability on the device is limited because shell access is only possible with administrator privileges.
CVE-2020-9436
An attacker can abuse this vulnerability to compromise the operating system of the device by injecting system commands.
CVE-2020-9435
These attacks could allow an attacker to gain access to sensitive information like admin credentials, configuration parameters or status information and use them in further attacks.
Solution
Mitigation
The pre-installed generic X.509 certificate should be renewed or replaced by an individual certificate during initial configuration. For details on replacing this certificate please refer to the user manual on page 51 et seq. Press “renew” to create a new self-signed device certificate or upload a user specific certificate with the upload dialog.
To avoid the manual generation of an individual certificate, the devices will be shipped with individual certificates starting with a future release.
Remediation
Phoenix Contact strongly recommended to update affected devices to newest Firmware version:
| Article name | Article number | Fixed version | Link |
| TC ROUTER | |||
| TC ROUTER 3002T-4G | 2702528 | 2.05.4 | download |
| TC ROUTER 3002T-4G | 2702530 | 2.05.4 | download |
| TC ROUTER 2002T-3G | 2702529 | 2.05.4 | download |
| TC ROUTER 2002T-3G | 2702531 | 2.05.4 | download |
| TC ROUTER 3002T-4G VZW | 2702532 | 2.05.4 | download |
| TC ROUTER 3002T-4G ATT | 2702533 | 2.05.4 | download |
| TC CLOUD CLIENT | |||
| TC CLOUD CLIENT 1002-4G | 2702886 | 2.03.18 | download |
| TC CLOUD CLIENT 1002-4G VZW | 2702887 | 2.03.18 | download |
| TC CLOUD CLIENT 1002-4G ATT | 2702888 | 2.03.18 | download |
| TC CLOUD CLIENT 1002-TXTX | 2702885 | 1.03.18 | download |
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall.
Reported by
This vulnerability was discovered and reported by Thomas Weber, SEC Consult Vulnerability Lab.
Phoenix Contact reported the vulnerability to CERT@VDE.
