Share: Email | Twitter

ID

VDE-2019-014

Published

2019-06-19 14:41 (CEST)

Last update

2020-02-18 12:25 (CET)

Vendor(s)

PHOENIX CONTACT

Product(s)

PC Worx
PC Worx Express
Config +

with Automationworx Software Suite version 1.86 and earlier

Summary

A manipulated PC Worx or Config+ project file could lead to a remote code execution.
The attacker needs to get access to an original PC Worx or Config+ project file to be able to manipulate it. After manipulation the attacker needs to exchange the original file by the manipulated one on the application programming workstation.

Vulnerabilities



Weakness
Access of Uninitialized Pointer (CWE-824)
Summary
An issue was discovered in PHOENIX CONTACT PC Worx through 1.86, PC Worx Express through 1.86, and Config+ through 1.86. A manipulated PC Worx or Config+ project file could lead ...
Weakness
Use After Free (CWE-416)
Summary
An issue was discovered in PHOENIX CONTACT PC Worx through 1.86, PC Worx Express through 1.86, and Config+ through 1.86. A manipulated PC Worx or Config+ project file could lead ...
Weakness
Out-of-bounds Read (CWE-125)
Summary
An issue was discovered in PHOENIX CONTACT PC Worx through 1.86, PC Worx Express through 1.86, and Config+ through 1.86. A manipulated PC Worx or Config+ project file could lead ...

Impact

Availability, integrity, or confidentiality of an application programming workstation might be compromised by attacks using these vulnerabilities.
Automated systems in operation which were programmed with one of the above-mentioned products are not affected.

Solution

Temporary Fix / Mitigation

We strongly recommend customers to exchange project files only using secure file exchange services.
Project files should not be exchanged via unencrypted email.

Remediation

With the next version of Automationworx Software Suite the following measures will be implemented:

The zlib component will be updated to the latest version (1.2.11.0). By utilizing the latest version of zlib a manipulated BCP file is detected as corrupt. The unpacking operation is aborted and therefor the remote code execution is precluded.
The validation of input data will be improved.
Objects in the affected software components will be completely initialized.
Further 3rd party components will be checked for known vulnerabilities and will be exchanged or updated if required.
General preventive security measures will be implemented such as address space layout randomization.

Reported by

The vulnerabilities were discovered by 9sg Security Team.
Reported through Zerodayinitiative.
Coordinated by NCCIC and CERT@VDE.