Share: Email | Twitter

ID

VDE-2022-058

Published

2022-12-13 08:00 (CET)

Last update

2022-12-13 08:13 (CET)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No┬░ Product Name Affected Version(s)
1175941 PROFINET SDK <= 6.6

Summary

Two vulnerabilities have been discovered in the Expat XML parser library (aka libexpat). This open-source component is widely used in a lot of products worldwide. An attacker could cause a program to crash, use unexpected values or execute code by exploiting these use-after-free vulnerabilities.

Profinet SDK is using XML parser library Expat as reference solution for loading the XML based Profinet network configuration files (IPPNIO or TIC).

Vulnerabilities



Last Update
Dec. 13, 2022, 10:34 a.m.
Weakness
Use After Free (CWE-416)
Summary

libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.

Last Update
Dec. 13, 2022, 10:34 a.m.
Weakness
Use After Free (CWE-416)
Summary

In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.

Impact

Availability, integrity, or confidentiality of a device using the PROFINET Controller Stack might
be compromised by attacks exploit these vulnerabilities.

Depending on the instantiation and timing of the defect, using previously freed memory might result in a variety of negative effects, from the corruption of valid data to the execution of arbitrary code. In the default installation a vulnerable libexpat is present, but it may have been replaced in the toolchain itself.

Solution

Temporary Fix / Mitigation

We strongly recommend customers to ensure that only data from reliable sources is used. Affected customers should also check if vulnerable libexpat library versions are used in the specific configuration tool chain.

For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:

Measures to protect network-capable devices with Ethernet connection

Remediation

  1. Update configuration tool chains to libexpat library version 2.4.9. or higher
  2. Upgrade to PROFINET SDK 6.7 or higher if necessary.

Reported by

We kindly appreciate the coordinated disclosure of this vulnerability by the finder.

PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.