Share: Email | Twitter

ID

VDE-2023-001

Published

2023-02-14 08:50 (CET)

Last update

2023-02-14 08:50 (CET)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
1151412 AXC F 1152 < 2023.0.0 LTS
2404267 AXC F 2152 < 2023.0.0 LTS
1069208 AXC F 3152 < 2023.0.0 LTS
1246285 BPC 9102S < 2023.0.0 LTS
1136419 RFC 4072R < 2023.0.0 LTS
1051328 RFC 4072S < 2023.0.0 LTS

Summary

A new LTS Firmware release fixes known vulnerabilities in used open-source libraries.

In addition, the following improvements have been implemented:

HMI

- Hardening against DoS attacks.
- Hardening against memory leak problems in case of network attacks.

WBM

- Umlauts in the password of the “User Manager” were not handled correctly. The password rule for upper and lower case was not followed. This could lead to unintentionally weaker passwords.
- Hardening of WBM against Cross-Site-Scripting.

User Manager

- In security notifications “SecurityToken” was always displayed as “0000000” when creating or modifying users.
- Hardening of Trust and Identity Stores.

Vulnerabilities



Last Update
Jan. 26, 2023, 10:09 a.m.
Weakness
Out-of-bounds Write (CWE-787)
Summary

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

Last Update
Dec. 13, 2022, 10:34 a.m.
Weakness
Use After Free (CWE-416)
Summary

libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.

Last Update
Jan. 26, 2023, 9:45 a.m.
Weakness
Double Free (CWE-415)
Summary

curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.

Last Update
Oct. 10, 2022, 4:35 p.m.
Weakness
Heap-based Buffer Overflow (CWE-122)
Summary
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
Last Update
Oct. 10, 2022, 4:34 p.m.
Weakness
Business Logic Errors (CWE-840)
Summary
When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.
Last Update
Jan. 26, 2023, 9:42 a.m.
Weakness
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Summary

Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.

Last Update
Jan. 26, 2023, 9:42 a.m.
Weakness
Heap-based Buffer Overflow (CWE-122)
Summary

Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround.

Last Update
Oct. 10, 2022, 4:35 p.m.
Weakness
Heap-based Buffer Overflow (CWE-122)
Summary
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0044.
Last Update
Jan. 26, 2023, 9:42 a.m.
Weakness
Out-of-bounds Read (CWE-125)
Summary

An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.

Last Update
Jan. 26, 2023, 9:42 a.m.
Weakness
Improper Ownership Management (CWE-282)
Summary

Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.

Last Update
Jan. 26, 2023, 10:08 a.m.
Weakness
Use After Free (CWE-416)
Summary

Use After Free in GitHub repository vim/vim prior to 9.0.0579.

Last Update
Jan. 26, 2023, 10:09 a.m.
Weakness
Stack-based Buffer Overflow (CWE-121)
Summary

Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0598.

Last Update
Jan. 26, 2023, 10:09 a.m.
Weakness
Use After Free (CWE-416)
Summary

Use After Free in GitHub repository vim/vim prior to 9.0.0614.

Last Update
Nov. 17, 2022, 11:18 a.m.
Weakness
Buffer Over-read (CWE-126)
Summary
Buffer Over-read in GitHub repository vim/vim prior to 8.2.
Last Update
Oct. 10, 2022, 4:35 p.m.
Weakness
Heap-based Buffer Overflow (CWE-122)
Summary
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
Last Update
Oct. 10, 2022, 4:35 p.m.
Weakness
Out-of-bounds Write (CWE-787)
Summary
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
Last Update
Oct. 10, 2022, 4:35 p.m.
Weakness
Buffer Over-read (CWE-126)
Summary
Buffer Over-read in GitHub repository vim/vim prior to 8.2.
Last Update
Oct. 10, 2022, 4:35 p.m.
Weakness
Heap-based Buffer Overflow (CWE-122)
Summary
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
Last Update
Oct. 10, 2022, 4:35 p.m.
Weakness
Out-of-bounds Read (CWE-125)
Summary
Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
Last Update
Jan. 26, 2023, 9:42 a.m.
Weakness
Use After Free (CWE-416)
Summary

A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.

Last Update
Nov. 17, 2022, 11:18 a.m.
Weakness
Out-of-bounds Write (CWE-787)
Summary
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
Last Update
Oct. 10, 2022, 4:35 p.m.
Weakness
Heap-based Buffer Overflow (CWE-122)
Summary
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0045.
Last Update
Oct. 10, 2022, 4:35 p.m.
Weakness
Stack-based Buffer Overflow (CWE-121)
Summary
Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
Last Update
Oct. 10, 2022, 4:35 p.m.
Weakness
Use After Free (CWE-416)
Summary
Use After Free in GitHub repository vim/vim prior to 9.0.0046.
Last Update
Oct. 10, 2022, 4:35 p.m.
Weakness
Integer Overflow or Wraparound (CWE-190)
Summary
Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.
Last Update
Oct. 10, 2022, 4:35 p.m.
Weakness
Heap-based Buffer Overflow (CWE-122)
Summary
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
Last Update
Oct. 10, 2022, 4:35 p.m.
Weakness
Out-of-bounds Read (CWE-125)
Summary
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
Last Update
Oct. 10, 2022, 4:35 p.m.
Weakness
Use After Free (CWE-416)
Summary
Use After Free in GitHub repository vim/vim prior to 9.0.
Last Update
Oct. 10, 2022, 4:35 p.m.
Weakness
Out-of-bounds Write (CWE-787)
Summary
Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.
Last Update
Oct. 10, 2022, 4:35 p.m.
Weakness
Heap-based Buffer Overflow (CWE-122)
Summary
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
Last Update
Oct. 10, 2022, 4:35 p.m.
Weakness
Out-of-bounds Read (CWE-125)
Summary
Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
Last Update
Oct. 10, 2022, 4:35 p.m.
Weakness
Out-of-bounds Read (CWE-125)
Summary
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
Last Update
Jan. 26, 2023, 9:53 a.m.
Weakness
Improper Restriction of XML External Entity Reference (CWE-611)
Summary

An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.

Last Update
Jan. 26, 2023, 9:55 a.m.
Weakness
Insufficient Information (NVD-CWE-noinfo)
Summary

Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.

Last Update
Jan. 26, 2023, 10:08 a.m.
Weakness
Heap-based Buffer Overflow (CWE-122)
Summary

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0061.

Last Update
Jan. 26, 2023, 10:08 a.m.
Weakness
Heap-based Buffer Overflow (CWE-122)
Summary

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0101.

Last Update
Jan. 26, 2023, 10:08 a.m.
Weakness
Heap-based Buffer Overflow (CWE-122)
Summary

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0102.

Last Update
Jan. 26, 2023, 10:08 a.m.
Weakness
Out-of-bounds Read (CWE-125)
Summary

Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0104.

Last Update
Jan. 26, 2023, 10:08 a.m.
Weakness
Heap-based Buffer Overflow (CWE-122)
Summary

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0483.

Last Update
Jan. 26, 2023, 10:08 a.m.
Weakness
Use After Free (CWE-416)
Summary

Use After Free in GitHub repository vim/vim prior to 9.0.0490.

Last Update
Jan. 26, 2023, 10:08 a.m.
Weakness
Use After Free (CWE-416)
Summary

Use After Free in GitHub repository vim/vim prior to 9.0.0530.

Last Update
Jan. 26, 2023, 10:08 a.m.
Weakness
Stack-based Buffer Overflow (CWE-121)
Summary

Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0577.

Last Update
Jan. 26, 2023, 9:57 a.m.
Weakness
Uncontrolled Resource Consumption (CWE-400)
Summary

The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE.

Last Update
Jan. 26, 2023, 9:49 a.m.
Weakness
Double Free (CWE-415)
Summary

A vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function.

Last Update
Jan. 26, 2023, 10:09 a.m.
Weakness
Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
Summary

A vulnerability was found in vim and classified as problematic. Affected by this issue is the function qf_update_buffer of the file quickfix.c of the component autocmd Handler. The manipulation leads to use after free. The attack may be launched remotely. Upgrading to version 9.0.0805 is able to address this issue. The name of the patch is d0fab10ed2a86698937e3c3fed2f10bd9bb5e731. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-212324.

Last Update
Jan. 26, 2023, 9:57 a.m.
Weakness
Uncontrolled Resource Consumption (CWE-400)
Summary

strongSwan before 5.9.8 allows remote attackers to cause a denial of service in the revocation plugin by sending a crafted end-entity (and intermediate CA) certificate that contains a CRL/OCSP URL that points to a server (under the attacker's control) that doesn't properly respond but (for example) just does nothing after the initial TCP handshake, or sends an excessive amount of application data.

Last Update
Jan. 26, 2023, 9:50 a.m.
Weakness
Allocation of Resources Without Limits or Throttling (CWE-770)
Summary

In libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections.

Last Update
Dec. 13, 2022, 10:34 a.m.
Weakness
Use After Free (CWE-416)
Summary

In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.

Last Update
Jan. 26, 2023, 9:42 a.m.
Weakness
Cleartext Transmission of Sensitive Information (CWE-319)
Summary

In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.

Last Update
Jan. 26, 2023, 9:57 a.m.
Weakness
Out-of-bounds Read (CWE-125)
Summary

Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture.

Last Update
Oct. 10, 2022, 4:35 p.m.
Weakness
Out-of-bounds Read (CWE-125)
Summary
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
Last Update
Jan. 26, 2023, 9:54 a.m.
Weakness
Out-of-bounds Write (CWE-787)
Summary

A flaw was found in the Linux kernel in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem. This flaw allows a local user to cause an out-of-bounds write issue.

Last Update
Oct. 10, 2022, 4:34 p.m.
Weakness
Allocation of Resources Without Limits or Throttling (CWE-770)
Summary
curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.
Last Update
Jan. 26, 2023, 9:55 a.m.
Weakness
Incorrect Permission Assignment for Critical Resource (CWE-732)
Summary

A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This flaw affects logrotate versions before 3.20.0.

Last Update
Oct. 10, 2022, 4:34 p.m.
Weakness
Business Logic Errors (CWE-840)
Summary
When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.
Last Update
Oct. 10, 2022, 4:35 p.m.
Weakness
NULL Pointer Dereference (CWE-476)
Summary
NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.5163.
Last Update
Oct. 10, 2022, 4:35 p.m.
Weakness
NULL Pointer Dereference (CWE-476)
Summary
NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.
Last Update
Jan. 26, 2023, 10:08 a.m.
Weakness
Undefined Behavior for Input to API (CWE-475)
Summary

Undefined Behavior for Input to API in GitHub repository vim/vim prior to 9.0.0100.

Last Update
Jan. 26, 2023, 9:42 a.m.
Weakness
Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Summary

Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`.

Last Update
Jan. 26, 2023, 9:54 a.m.
Weakness
Access of Uninitialized Pointer (CWE-824)
Summary

A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain, which can cause a use-after-free. This issue needs to handle 'return' with proper preconditions, as it can lead to a kernel information leak problem caused by a local, unprivileged attacker.

Last Update
Jan. 26, 2023, 10:08 a.m.
Weakness
NULL Pointer Dereference (CWE-476)
Summary

NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0552.

Last Update
Jan. 26, 2023, 9:55 a.m.
Weakness
Inadequate Encryption Strength (CWE-326)
Summary

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).

Last Update
Oct. 10, 2022, 4:34 p.m.
Weakness
Allocation of Resources Without Limits or Throttling (CWE-770)
Summary
A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method.
Last Update
Jan. 26, 2023, 9:42 a.m.
Weakness
Improper Input Validation (CWE-20)
Summary

When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a"sister site" to deny service to all siblings.

Impact

Please consult the CVE entries listed above.

Solution

Mitigation

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:

Measures to protect network-capable devices with Ethernet connection

Remediation

Update to the latest 2023.0.0 LTS Firmware Release.

PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.

Reported by

CERT@VDE coordinated with PHOENIX CONTACT.