PHOENIX CONTACT: Multiple vulnerabilities in PLCnext Control devices
VDE-2020-049 (2020-12-17 10:00 UTC+0100)
Affected Vendors
PHOENIX CONTACT
Affected Products
| Article no | Article | Affected versions | Fixed version |
|---|---|---|---|
| 1151412 | AXC F 1152 | < 2021.0 LTS | Download |
| 2404267 | AXC F 2152 | < 2021.0 LTS | Download |
| 1069208 | AXC F 3152 | < 2021.0 LTS | Download |
| 1051328 | RFC 4072S | < 2021.0 LTS | Download |
| 1046568 | AXC F 2152 Starterkit | < 2021.0 LTS | Download |
| 1188165 | PLCnext Technology Starterkit | < 2021.0 LTS | Download |
Vulnerability Type
Improper Neutralization of Input (CWE-79)
Summary
Multiple vulnerabilities have been identified in PLCnext Control devices. Please consult section "Impact" for details.
Impact
CVE-ID: CVE-2020-12517
CWE: Improper Neutralization of Input (XSS) (CWE-79)
CVSS: 8.8 (CVSS3.0:AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Description: An authenticated low-privileged user could embed malicious JavaScript code to gain admin rights when the admin user visits the vulnerable website (local privilege escalation).
CVE-ID: CVE-2020-12518
CWE: Exposure of Sensitive Information (CWE-200)
CVSS: 5.5 (CVSS3.0:AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Description: An attacker can use the knowledge gained by reading the insufficiently protected sensitive information to plan further attacks.
CVE-ID: CVE-2020-12519
CWE: Improper Privilege Management (CWE-269)
CVSS: 8.8 (CVSS3.0:AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Description: An attacker can use this vulnerability, e.g., to open a reverse shell with root privileges.
CVE-ID: CVE-2020-12521
CWE: Improper Input Validation (CWE-20)
CVSS: 6.5 (CVSS3.0:AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Description: A specially crafted LLDP packet may lead to a high system load in the PROFINET stack. An attacker can cause failure of system services or a complete reboot.
Solution
Phoenix Contact recommends that affected users upgrade to the current firmware 2021.0 LTS or higher, which fixes these vulnerabilities.
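To turn the version threshold above into a check that can be run against a device inventory, here is an added Python helper (not part of the advisory or of any Phoenix Contact tooling) that flags devices with the listed article numbers whose firmware predates 2021.0 LTS. It assumes firmware versions are written as YEAR.MINOR[.PATCH][ LTS], the form shown on this page; the sample inventory at the bottom is constructed.

```python
"""Inventory check for VDE-2020-049: flag PLCnext Control devices that still run
firmware older than 2021.0 LTS. Example code, not part of the advisory."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Affected article numbers and product names, taken from the advisory's product table.
AFFECTED_ARTICLES = {
    "1151412": "AXC F 1152",
    "2404267": "AXC F 2152",
    "1069208": "AXC F 3152",
    "1051328": "RFC 4072S",
    "1046568": "AXC F 2152 Starterkit",
    "1188165": "PLCnext Technology Starterkit",
}
FIXED_VERSION = "2021.0 LTS"

# Assumption: firmware versions look like "YEAR.MINOR[.PATCH][ LTS]", as on the page.
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?\s*(LTS)?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (year, minor, patch); the LTS suffix carries no ordering information."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised PLCnext firmware version: {text!r}")
    year, minor, patch, _lts = m.groups()
    return int(year), int(minor), int(patch or 0)


@dataclass
class Finding:
    article_no: str
    product: str
    firmware: str
    affected: bool
    advisory: str = "VDE-2020-049"


def assess(article_no: str, firmware: str) -> Optional[Finding]:
    """None when the article is not covered by the advisory; a Finding otherwise."""
    product = AFFECTED_ARTICLES.get(article_no)
    if product is None:
        return None
    affected = parse_version(firmware) < parse_version(FIXED_VERSION)
    return Finding(article_no, product, firmware, affected)


def scan(inventory: List[Tuple[str, str]]) -> List[Finding]:
    """Findings for every (article_no, firmware) inventory entry the advisory covers."""
    return [f for f in (assess(a, v) for a, v in inventory) if f is not None]


if __name__ == "__main__":
    # Constructed sample inventory; only the article numbers come from the advisory.
    sample = [("2404267", "2020.6.1"), ("1151412", "2021.0 LTS"), ("9999999", "2019.0 LTS")]
    for f in scan(sample):
        print(f"{f.product:32} {f.firmware:14} {'AFFECTED' if f.affected else 'fixed'}")
```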
Mitigation/Temporary Fix
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection (PDF)
Reported by
The vulnerabilities CVE-2020-12517, CVE-2020-12518 and CVE-2020-12519 were discovered by Patrick Muench, Torsten Loebner, Maurice Rothe, Pascal Keul and Daniel Hackel of SVA Systemvertrieb Alexander GmbH.
CERT@VDE coordinated.