Share: Email | Twitter

ID

VDE-2020-001

Published

2020-02-17 09:10 (CET)

Last update

2020-02-17 09:10 (CET)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
2403160 ILC 2050 BI < 1.2.3
2404671 ILC 2050 BI-L < 1.2.3

Summary

Phoenix Contact Emalytics Controller ILC 2050 BI are developed and designed for the use in protected building automation networks.
An issue was discovered on Phoenix Contact Emalytics Controller ILC 2050 BI before 1.2.3 and BI-L before 1.2.3 devices. There is an insecure mechanism for read and write access to the configuration of the device. The mechanism can be discovered by examining a link on the website of the device.


Last Update:

Feb. 19, 2020, 8:54 a.m.

Weakness

Incorrect Permission Assignment for Critical Resource  (CWE-732) 

Summary

Phoenix Contact Emalytics Controller ILC 2050 BI are developed and designed for the use in protected building automation networks.
An issue was discovered on Phoenix Contact Emalytics Controller ILC 2050 BI before 1.2.3 and BI-L before 1.2.3 devices. There is an insecure mechanism for read and write access to the configuration of the device. The mechanism can be discovered by examining a link on the website of the device.

Impact

If the above-mentioned controllers are used in an unprotected, open network, an unauthorized attacker can change the device configuration and start or stop services.

Solution

Phoenix Contact strongly recommends affected users to update to Engineering software Emalytics 1.2.3 or higher and recommission the controllers.

Please note: If this is not possible, please contact us via email at
development.sysmik@phoenixcontact.com
so that we can provide you with a fixed version.

The updated version is available on the vendors' product page

Filename: Emalytics_Setup_1.2.3.zip
SHA-256: cf24d29f408cc80c3e9bf09234a9469bb2b2d01d832e9136ed75cae6b48df293


Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:

Art.-Nr. 107913: AH EN INDUSTRIAL SECURITY “Measures to protect network-capable devices with Ethernet connection against unauthorized access”

Reported by

PHOENIX CONTACT reported this to CERT@VDE