Share: Email | Twitter

ID

VDE-2021-032

Published

2021-08-04 09:57 (CEST)

Last update

2021-08-04 09:57 (CEST)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No┬░ Product Name Affected Version(s)
2700988 AXC 1050 all versions
2701295 AXC 1050 all versions
1624130 EV-PLCC-AC1-DC1 all versions
ILC1x0 all versions
2700973 ILC1x1 all versions
2700974 ILC1x1 all versions
2700975 ILC1x1 all versions
2700976 ILC1x1 all versions
2701034 ILC1x1 all versions
2701141 ILC1x1 all versions

Summary

Third party Niche Ethernet stack has several vulnerabilities announced by the security researcher’s community.
Phoenix Contact Classic Line industrial controllers are developed and designed for the use in closed industrial networks. The communication protocols and device access do not feature authentication measures. Remote attackers can use specially crafted IP packets to cause a Denial of Service or a Breach of Integrity of the PLC.

Vulnerabilities



Last Update
Sept. 7, 2021, 12:10 p.m.
Weakness
Use of Insufficiently Random Values (CWE-330)
Summary

An issue was discovered in HCC Nichestack 3.0. The code that generates Initial Sequence Numbers (ISNs) for TCP connections derives the ISN from an insufficiently random source. As a result, an attacker may be able to determine the ISN of current and future TCP connections and either hijack existing ones or spoof future ones. (Proper ISN generation should aim to follow at least the specifications outlined in RFC 6528.)

Last Update
Sept. 7, 2021, 12:09 p.m.
Weakness
Improper Input Validation (CWE-20)
Summary

An issue was discovered in tcp_rcv() in nptcp.c in HCC embedded InterNiche 4.0.1. The TCP header processing code doesn't sanitize the value of the IP total length field (header length + data length). With a crafted IP packet, an integer overflow occurs whenever the value of the IP data length is calculated by subtracting the length of the header from the total length of the IP packet.

Last Update
Sept. 7, 2021, 12:09 p.m.
Weakness
Loop with Unreachable Exit Condition ('Infinite Loop') (CWE-835)
Summary

An issue was discovered in tcp_pulloutofband() in tcp_in.c in HCC embedded InterNiche 4.0.1. The TCP out-of-band urgent-data processing function invokes a panic function if the pointer to the end of the out-of-band data points outside of the TCP segment's data. If the panic function hadn't a trap invocation removed, it will enter an infinite loop and therefore cause DoS (continuous loop or a device reset).

Last Update
Sept. 7, 2021, 12:10 p.m.
Weakness
Improper Input Validation (CWE-20)
Summary

An issue was discovered in HCC Nichestack 3.0. The code that parses TCP packets relies on an unchecked value of the IP payload size (extracted from the IP header) to compute the length of the TCP payload within the TCP checksum computation function. When the IP payload size is set to be smaller than the size of the IP header, the TCP checksum computation function may read out of bounds (a low-impact write-out-of-bounds is also possible).

Last Update
Sept. 7, 2021, 12:10 p.m.
Weakness
Improper Input Validation (CWE-20)
Summary

An issue was discovered in HCC Nichestack 3.0. The code that parses ICMP packets relies on an unchecked value of the IP payload size (extracted from the IP header) to compute the ICMP checksum. When the IP payload size is set to be smaller than the size of the IP header, the ICMP checksum computation function may read out of bounds, causing a Denial-of-Service.

Last Update
Sept. 7, 2021, 12:09 p.m.
Weakness
Out-of-bounds Write (CWE-787)
Summary

An issue was discovered in HCC embedded InterNiche 4.0.1. A potential heap buffer overflow exists in the code that parses the HTTP POST request, due to an incorrect signed integer comparison. This vulnerability requires the attacker to send a malformed HTTP packet with a negative Content-Length, which bypasses the size checks and results in a large heap overflow in the wbs_multidata buffer copy.

Impact

A successful attack to the Niche Ethernet stack can lead to Denial of Service or a Breach of Integrity of the PLC.

Solution

Temporary Fix / Mitigation
Customers using Phoenix Contact Classic Line Controllers are strongly recommended to operate the devices in closed networks or protected with a suitable firewall as intended. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection

Remediation
Phoenix Contact Classic Line Controllers are designed and developed for the use in closed industrial networks. The control and configuration protocols do not feature authentication mechanisms by design. Phoenix Contact therefore strongly recommends using the devices exclusively in closed networks and protected by a suitable firewall.
Phoenix Contact is offering the mGuard product family for network segmentation and protection.

Reported by

This vulnerability was discovered and reported by Forescout Technologies, Inc.
We kindly appreciate the coordinated disclosure of this vulnerability by the finder.

PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.