Share: Email | Twitter

ID

VDE-2021-024

Published

2021-06-23 14:18 (CEST)

Last update

2021-06-23 14:18 (CEST)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No┬░ Product Name Affected Version(s)
1151412 AXC F 1152 <= 2021.0 LTS
2404267 AXC F 2152 <= 2021.0 LTS
1046568 AXC F 2152 Starterkit <= 2021.0 LTS
1069208 AXC F 3152 <= 2021.0 LTS
1139022 CHARX control modular 3000 <= V1.0.11
1139022 CHARX control modular 3050 <= V1.0.11
1139012 CHARX control modular 3100 <= V1.0.11
1138965 CHARX control modular 3150 <= V1.0.11
1158951 EEM-SB370-C <= 2021.02.01
1158947 EEM-SB371-C <= 2021.02.01
1264327 ENERGY AXC PU <= V4.10.0.0
1188165 PLCnext Technology Starterkit <= 2021.0 LTS
1051328 RFC 4072S <= 2021.0 LTS
1264328 SMARTRTU AXC IG <= V1.0.0.0
1110435 SMARTRTU AXC SG <= V1.6.0.1

Summary

The vulnerability is a Time-of-Check-Time-of-Use (CWE-367) issue which allows an attacker with access to the firmware update file to overwrite it after it has been verified (but before installation is completed), which consequently allows installing an arbitrary firmware update, bypassing the cryptographic signature check mechanism.


Weakness

Time-of-check Time-of-use (TOCTOU) Race Condition  (CWE-367) 

Summary

The install.c module in the Pengutronix RAUC update client prior to version 1.5 has a Time-of-Check Time-of-Use vulnerability, where signature verification on an update file takes place before the file is reopened for installation. An attacker who can modify the update file just before it is reopened can install arbitrary code on the device.


Impact

An attacker who can modify the update file just before it is reopened can install arbitrary code on the device.

Solution

Temporary Fix / Mitigation

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection

Remediation

Phoenix Contact strongly recommends updating to the latest firmware mentioned in the list below, which fixes this vulnerability.
For EEM-SB370, EEM-SB371 and CHARX control modular the fix will be available until end of Q3 2021. This advisory will be updated as soon the fix is available.

Product number Product name Fixed Version
1151412 AXC F 1152 2021.0.5 LTS
2404267 AXC F 2152 2021.0.5 LTS
1069208 AXC F 3152 2021.0.5 LTS
1051328 RFC 4072S 2021.0.5 LTS
1046568 AXC F 2152 Starterkit 2021.0.5 LTS
1188165 PLCnext Technology Starterkit 2021.0.5 LTS
1110435 SMARTRTU AXC SG End of Q3 2021
1264328 SMARTRTU AXC IG
1264327 ENERGY AXC PU
1158951 EEM-SB370-C
1158947 EEM-SB371-C
1139022 CHARX control modular 3000
1139022 CHARX control modular 3050
1139012 CHARX control modular 3100
1138965 CHARX control modular 3150

Reported by

This vulnerability was discovered and reported to Pengutronix by Vdoo.
We kindly appreciate the coordinated disclosure of this vulnerability by the finder.
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.