PHOENIX CONTACT: Denial-of-Service vulnerabilty in Emalytics, ILC 2050 BI and ILC 2050 BI-L

PHOENIX CONTACT: Denial-of-Service vulnerabilty in Emalytics, ILC 2050 BI and ILC 2050 BI-L

VDE-2020-026 (2020-08-20 09:11 UTC+0200)

CVE Identifier

CVE-2020-14483

Affected Vendors

PHOENIX CONTACT

Affected Products

Product Article Number Affected Versions
ILC 2050 BI 2403160 <= 1.3.0
ILC 2050 BI-L 2404671 <= 1.3.0
Emalytics Automation Workbench N4 <= 1.3.0

Vulnerability Type

Synchronous Access of Remote Resource without Timeout (CWE-1088)

Summary

A timeout during a TLS handshake can result in the connection failing to terminate. This can result in a Niagara thread hanging and requires a manual restart to correct.

Impact

Successful exploitation of this vulnerability could result in a denial-of-service condition.

Solution

Mitigation

Phoenix Contact recommends customers with affected products take the following steps to protect themselves:

• Review and validate the list of users who are authorized and who can authenticate to Emalytics.

• Allow only trained and trusted persons to have physical access to the system, including devices that have connection to the system though the Ethernet port.

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:


Art.-Nr. 107913: AH EN INDUSTRIAL SECURITY “Measures to protect network-capable devices with Ethernet connection against unauthorized access”


Remedation

This vulnerability will be fixed in the regular firmware release (v.1.4.0) which is expected to be available October 2020.

Reported by

Honeywell reported this vulnerability to CISA