
ID

VDE-2023-056

Published

2023-12-12 08:00 (CET)

Last update

2023-12-11 15:24 (CET)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No.   Product Name       Affected Version(s)
1151412       AXC F 1152         <= 2024.0
2404267       AXC F 2152         <= 2024.0
1069208       AXC F 3152         <= 2024.0
1246285       BPC 9102S          <= 2024.0
1185416       EPC 1502           <= 2024.0
1185423       EPC 1522           <= 2024.0
1046008       PLCnext Engineer   <= 2024.0
1136419       RFC 4072R          <= 2024.0
1051328       RFC 4072S          <= 2024.0

Summary

PLCnext Control provides authentication and an integrity check for the application.
An authenticated, skilled attacker might be able to manipulate the application (e.g. logic files, executable logic, configurations) in a specially crafted way so that the integrity check does not detect the tampering, which is then difficult to remove.

To successfully exploit this vulnerability, the attacker must have access to the application either with PLCnext Engineer on the Engineering station, the stored application, the application during download or the application storage on the PLC.



Weakness

Incorrect Permission Assignment for Critical Resource (CWE-732)

Summary

An incorrect permission assignment for critical resource vulnerability in PLCnext products allows a remote attacker with low privileges to gain full access to the affected devices.


Impact

The identified vulnerabilities allow attackers to load malicious code onto PLCnext Control once they have access to the engineering station running PLCnext Engineer or can communicate with the controllers.
Attackers must have authenticated network or physical access to the engineering station or controller to exploit this vulnerability.

Solution

Mitigation

PLCnext Control is developed and designed for use in protected industrial networks. In this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls, and by dividing the plant into OT zones using firewalls.

This concept is supported by organizational measures in the production facility as part of a security management system. To achieve security, measures are required at all levels. It must be ensured that the application is always transferred or stored in protected environments.

This applies to both data in transmission and data at rest. Connections between the engineering tools (PLCnext Engineer) and PLCnext Control must always be in a locally protected environment or, in the case of remote access, protected by VPN.

Project data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks. Project data should only be stored in protected environments.
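The "additional integrity and authenticity checks" recommended above can be added to any project export before it leaves the protected environment. The following is an added illustration, not code from Phoenix Contact or from PLCnext: it hashes every file of a project directory into a manifest, authenticates the manifest with an HMAC under a shared key (assumed to be distributed to sender and receiver out of band, never together with the project data), and on the receiving side reports modified, missing or extra files. The directory layout, file names and contents are constructed sample data, not a real PLCnext project format.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"

# Hypothetical shared secret. It must be distributed to sender and receiver
# out of band (never alongside the project data), otherwise the HMAC adds nothing.
SHARED_KEY = b"example-shared-secret-replace-in-real-use"


def hash_tree(root: Path) -> dict:
    """Map each file below root (POSIX relative path) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.name != MANIFEST_NAME:
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def canonical(digests: dict) -> bytes:
    """Deterministic encoding of the digest table so both sides MAC the same bytes."""
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def write_manifest(root: Path, key: bytes) -> None:
    """Sender side: hash the tree and authenticate the hash table with an HMAC."""
    digests = hash_tree(root)
    tag = hmac.new(key, canonical(digests), hashlib.sha256).hexdigest()
    (root / MANIFEST_NAME).write_text(json.dumps({"files": digests, "hmac_sha256": tag}, indent=1))


def verify_tree(root: Path, key: bytes) -> list:
    """Receiver side: return a list of findings; an empty list means the tree is intact."""
    manifest_path = root / MANIFEST_NAME
    if not manifest_path.is_file():
        return ["manifest missing"]
    manifest = json.loads(manifest_path.read_text())
    expected = hmac.new(key, canonical(manifest.get("files", {})), hashlib.sha256).hexdigest()
    # Constant-time compare; a failure here means the manifest itself was altered
    # (or the key is wrong), so the per-file digests cannot be trusted at all.
    if not hmac.compare_digest(expected, manifest.get("hmac_sha256", "")):
        return ["manifest HMAC mismatch: manifest altered or wrong key"]
    findings = []
    actual = hash_tree(root)
    for rel, digest in manifest["files"].items():
        if rel not in actual:
            findings.append(f"missing: {rel}")
        elif actual[rel] != digest:
            findings.append(f"modified: {rel}")
    for rel in actual:
        if rel not in manifest["files"]:
            findings.append(f"unexpected file: {rel}")
    return findings


def demo() -> dict:
    """Walk through clean, modified, extra-file and forged-manifest cases on constructed data."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logic").mkdir()
        # Constructed sample files; names and contents are illustrative only.
        (root / "logic" / "main.st").write_text("PROGRAM Main\n(* constructed sample *)\nEND_PROGRAM\n")
        (root / "config.xml").write_text("<config/>\n")
        write_manifest(root, SHARED_KEY)
        results["clean"] = verify_tree(root, SHARED_KEY)

        (root / "logic" / "main.st").write_text("PROGRAM Main\n(* tampered *)\nEND_PROGRAM\n")
        results["modified"] = verify_tree(root, SHARED_KEY)

        (root / "extra.bin").write_bytes(b"\x00")
        results["extra"] = verify_tree(root, SHARED_KEY)

        # Whoever can edit the files can also edit a plain hash list; without the
        # key they cannot produce a valid HMAC over the rewritten table.
        manifest = json.loads((root / MANIFEST_NAME).read_text())
        manifest["files"] = hash_tree(root)
        (root / MANIFEST_NAME).write_text(json.dumps(manifest))
        results["forged_manifest"] = verify_tree(root, SHARED_KEY)
    return results


if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case}: {findings or 'OK'}")
```

The keyed MAC is the part that matters: an unkeyed hash list shipped next to the files protects against transmission errors only, since anyone who can alter the project files can recompute and replace the hashes. Where the sender and receiver are different organisations, a digital signature with a key pair takes the place of the shared HMAC key; the manifest structure stays the same.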

For general information and recommendations on security measures to protect network-enabled devices, refer to the application note: Application note Security

PLCnext Control provides a feature set that supports users in setting up a separated protected environment, for example, by using separated Ethernet ports, firewalls, user and certificate management and integrity checks. These features can reduce the attack surface of this vulnerability.

For more information, refer to the PLCnext Info Centers.

Concepts for using PLCnext Control to establish protected industrial networks are described in the security context description "Generic security concept".

Remediation

The PLCnext Control security feature set and hardening are continuously improved.
Please check the PLCnext Control product download pages for updated versions, and check the PSIRT webpage https://phoenixcontact.com/psirt regularly for updated information and firmware.

We recommend that our customers always use the latest LTS versions, as known security vulnerabilities are regularly fixed. The latest version at the time of publication of this advisory is 2023.0.7 LTS Hotfix.

Reported by

This vulnerability was reported by Reid Wightman at Dragos, Inc.

PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.