|Article No°||Product Name||Affected Version(s)|
Multiple vulnerabilities have been discovered in the firmware and in libraries utilized of RAD-ISM-900-EN-BD devices:
In addition to the above listed CVEs the following issues were identified:
Vulnerabilities related to outdated libraries:
Over-privileged web application:
The web application is operated with root privileges. Therefore, if an attacker were able to achieve RCE via the web application they would be executing with the highest level of privileges.
On various RAD-ISM-900-EN-* devices by PHOENIX CONTACT an admin user could use the configuration file uploader in the WebUI to execute arbitrary code with root privileges on the OS due to an improper validation of an integrity check value in all versions of the firmware.
On various RAD-ISM-900-EN-* devices by PHOENIX CONTACT an admin user could use the traceroute utility integrated in the WebUI to execute arbitrary code with root privileges on the OS due to an improper input validation in all versions of the firmware.
The abovementioned vulnerabilities allow an attacker to execute arbitrary shell commands and/or upload arbitrary files to the device with root privileges.
Some software libraries compiled into the device firmware are outdated and contain known vulnerabilities. Some of those vulnerabilities may be exploitable in the device context whilst others may not have any effect as the specific vulnerable function is not used. These vulnerabilities have not been investigated in detail.
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note: Measures to protect network-capable devices with Ethernet connection
The family of RAD-ISM-900-EN-BD devices is end of life and will not receive updates anymore. If operation within a secured environment cannot be ensured in the specific customer application, please contact your local PHOENIX CONTACT support to discuss alternative solutions.
The vulnerabilities were discovered and reported by Logan Carpenter of DRAGOS.
PHOENIX CONTACT kindly appreciated the coordinated disclosure of this vulnerability by the finder.
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.