PHOENIX CONTACT: BTP Touch Panels uncontrolled resource consumption

Uncontrolled Resource Consumption can be exploited to cause the HMI to become unresponsive and not accurately update the display content (Denial of Service).


CVE-2020-12524: 7.5

PHOENIX CONTACT: Products utilizing WIBU-SYSTEMS CodeMeter components

Several vulnerabilities have been discovered in WIBU-SYSTEMS CodeMeter and published 08 September 2020. Phoenix Contact is only affected by a subset of these vulnerabilities.

Phoenix Contact products are not affected by vulnerabilities WIBU-200521-01 (CVE-2020- 14513), WIBU-200521-04 (CVE-2020-14517, and WIBU-200521-06 (CVE-2020-14515). For further Information please refer to WIBU Advisories directly at https://wibu.com/support/security-advisories.html.


CVE-2020-14509: 9.8
CVE-2020-16233: 7.5
CVE-2020-14519: 7.5

PHOENIX CONTACT: Denial-of-Service vulnerabilty in Emalytics, ILC 2050 BI and ILC 2050 BI-L

A timeout during a TLS handshake can result in the connection failing to terminate. This can result in a Niagara thread hanging and requires a manual restart to correct.


CVE-2020-14483: 4.3

PHOENIX CONTACT: Improper path sanitation on import of project files in PLCnext Engineer

The build settings of a PLCnext Engineer project (.pcwex) can be manipulated in a way that can result in the execution of remote code.
The attacker needs to get access to a PLCnext Engineer project to be able to manipulate files inside. Additionally, the files of the remote code need to be transferred to a location which can be accessed by the PC that runs PLCnext Engineer. When PLCnext Engineer runs a build process of the manipulated project the remote code can be executed.


CVE-2020-12499: 8.2

PHOENIX CONTACT: Two Vulnerabilities in Automation Worx Suite

Manipulated PC Worx projects could lead to a remote code execution due to insufficient input
data validation.

The attacker needs to get access to an original PC Worx project to be able to manipulate data
inside the project folder. After manipulation the attacker needs to exchange the original files by
the manipulated ones on the application programming workstation.


CVE-2020-12497: 7.8
CVE-2020-12498: 7.8

PHOENIX CONTACT: FL MGUARD, TC MGUARD, TC ROUTER and TC CLOUD CLIENT: PPPD vulnerable to CVE-2020-8597

FL MGUARD, TC MGUARD, TC ROUTER and TC CLOUD CLIENT devices are affected by a buffer overflow vulnerability within the PPP service.

The PPP service is not active by default, but is used commonly at TC ROUTER, TC CLOUD CLIENT.
It is also running in the following FL MGUARD and TC MGUARD configurations:

• Mobile data connection
• Router mode “Modem”
• Router mode “PPPoE”
• L2TP over IPsec

Malicious PPP peers could try to exploit the vulnerability from remote.


CVE-2020-8597: 9.8

PHOENIX CONTACT: Local Privilege Escalation in Portico Remote desktop control software

If the software runs as a service, a user with limited access can gain administrator privileges by starting a shell with administrator rights from the Import / Export configuration dialog.


CVE-2020-10940: 7.8

PHOENIX CONTACT: Local Privilege Escalation in PC WORX SRT

The Phoenix Contact application ‘PC WORX SRT’ is installed as service. The installation path of the application is configured to have insecure permissions which allows any unprivileged user to write arbitrary files to the installation directory where all the configuration files and binaries of the service are located.


CVE-2020-10939: 7.8

Feeds

By Vendor

Archive

2024
2023
2022
2021
2020
2019
2018
2017

Legend

(Scoring for CVSS 2.0,3.0+3.1)
None
No CVE available
Low
0.1 <= 3.9
Medium
4.0 <= 6.9
High
7.0 <= 8.9
Critical
9.0 <= 10.0