ID

VDE-2022-053

Published

2023-03-07 08:00 (CET)

Last update

2023-02-28 07:46 (CET)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No°   Product Name                     Affected Version(s)
1234355       CLOUD CLIENT 2002T-4G EU         < 4.5.73.107
1234360       CLOUD CLIENT 2002T-WLAN          < 4.5.73.107
1234357       CLOUD CLIENT 2102T-4G EU WLAN    < 4.5.73.107
1234352       TC ROUTER 4002T-4G EU            < 4.5.72.107
1234353       TC ROUTER 4102T-4G EU WLAN       < 4.5.72.107
1234354       TC ROUTER 4202T-4G EU WLAN       < 4.5.72.107

Summary

Two vulnerabilities have been discovered in the TC ROUTER 4000 series and CLOUD CLIENT 2000 series up to firmware version 4.5.7x.107.

The web administration interface is vulnerable to path traversal by authenticated admin users, which could lead to arbitrary file uploads or deletion. Unvalidated user input also enables execution of OS commands.

Vulnerabilities



Last Update
Feb. 27, 2023, 8:32 a.m.
Weakness
Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)
Summary

NetModule NSRW web administration interface executes an OS command constructed with unsanitized user input. A successful exploit could allow an authenticated user to execute arbitrary commands with elevated privileges. This issue affects NSRW: from 4.3.0.0 before 4.3.0.119, from 4.4.0.0 before 4.4.0.118, from 4.6.0.0 before 4.6.0.105, from 4.7.0.0 before 4.7.0.103.

Last Update
Feb. 27, 2023, 8:32 a.m.
Weakness
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Summary

The NetModule NSRW web administration interface is vulnerable to path traversals, which could lead to arbitrary file uploads and deletion. By uploading malicious files to the web root directory, authenticated users could gain remote command execution with elevated privileges. This issue affects NSRW: from 4.3.0.0 before 4.3.0.119, from 4.4.0.0 before 4.4.0.118, from 4.6.0.0 before 4.6.0.105, from 4.7.0.0 before 4.7.0.103.

Impact

The web interface is available only after authentication. An authorized admin user could use these vulnerabilities to execute arbitrary commands, upload arbitrary files or delete files from the device. This may lead to the device no longer functioning properly.

Solution

Mitigation

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note: Measures to protect network-capable devices with Ethernet connection

Remediation

The vulnerability is fixed in firmware version 4.6.7x.101. We strongly recommend that all affected users upgrade to this or a later version.
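To find which devices still need the upgrade, the following added example (not part of the advisory or any vendor tooling) compares reported firmware versions against the affected-version limits in the product table and, for NetModule-branded units, the NSRW ranges in the vulnerability summaries. The inventory rows and hostnames are constructed, and how article number and firmware version are collected per device is an assumption.

```python
# Article number -> first unaffected firmware, from the advisory's product table.
PHOENIX_AFFECTED_BELOW = {
    "1234355": "4.5.73.107",  # CLOUD CLIENT 2002T-4G EU
    "1234360": "4.5.73.107",  # CLOUD CLIENT 2002T-WLAN
    "1234357": "4.5.73.107",  # CLOUD CLIENT 2102T-4G EU WLAN
    "1234352": "4.5.72.107",  # TC ROUTER 4002T-4G EU
    "1234353": "4.5.72.107",  # TC ROUTER 4102T-4G EU WLAN
    "1234354": "4.5.72.107",  # TC ROUTER 4202T-4G EU WLAN
}
# NetModule NSRW (from, before) ranges, from the vulnerability summaries.
NSRW_AFFECTED_RANGES = [("4.3.0.0", "4.3.0.119"), ("4.4.0.0", "4.4.0.118"),
                        ("4.6.0.0", "4.6.0.105"), ("4.7.0.0", "4.7.0.103")]

def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints so 99 < 107 (string compare gets this wrong)."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a four-part firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def phoenix_affected(article_no, firmware):
    """True/False for article numbers in the table, None for anything else."""
    limit = PHOENIX_AFFECTED_BELOW.get(article_no)
    return None if limit is None else parse_version(firmware) < parse_version(limit)

def nsrw_affected(firmware):
    """True if the version falls inside any listed from/before range."""
    v = parse_version(firmware)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in NSRW_AFFECTED_RANGES)

def triage(inventory):
    """Map hostname -> 'affected' | 'not affected' | 'not listed' | 'check manually'."""
    result = {}
    for host, article_no, firmware in inventory:
        try:
            hit = phoenix_affected(article_no, firmware)
            result[host] = {True: "affected", False: "not affected", None: "not listed"}[hit]
        except ValueError:
            result[host] = "check manually"  # unreadable version: do not assume safe
    return result

# Constructed inventory rows: (hostname, article number, reported firmware).
SAMPLE_INVENTORY = [
    ("pump-01", "1234352", "4.5.72.99"), ("pump-02", "1234352", "4.5.72.107"),
    ("gw-07", "1234355", "4.5.73.106"), ("gw-08", "1234355", "unknown"),
    ("plc-03", "9999999", "1.0.0.0")]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

A device whose version string cannot be parsed is reported as "check manually" rather than "not affected", so a missing inventory field never hides an unpatched unit.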

Reported by

This vulnerability was discovered and reported by ONEKEY.

We appreciate the coordinated disclosure of this vulnerability by the finder.

PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.