PHOENIX CONTACT: Denial-of-Service vulnerability in Emalytics, ILC 2050 BI and ILC 2050 BI-L
VDE-2020-026 (2020-08-20 08:11 UTC+0100)
CVE Identifier
CVE-2020-14483
Affected Vendors
PHOENIX CONTACT
Affected Products
| Product | Article Number | Affected Versions |
|---|---|---|
| ILC 2050 BI | 2403160 | <= 1.3.0 |
| ILC 2050 BI-L | 2404671 | <= 1.3.0 |
| Emalytics Automation Workbench N4 | | <= 1.3.0 |
Vulnerability Type
Synchronous Access of Remote Resource without Timeout (CWE-1088)
Summary
A timeout during a TLS handshake can result in the connection failing to terminate. This can result in a Niagara thread hanging and requires a manual restart to correct.
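The weakness behind this advisory (CWE-1088) is a synchronous TLS handshake with no upper bound on how long the calling thread waits. As an added illustration that is not code from Phoenix Contact, Niagara or this advisory, the Python below contrasts the unbounded pattern with a handshake bounded by a socket deadline, using a constructed local peer that accepts the TCP connection but never answers the ClientHello; the loopback address and ephemeral port are test values.

```python
import socket
import ssl
import threading


def start_stalled_peer():
    """Constructed stand-in for a peer that completes the TCP connect but never
    answers the TLS ClientHello. Returns (port, stop_event)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    stop = threading.Event()

    def run():
        listener.settimeout(10)
        try:
            conn, _ = listener.accept()
            stop.wait(10)          # hold the connection open, send nothing
            conn.close()
        except socket.timeout:
            pass
        finally:
            listener.close()

    threading.Thread(target=run, daemon=True).start()
    return port, stop


def tls_handshake(host, port, timeout=None):
    """Connect to host:port and run the TLS handshake.

    timeout=None is the CWE-1088 pattern: the calling thread blocks for as long
    as the peer stays silent. A finite timeout also covers the handshake, so a
    stalled peer yields "timeout" instead of a hung thread."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False         # the demo peer presents no certificate;
    ctx.verify_mode = ssl.CERT_NONE    # keep verification enabled in production
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.settimeout(timeout)           # the deadline applies to the handshake too
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok:" + tls.version()
    except socket.timeout:
        return "timeout"
    finally:
        sock.close()


if __name__ == "__main__":
    port, stop = start_stalled_peer()
    print(tls_handshake("127.0.0.1", port, timeout=2.0))   # prints "timeout"
    stop.set()
```

Calling `tls_handshake` with `timeout=None` against the same peer reproduces the reported behaviour: the call never returns and the thread must be killed or the process restarted.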
Impact
Successful exploitation of this vulnerability could result in a denial-of-service condition.
Solution
Mitigation
Phoenix Contact recommends customers with affected products take the following steps to protect themselves:
• Review and validate the list of users who are authorized and who can authenticate to Emalytics.
• Allow only trained and trusted persons to have physical access to the system, including devices that have a connection to the system through the Ethernet port.
Phoenix Contact recommends operating network-capable devices in closed networks or behind a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Remediation
This vulnerability will be fixed in the regular firmware release (v.1.4.0), which is expected to be available in October 2020.
Reported by
Honeywell reported this vulnerability to CISA