PHOENIX CONTACT : Security Advisory for PLCNext, SMARTRTU AXC, CHARX control modular and EEM-SB37x

At Pengutronix RAUC update client prior to version 1.5 a Time-of-Check Time-of-Use vulnerability was discovered. A vulnerable RAUC version is used in the current firmware of the products listed below.

VDE-2021-024 (2021-06-23 14:15 UTC+0200)

CVE Identifier

CVE-2020-25860

Affected Vendors

Phoenix Contact

Affected Products

Product number Product name Firmware version
1151412 AXC F 1152 <= 2021.0 LTS
2404267 AXC F 2152
1069208 AXC F 3152
1051328 RFC 4072S
1046568 AXC F 2152 Starterkit
1188165 PLCnext Technology Starterkit
1110435 SMARTRTU AXC SG <= V1.6.0.1
1264328 SMARTRTU AXC IG <= V1.0.0.0
1264327 ENERGY AXC PU <= V4.10.0.0
1158951 EEM-SB370-C <= 2021.02.01
1158947 EEM-SB371-C
1139022 CHARX control modular 3000 <= V1.0.11
1139022 CHARX control modular 3050
1139012 CHARX control modular 3100
1138965 CHARX control modular 3150

Summary

The vulnerability is a Time-of-Check-Time-of-Use (CWE-367) issue which allows an attacker with access to the firmware update file to overwrite it after it has been verified (but before installation is completed), which consequently allows installing an arbitrary firmware update, bypassing the cryptographic signature check mechanism.

Impact

An attacker who can modify the update file just before it is reopened can install arbitrary code on the device.

Solution

Temporary Fix / Mitigation

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection

Remediation

Phoenix Contact strongly recommends updating to the latest firmware mentioned in the list below, which fixes this vulnerability.
For EEM-SB370, EEM-SB371 and CHARX control modular the fix will be available until end of Q3 2021. This advisory will be updated as soon the fix is available.

Product number Product name Fixed Version
1151412 AXC F 1152 2021.0.5 LTS
2404267 AXC F 2152 2021.0.5 LTS
1069208 AXC F 3152 2021.0.5 LTS
1051328 RFC 4072S 2021.0.5 LTS
1046568 AXC F 2152 Starterkit 2021.0.5 LTS
1188165 PLCnext Technology Starterkit 2021.0.5 LTS
1110435 SMARTRTU AXC SG End of Q3 2021
1264328 SMARTRTU AXC IG
1264327 ENERGY AXC PU
1158951 EEM-SB370-C
1158947 EEM-SB371-C
1139022 CHARX control modular 3000
1139022 CHARX control modular 3050
1139012 CHARX control modular 3100
1138965 CHARX control modular 3150

Reported by

This vulnerability was discovered and reported to Pengutronix by Vdoo.
We kindly appreciate the coordinated disclosure of this vulnerability by the finder.
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.