PHOENIX CONTACT : Security Advisory for PLCNext, ILC 2050 BI, FL MGUARD DM UNLIMITED, TC ROUTER und CLOUD CLIENT products

A Denial of Service and a CA Check Problem have been identified in multiple openSSL 1.1.1 versions, which are utilized in the Phoenix Contact products listed below.

VDE-2021-025 (2021-06-23 14:15 UTC+0200)

Affected Vendors

Phoenix Contact

Affected Products

Product number Product name Firmware version Fixed Version
1151412 AXC F 1152 <= 2021.0 LTS 2021.0.5 LTS
2404267 AXC F 2152 2021.0.5 LTS
1069208 AXC F 3152 2021.0.5 LTS
1051328 RFC 4072S 2021.0.5 LTS
1046568 AXC F 2152 Starterkit 2021.0.5 LTS
1188165 PLCnext Technology Starterkit 2021.0.5 LTS
2981974 FL MGUARD DM UNLIMITED <= 1.12 1.13
2702528 TC ROUTER 3002T-4G <= 2.06.3 2.06.5
2702529 TC ROUTER 2002T-3G 2.06.5
2702530 TC ROUTER 3002T-4G 2.06.5
2702531 TC ROUTER 2002T-3G 2.06.5
2702532 TC ROUTER 3002T-4G VZW 2.06.5
2702533 TC ROUTER 3002T-4G ATT 2.06.5
1221706 CLOUD CLIENT 1101T-TX/TX <= 2.06.4 2.06.5
1234352 TC ROUTER 4002T-4G EU <= 4.5.72.100 End of Q2 2021
1234353 TC ROUTER 4102T-4G EU WLAN
1234354 TC ROUTER 4202T-4G EU WLAN
1234355 CLOUD CLIENT 2002T-4G EU
1234360 CLOUD CLIENT 2002T-WLAN
1234357 CLOUD CLIENT 2102T-4G EU WLAN
2403160 ILC 2050 BI <= 1.5.1
2404671 ILC 2050 BI-L
1110435 SMARTRTU AXC SG <= V1.6.0.1
1264328 SMARTRTU AXC IG <= V1.0.0.0
1264327 ENERGY AXC PU <= V4.10.0.0

Summary

CVE-ID: CVE-2021-3449
CWE-ID: CWE-476
CVSS: 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Description: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client (CWE-476).

CVE-ID: CVE-2021-3450
CWE-ID: CWE-295
CVSS: 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Description: An error in the implementation of an additional security check of the certificates present in a certificate chain may cause an override situation that leads to a failed certificate check (CWE-295).

Impact

CVE-2021-3449: A malicious Attacker could use this vulnerability to execute a denial-of-service attack against services utilizing openSSL.

CVE-2021-3450: In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate

Note: ILC 20250 is only affected by CVE-2021-3449

Solution

Temporary Fix / Mitigation

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection

Remediation

Phoenix Contact strongly recommends updating to the latest firmware mentioned in the list of affected products, which fixes this vulnerability.
A fix for ILC 2050, and some TC ROUTER and CLOUD CLIENT devices will be available end of Q2 2021. This advisory will be updated as soon as the fixes are available for download.

Reported by

We kindly appreciate the coordinated disclosure of this vulnerability by the finder.
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.