Share: Email | Twitter

ID

VDE-2023-056

Published

2023-12-12 08:00 (CET)

Last update

2023-12-11 15:24 (CET)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No┬░ Product Name Affected Version(s)
1151412 AXC F 1152 <= 2024.0
2404267 AXC F 2152 <= 2024.0
1069208 AXC F 3152 <= 2024.0
1246285 BPC 9102S <= 2024.0
1185416 EPC 1502 <= 2024.0
1185423 EPC 1522 <= 2024.0
1046008 PLCnext Engineer <= 2024.0
1136419 RFC 4072R <= 2024.0
1051328 RFC 4072S <= 2024.0

Summary

PLCnext Control provides authentication and integrity check for the application.
An authenticated, skilled attacker might be able to manipulate the application (e.g.: logic files, executable logic, configurations) in a special crafted way that the integrity check will not be able to recognize these tampering attempts which are then difficult to remove.

To successfully exploit this vulnerability, the attacker must have access to the application either with PLCnext Engineer on the Engineering station, the stored application, the application during download or the application storage on the PLC.


Last Update:

Dec. 11, 2023, 3:24 p.m.

Weakness

Incorrect Permission Assignment for Critical Resource  (CWE-732:) 

Summary

A incorrect permission assignment for critical resource vulnerability in PLCnext products allows an remote attacker with low privileges to gain full access on the affected devices.


Impact

The identified vulnerabilities allow malicious code to PLCnext Control once they have access to the engineering station running PLCnext Engineer or can communicate with the controllers.
Attackers must have authenticated network or physical access to the engineering station or controller to exploit this vulnerability.

Solution

Mitigation

PLCnext Control is developed and designed for use in protected industrial networks. In this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls, and by dividing the plant into OT zones using firewalls.

This concept is supported by organizational measures in the production facility as part of a security management system. To achieve security, measures are required at all levels. It must be ensured that the application is always transferred or stored in protected environments.

This applies to both data in transmission and data at rest. Connections between the engineering tools (PLCnext Engineer) and PLCnext Control must always be in a locally protected environment or, in the case of remote access, protected by VPN.

Project data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks. Project data should only be stored in protected environments.

For general information and recommendations on security measures to protect network-enabled devices, refer to the application note: Application note Security

PLCnext Control provides a feature set that supports users in setting up a separated protected environment, for example, by using separated Ethernet ports, firewalls, user and certificate management and integrity checks. These features can reduce the attack surface of this vulnerability.

For more information’s refer to the PLCnext Info Centers.

Concepts how to use PLCnext Control to establish protected industrial networks are described in the Security Context description Generic security concept.

Remediation

PLCnext Control security feature set and hardening are continuously improved.
Please check the PLCnext Control product download pages for updated versions and the PSIRT webpage https://phoenixcontact.com/psirt
 for updated information’s and firmware regularly.

We recommend that our customers always use the latest LTS versions, as known security vulnerabilities are regularly fixed. The latest version at the time of publication of this advisory is 2023.0.7 LTS Hotfix.

Reported by

This vulnerability was reported by Reid Wightman at Dragos, Inc.

PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.