Share: Email | Twitter

ID

VDE-2022-005

Published

2022-03-30 09:30 (CEST)

Last update

2022-03-30 09:30 (CEST)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
1175941 PROFINET SDK 6.0 < 6.6

Summary

Several vulnerabilities have been discovered in the Expat XML parser library (aka libexpat).
This open-source component is widely used in a lot of products worldwide.
A remote, anonymous attacker could use an integer overflow to execute arbitrary program code when loading specially crafted XML files.

Profinet SDK is using XML parser library Expat as reference solution for loading the XML based Profinet network configuration files (IPPNIO or TIC).

Vulnerabilities



Last Update
March 7, 2022, 11:41 a.m.
Weakness
Exposure of Resource to Wrong Sphere (CWE-668)
Summary

xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.

Last Update
March 7, 2022, 11:40 a.m.
Weakness
Improper Encoding or Escaping of Output (CWE-116)
Summary

xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.

Last Update
Feb. 25, 2022, 7:58 a.m.
Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.

Last Update
Feb. 25, 2022, 7:58 a.m.
Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Last Update
Feb. 25, 2022, 7:58 a.m.
Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Last Update
Feb. 25, 2022, 7:58 a.m.
Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Last Update
Nov. 17, 2022, 11:18 a.m.
Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.

Last Update
Feb. 25, 2022, 7:58 a.m.
Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Last Update
Feb. 25, 2022, 7:58 a.m.
Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Last Update
Feb. 25, 2022, 7:58 a.m.
Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Last Update
Nov. 17, 2022, 1:09 p.m.
Weakness
Incorrect Calculation (CWE-682)
Summary

In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).

Last Update
Feb. 25, 2022, 7:54 a.m.
Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.

Last Update
Feb. 25, 2022, 8:20 a.m.
Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.

Last Update
Nov. 17, 2022, 11:18 a.m.
Weakness
Integer Overflow or Wraparound (CWE-190)
Summary

Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.

Last Update
Feb. 25, 2022, 8:19 a.m.
Weakness
Uncontrolled Resource Consumption (CWE-400)
Summary

In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.

Impact

Availability, integrity, or confidentiality of a device using the PROFINET Controller Stack might be compromised by attacks exploit these vulnerabilities. If specially crafted Profinet network configuration files (IPPNIO or TIC) are loaded during the Profinet startup an integer overflow leads to a buffer overflow which enables the attacker to elevate privileges and obtain access to the device. The attacker may take over the system, steal data or prevent a system or application to run correctly.
The PROFINET Device Stack provides an optional configuration possibility via the above-mentioned files and might be vulnerable when this dedicated use case is supported.

Solution

Mitigation

The PROFINET SDK includes an Engineering tool as reference solution to generate Profinet configuration IPPNIO or TIC XML files. This configuration is transferred to a device running the Profinet stack and loaded during startup of the Profinet stack.

When the IPPNIO or TIC files are transferred via an untrusted environment (e.g.: Network or e-Mail, …) an attacker knowing these vulnerabilities mentioned above might manipulate the files in a specific way to gain access to the device.

To mitigate these vulnerabilities the integrity and authenticity of the configuration data it must be ensured by transferring the data only via trusted connections.

Advice's how to ensure trusted connections can be found in the following document:
Measures to protect network-capable devices with Ethernet connection.

Companies which are using their own configuration system instead of the reference solution are not affected as long they don’t utilize the related libexpat library.

We kindly advise you to check if in your specific configuration tool chain, the libexpat library is used or version number is 2.4.6. or higher.

Remediation

  1. Use only trusted connections between the Engineering tools and the devices executing the Profinet stack.
  2. Update configuration tool chains to libexpat library version 2.4.6. or higher.
  3. Upgrade to PROFINET SDK 6.6 or higher if necessary.

Reported by

PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.