Share: Email | Twitter

ID

VDE-2021-032

Published

2021-08-04 09:57 (CEST)

Last update

2021-09-07 16:13 (CEST)

Vendor(s)

PHOENIX CONTACT

Product(s)

Article no Article Affected versions
2700973, 2700974,
2700975, 2700976,
2701034, 2701141
ILC1x1 All firmware versions
All variants ILC1x0 All firmware versions
2700988, 2701295 AXC 1050 All firmware versions
1624130 EV-PLCC-AC1-DC1 All firmware versions

Summary

Third party Niche Ethernet stack has several vulnerabilities announced by the security researcher’s community.
Phoenix Contact Classic Line industrial controllers are developed and designed for the use in closed industrial networks. The communication protocols and device access do not feature authentication measures. Remote attackers can use specially crafted IP packets to cause a Denial of Service or a Breach of Integrity of the PLC.

Vulnerabilities



Weakness
Use of Insufficiently Random Values (CWE-330)
Summary

An issue was discovered in HCC Nichestack 3.0. The code that generates Initial Sequence Numbers (ISNs) for TCP connections derives the ISN from an insufficiently random source. As a result, ...

Weakness
Improper Input Validation (CWE-20)
Summary

An issue was discovered in tcp_rcv() in nptcp.c in HCC embedded InterNiche 4.0.1. The TCP header processing code doesn't sanitize the value of the IP total length field (header length ...

Weakness
Out-of-bounds Write (CWE-787)
Summary

An issue was discovered in HCC embedded InterNiche 4.0.1. A potential heap buffer overflow exists in the code that parses the HTTP POST request, due to an incorrect signed integer ...

Weakness
Loop with Unreachable Exit Condition ('Infinite Loop') (CWE-835)
Summary

An issue was discovered in tcp_pulloutofband() in tcp_in.c in HCC embedded InterNiche 4.0.1. The TCP out-of-band urgent-data processing function invokes a panic function if the pointer to the end of ...

Weakness
Improper Input Validation (CWE-20)
Summary

An issue was discovered in HCC Nichestack 3.0. The code that parses TCP packets relies on an unchecked value of the IP payload size (extracted from the IP header) to ...

Weakness
Improper Input Validation (CWE-20)
Summary

An issue was discovered in HCC Nichestack 3.0. The code that parses ICMP packets relies on an unchecked value of the IP payload size (extracted from the IP header) to ...

Impact

A successful attack to the Niche Ethernet stack can lead to Denial of Service or a Breach of Integrity of the PLC.

Solution

Temporary Fix / Mitigation
Customers using Phoenix Contact Classic Line Controllers are strongly recommended to operate the devices in closed networks or protected with a suitable firewall as intended. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection

Remediation
Phoenix Contact Classic Line Controllers are designed and developed for the use in closed industrial networks. The control and configuration protocols do not feature authentication mechanisms by design. Phoenix Contact therefore strongly recommends using the devices exclusively in closed networks and protected by a suitable firewall.
Phoenix Contact is offering the mGuard product family for network segmentation and protection.

Reported by

This vulnerability was discovered and reported by Forescout Technologies, Inc.
We kindly appreciate the coordinated disclosure of this vulnerability by the finder.

PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.