PHOENIX CONTACT Advisory Feed by CERT@VDE
https://cert.vde.com/en/advisories/
2024-03-12T08:03:23+00:00
Feed for PHOENIX CONTACT Advisories by CERT@VDE

PHOENIX CONTACT: Multiple vulnerabilities in CHARX SEC charge controllers
2024-03-12T07:00:00+00:00
2024-03-12T08:03:23+00:00
CERTVDE
https://cert.vde.com/en/advisories/author/certuser/
https://cert.vde.com/en/advisories/VDE-2024-011/
<h4>VDE-2024-011</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>1139022</td><td>CHARX SEC-3000</td><td> <= 1.5.0</td></tr><tr><td>1139018</td><td>CHARX SEC-3050</td><td> <= 1.5.0</td></tr><tr><td>1139012</td><td>CHARX SEC-3100</td><td> <= 1.5.0</td></tr><tr><td>1138965</td><td>CHARX SEC-3150</td><td> <= 1.5.0</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2024-25994: 5.3 (CVSS:3.1)<br>⠀CVE-2024-25995: 9.8 (CVSS:3.1)<br>⠀CVE-2024-25996: 5.3 (CVSS:3.1)<br>⠀CVE-2024-25997: 5.3 (CVSS:3.1)<br>⠀CVE-2024-25998: 7.3 (CVSS:3.1)<br>⠀CVE-2024-25999: 8.4 (CVSS:3.1)<br>⠀CVE-2024-26000: 5.9 (CVSS:3.1)<br>⠀CVE-2024-26001: 7.4 (CVSS:3.1)<br>⠀CVE-2024-26002: 7.8 (CVSS:3.1)<br>⠀CVE-2024-26003: 7.5 (CVSS:3.1)<br>⠀CVE-2024-26004: 7.5 (CVSS:3.1)<br>⠀CVE-2024-26005: 4.8 (CVSS:3.1)<br>⠀CVE-2024-26288: 8.7 (CVSS:3.1)<br><h4>Summary</h4><div class="page" title="Page 1">
<div class="layoutArea">
<div class="column">
<p>Multiple vulnerabilities have been discovered in the firmware of CHARX SEC charge controllers. These vulnerabilities were discovered as part of a Pwn2Own competition initiated by Trend Micro Zero Day Initiative (ZDI).</p>
</div>
</div>
</div><h4>Impact</h4><p>CVE-2024-25994, CVE-2024-25996, <span>CVE-2024-25997</span>, <span>CVE-2024-26000</span><br>These vulnerabilities can be exploited by an attacker without a local account to gain root privileges, which allows the attacker to take over the device.</p>
<p><span>CVE-2024-26003</span><br>This vulnerability can be used by an attacker without a local account to perform remote code execution with the privileges of the ControllerAgent service.</p>
<p>Some of the vulnerabilities represent a medium risk on their own; nevertheless, chaining or combining them can trigger an RCE that leads to the complete compromise of the device.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note.<br><a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf">Measures to protect network-capable devices with Ethernet connection</a></p>
<p><b>Remediation</b></p>
<p>Phoenix Contact strongly recommends updating to firmware version v1.5.1 or higher, which fixes these vulnerabilities.</p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2024-011/" target=_new>https://cert.vde.com/en/advisories/VDE-2024-011/</a>

Phoenix Contact: MULTIPROG Engineering tool and ProConOS eCLR SDK prone to CWE-732
2023-12-12T07:00:00+00:00
2023-12-11T12:54:00+00:00
CERTVDE
https://cert.vde.com/en/advisories/author/certuser/
https://cert.vde.com/en/advisories/VDE-2023-051/
<h4>VDE-2023-051</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>MULTIPROG</td><td> all versions</td></tr><tr><td></td><td>ProConOS eCLR (SDK)</td><td> all versions</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-0757: 9.8 (CVSS:3.1)<br><h4>Summary</h4><p>An increase in security attacks against OT infrastructure, together with research by Dragos, makes it necessary to publish this advisory, which gives users guidance on basic security measures for automation systems that use existing devices based on ProConOS/ProConOS eCLR.</p>
<p>The ProConOS/ProConOS eCLR controller runtime system has been offered as a Software Development Kit (SDK) to automation suppliers that build their own automation devices. ProConOS/ProConOS eCLR is embedded into automation suppliers’ hardware, real-time operating systems (RTOS), firmware, and I/O systems.<br>The application (e.g.: logic files, executable logic, configurations) was designed without integrity and authenticity checks, which was state of the art when the products were developed.</p>
<p>Logic files generated by MULTIPROG Engineering tool could be manipulated on the engineering station and loaded into the PLC without tamper detection. In addition, tampering can be done by specially designed attacks in such a way that it remains hidden, and the logic program modifies its own code, making it difficult to determine the impact of a malicious program.</p>
<p>Users need to check with their device vendors whether they are affected by this vulnerability or whether the specific device integration mitigates this attack vector.</p><h4>Impact</h4><p>The identified vulnerabilities allow attackers to generate applications or upload them with arbitrary malicious code once they have access to the engineering station or can communicate with devices using ProConOS eCLR. This vulnerability affects all versions of ProConOS eCLR and MULTIPROG from Phoenix Contact (formerly KW-Software).</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>Industrial controllers based on ProConOS eCLR runtime are typically designed for use in closed industrial networks with a defense-in-depth approach focusing on network segmentation. In such an approach, the production facility is protected from attacks, especially from the outside, by a multi-level perimeter including firewalls as well as the division of the facility into OT zones using firewalls. This concept is supported by organizational measures in the production plant as part of a security management system. To achieve security here, measures are required at all levels. Engineering stations using MULTIPROG must also be part of closed industrial networks.</p>
<p>Manufacturers who use ProConOS eCLR runtime in their automation devices are recommended to review their implementation and, if necessary, publish corresponding advisories for their products.</p>
<p>Users of automation devices that use MULTIPROG Engineering and ProConOS eCLR runtime in their automation systems must check whether their application requires additional security measures. These include, for example, adequate defense-in-depth network architecture, the use of virtual private networks (VPNs) for remote access, and the use of firewalls for network segmentation or controller isolation. Users should review their manufacturer's security advisories for more appropriate information about their specific device.</p>
<p>Users should ensure that logic is always transmitted or stored in protected environments. This applies both to data in transmission and to data at rest. Connections between engineering tools and the controller must always be protected in a locally protected environment or via VPN for remote access. Project data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks.<br>Project data should only be stored in protected environments.</p>
<p>For general information and recommendations on security measures to protect network-enabled devices, refer to the application note: <a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf" target="_blank">Application Note Security</a></p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-051/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-051/</a>

Phoenix Contact: ProConOS prone to Download of Code Without Integrity Check
2023-12-12T07:00:00+00:00
2023-12-11T13:24:01+00:00
CERTVDE
https://cert.vde.com/en/advisories/author/certuser/
https://cert.vde.com/en/advisories/VDE-2023-054/
<h4>VDE-2023-054</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>MULTIPROG</td><td> all versions</td></tr><tr><td></td><td>ProConOS eCLR (SDK)</td><td> all versions</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-5592: 7.5 (CVSS:3.1)<br><h4>Summary</h4><p>An increase in security attacks against OT infrastructure, together with research by Dragos, makes it necessary to publish this advisory, which gives users guidance on basic security measures for automation systems that use existing devices based on ProConOS/ProConOS eCLR.</p>
<p>The ProConOS/ProConOS eCLR controller runtime system has been offered as a Software Development Kit (SDK) to automation suppliers that build their own automation devices. ProConOS/ProConOS eCLR is embedded into automation suppliers’ hardware, real-time operating systems (RTOS), firmware, and I/O systems.<br>The application (e.g.: logic files, executable logic, configurations) was designed without integrity and authenticity checks, which was state of the art when the products were developed.</p>
<p>The CRC check that warns the user when the application in the engineering tool differs from the one on the PLC can be manipulated.</p>
<p>Users need to check with their device vendors whether they are affected by this vulnerability or whether the specific device integration mitigates this attack vector.</p><h4>Impact</h4><p>The identified vulnerability allows applications to be downloaded and executed without integrity checks. A potentially tampered application might not be discovered.<br>This vulnerability affects all versions of ProConOS eCLR and MULTIPROG from Phoenix Contact (formerly KW-Software).</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>Industrial controllers based on ProConOS eCLR runtime are typically designed for use in closed industrial networks with a defense-in-depth approach focusing on network segmentation. In such an approach, the production facility is protected from attacks, especially from the outside, by a multi-level perimeter including firewalls as well as the division of the facility into OT zones using firewalls. This concept is supported by organizational measures in the production plant as part of a security management system. To achieve security here, measures are required at all levels. Engineering stations using MULTIPROG must also be part of closed industrial networks.</p>
<p>Manufacturers who use ProConOS eCLR runtime in their automation devices are recommended to review their implementation and, if necessary, publish corresponding advisories for their products.</p>
<p>Users of automation devices that use MULTIPROG Engineering and ProConOS eCLR runtime in their automation systems must check whether their application requires additional security measures. These include, for example, adequate defense-in-depth network architecture, the use of virtual private networks (VPNs) for remote access, and the use of firewalls for network segmentation or controller isolation. Users should review their manufacturer's security advisories for more appropriate information about their specific device.</p>
<p>Users should ensure that logic is always transmitted or stored in protected environments.<br>This applies both to data in transmission and to data at rest. Connections between engineering tools and the controller must always be protected in a locally protected environment or via VPN for remote access. Project data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks.<br>Project data should only be stored in protected environments.</p>
<p>For general information and recommendations on security measures to protect network-enabled devices, refer to the application note: <a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf" target="_blank">Application note Security</a></p>
<p></p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-054/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-054/</a>

Phoenix Contact: Classic line industrial controllers prone to inadequate integrity check of PLC
2023-12-12T07:00:00+00:00
2023-12-11T14:39:37+00:00
CERTVDE
https://cert.vde.com/en/advisories/author/certuser/
https://cert.vde.com/en/advisories/VDE-2023-057/
<h4>VDE-2023-057</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>Automation Worx Software Suite</td><td> all versions</td></tr><tr><td>2700988</td><td>AXC 1050</td><td> all versions</td></tr><tr><td>2701295</td><td>AXC 1050 XC</td><td> all versions</td></tr><tr><td>2700989</td><td>AXC 3050</td><td> all versions</td></tr><tr><td></td><td>Config+</td><td> all versions</td></tr><tr><td>2730844</td><td>FC 350 PCI ETH</td><td> all versions</td></tr><tr><td></td><td>ILC1x0</td><td> all versions</td></tr><tr><td></td><td>ILC1x1</td><td> all versions</td></tr><tr><td></td><td>ILC 3xx</td><td> all versions</td></tr><tr><td></td><td>PC Worx</td><td> all versions</td></tr><tr><td></td><td>PC Worx Express</td><td> all versions</td></tr><tr><td>2700291</td><td>PC WORX RT BASIC</td><td> all versions</td></tr><tr><td>2701680</td><td>PC WORX SRT</td><td> all versions</td></tr><tr><td>2730190</td><td>RFC 430 ETH-IB</td><td> all versions</td></tr><tr><td>2730200</td><td>RFC 450 ETH-IB</td><td> all versions</td></tr><tr><td>2700784</td><td>RFC 460R PN 3TX</td><td> all versions</td></tr><tr><td>2916794</td><td>RFC 470S PN 3TX</td><td> all versions</td></tr><tr><td>2404577</td><td>RFC 480S PN 4TX</td><td> all versions</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-46143: 7.5 (CVSS:3.1)<br><h4>Summary</h4><p>Phoenix Contact classic line industrial controllers are developed and designed for the use in closed industrial networks. The controllers don’t feature a function to check integrity and authenticity of the application (e.g.: logic files, executable logic, configurations).</p>
<p>The CRC check that warns the user when the application in the engineering tool differs from the one on the PLC can be manipulated.</p><h4>Impact</h4><p>The identified vulnerabilities allow applications to be downloaded to and executed on the classic line industrial controllers without integrity checks.</p>
<p>A potentially tampered application might not be discovered.</p><h4>Solution</h4><p><b>Temporary Fix / Mitigation</b></p>
<p>Phoenix Contact classic line controllers are developed and designed for use in closed industrial networks. In this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls, and by dividing the plant into OT zones using firewalls.</p>
<p>This concept is supported by organizational measures in the production facility as part of a security management system. To achieve security here, measures are required at all levels. It must be ensured that logic is always transferred or stored in protected environments.</p>
<p>It applies to both data in transmission and data at rest. Connections between the engineering tools (Automation Worx Software Suite) and the controller must always be in a locally protected environment or, in the case of remote access, protected by VPN.</p>
<p>Project data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks. Project data should only be stored in protected environments. Customers using Phoenix Contact classic line controllers are recommended to operate the devices as intended in closed networks or protected with a suitable firewall.</p>
<p>For general information and recommendations on security measures to protect network-enabled devices, refer to the application note: <a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf" target="_blank">Application note Security</a></p>
<p>If a classic line controller can’t be used in protected zones, the OT communication protocols should be disabled. Depending on the controller type, this can be done either via CPU services via console or web-based management. Information on which controllers and from which firmware version onwards communication protocols can be deactivated is described in the application note for classic line controllers or in the manual for the respective controller, which is available for download on the Phoenix Contact website.<br>A summary of measures to protect devices based on classic control technology is provided here: <a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/74777de2d270be4cb4828ee57173dbd0/Application-note_110637_en_00.pdf" target="_blank">Measures to protect devices based on classic control technology</a></p>
<p></p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-057/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-057/</a>

Phoenix Contact: Automation Worx and classic line controllers prone to Incorrect Permission Assignment for Critical Resource
2023-12-12T07:00:00+00:00
2023-12-11T13:46:32+00:00
CERTVDE
https://cert.vde.com/en/advisories/author/certuser/
https://cert.vde.com/en/advisories/VDE-2023-055/
<h4>VDE-2023-055</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>Automation Worx Software Suite</td><td> all versions</td></tr><tr><td>2700988</td><td>AXC 1050</td><td> all versions</td></tr><tr><td>2701295</td><td>AXC 1050 XC</td><td> all versions</td></tr><tr><td>2700989</td><td>AXC 3050</td><td> all versions</td></tr><tr><td></td><td>Config+</td><td> all versions</td></tr><tr><td>2730844</td><td>FC 350 PCI ETH</td><td> all versions</td></tr><tr><td></td><td>ILC1x0</td><td> all versions</td></tr><tr><td></td><td>ILC1x1</td><td> all versions</td></tr><tr><td></td><td>ILC 3xx</td><td> all versions</td></tr><tr><td></td><td>PC Worx</td><td> all versions</td></tr><tr><td></td><td>PC Worx Express</td><td> all versions</td></tr><tr><td>2700291</td><td>PC WORX RT BASIC</td><td> all versions</td></tr><tr><td>2701680</td><td>PC WORX SRT</td><td> all versions</td></tr><tr><td>2730190</td><td>RFC 430 ETH-IB</td><td> all versions</td></tr><tr><td>2730200</td><td>RFC 450 ETH-IB</td><td> all versions</td></tr><tr><td>2700784</td><td>RFC 460R PN 3TX</td><td> all versions</td></tr><tr><td>2916794</td><td>RFC 470S PN 3TX</td><td> all versions</td></tr><tr><td>2404577</td><td>RFC 480S PN 4TX</td><td> all versions</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-46141: 9.8 (CVSS:3.1)<br><h4>Summary</h4><div class="page" title="Page 2">
<div class="layoutArea">
<div class="column">
<p><span>Phoenix Contact classic line industrial controllers are developed and designed for use in closed industrial networks. The controllers don’t feature a function to check the integrity and authenticity of the application (e.g.: logic files, executable logic, configurations).</span></p>
<p><span>Logic files generated by Automation Worx could be manipulated on the engineering station and loaded into the PLC without tamper detection. In addition, the tampering can be done by specially designed attacks in such a way that it remains hidden, and the logic program modifies its own code, making it difficult to determine the impact of a malicious program.</span></p>
</div>
</div>
</div><h4>Impact</h4><p>The identified vulnerabilities allow attackers to generate logic files or upload logic with arbitrary malicious code to the classic line industrial controllers once they have access to the engineering station running Automation Worx Software Suite or can communicate with the controllers. Attackers must have network or physical access to the engineering station or controller to exploit this vulnerability.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>Phoenix Contact classic line controllers are developed and designed for use in closed industrial networks. In this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls, and by dividing the plant into OT zones using firewalls.</p>
<p>This concept is supported by organizational measures in the production facility as part of a security management system. To achieve security here, measures are required at all levels. It must be ensured that logic is always transferred or stored in protected environments.</p>
<p>It applies to both data in transmission and data at rest. Connections between the engineering tools (Automation Worx Software Suite) and the controller must always be in a locally protected environment or, in the case of remote access, protected by VPN.</p>
<p>Project data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks. Project data should only be stored in protected environments. Customers using Phoenix Contact classic line controllers are recommended to operate the devices as intended in closed networks or protected with a suitable firewall.</p>
<p>For general information and recommendations on security measures to protect network-enabled devices, refer to the application note: <a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf" target="_blank">Application note Security</a></p>
<p>If a classic line controller can’t be used in protected zones, the OT communication protocols should be disabled. Depending on the controller type, this can be done either via CPU services via console or web-based management. Information on which controllers and from which firmware version onwards communication protocols can be deactivated is described in the application note for classic line controllers or in the manual for the respective controller, which is available for download on the Phoenix Contact website.<br>A summary of measures to protect devices based on classic control technology is provided here:<br><a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/74777de2d270be4cb4828ee57173dbd0/Application-note_110637_en_00.pdf" target="_blank">Measures to protect devices based on classic control technology</a></p>
<p></p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-055/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-055/</a>

Phoenix Contact: PLCnext Control prone to download of code without integrity check
2023-12-12T07:00:00+00:00
2023-12-11T15:26:58+00:00
CERTVDE
https://cert.vde.com/en/advisories/author/certuser/
https://cert.vde.com/en/advisories/VDE-2023-058/
<h4>VDE-2023-058</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>1151412</td><td>AXC F 1152</td><td> <= 2024.0</td></tr><tr><td>2404267</td><td>AXC F 2152</td><td> <= 2024.0</td></tr><tr><td>1069208</td><td>AXC F 3152</td><td> <= 2024.0</td></tr><tr><td>1246285</td><td>BPC 9102S</td><td> <= 2024.0</td></tr><tr><td>1185416</td><td>EPC 1502</td><td> <= 2024.0</td></tr><tr><td>1185423</td><td>EPC 1522</td><td> <= 2024.0</td></tr><tr><td>1046008</td><td>PLCnext Engineer</td><td> <= 2024.0</td></tr><tr><td>1136419</td><td>RFC 4072R</td><td> <= 2024.0</td></tr><tr><td>1051328</td><td>RFC 4072S</td><td> <= 2024.0</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-46144: 7.7 (CVSS:3.1)<br><h4>Summary</h4><div class="page" title="Page 2">
<div class="layoutArea">
<div class="column">
<p><span>PLCnext Control provides authentication and an integrity check for the application.<br>An authenticated, skilled attacker might be able to manipulate the application (e.g.: logic files, executable logic, configurations) in a specially crafted way such that the integrity check is not able to recognize the tampering, which is then difficult to remove.</span></p>
<p><span>PLCnext Engineer warns users if the PLC logic differs from the currently loaded project when Online mode is activated. In addition, when an application is loaded onto the PLC, a Project Integrity Warning log entry is generated.<br>A skilled attacker might be able to manipulate the application in a specially crafted way such that the integrity check is not able to recognize tampering attempts.</span></p>
</div>
</div>
</div><h4>Impact</h4><div class="page" title="Page 2">
<div class="layoutArea">
<div class="column">
<p><span>The identified vulnerabilities allow manipulated applications to be downloaded to and executed on PLCnext Control. Potentially tampered applications might not be discovered.</span></p>
</div>
</div>
</div><h4>Solution</h4><p><b>Mitigation</b></p>
<div class="page" title="Page 3">
<div class="layoutArea">
<div class="column">
<p><span>PLCnext Control is developed and designed for use in protected industrial networks. In this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls, and by dividing the plant into OT zones using firewalls.</span></p>
<p><span>This concept is supported by organizational measures in the production facility as part of a security management system. To achieve security, measures are required at all levels. It must be ensured that the application is always transferred or stored in protected environments.</span></p>
<p><span>This applies to both data in transmission and data at rest. Connections between the engineering tools (PLCnext Engineer) and PLCnext Control must always be in a locally protected environment or, in the case of remote access, protected by VPN.</span></p>
<p><span>Project data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks. Project data should only be stored in protected environments.</span></p>
<p><span>For general information and recommendations on security measures to protect network-enabled devices, refer to the application note:<br></span><a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf" target="_blank">Application note Security</a></p>
<p><span>PLCnext Control provides a feature set that supports users in setting up a separated protected environment, for example, by using separated Ethernet ports, firewalls, user and certificate management, and integrity checks. These features can reduce the attack surface of this vulnerability.</span></p>
<p><span>For more information, refer to the PLCnext Info Centers.</span></p>
</div>
</div>
<div class="section">
<div class="layoutArea">
<div class="column">
<p><span>PLCnext Control provides project data integrity checks; information about the default configuration is provided in the topic </span><span>Checking project data integrity.</span></p>
</div>
</div>
</div>
</div>
<p><b>Remediation</b></p>
<div class="page" title="Page 4">
<div class="layoutArea">
<div class="column">
<p><span>The PLCnext Control security feature set and hardening are continuously improved.<br>Please regularly check the PLCnext Control product download pages for updated versions and the PSIRT webpage </span><span>https://phoenixcontact.com/psirt </span><span>for updated information and firmware.</span></p>
</div>
</div>
<div class="layoutArea">
<div class="column">
<p><span>We recommend that our customers always use the latest LTS versions, as known security vulnerabilities are regularly fixed. The latest version at the time of publication of this advisory is 2023.0.7 LTS Hotfix.</span></p>
</div>
</div>
</div><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-058/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-058/</a>

Phoenix Contact: PLCnext prone to Incorrect Permission Assignment for Critical Resource
2023-12-12T07:00:00+00:00
2023-12-11T14:24:41+00:00
CERTVDE
https://cert.vde.com/en/advisories/author/certuser/
https://cert.vde.com/en/advisories/VDE-2023-056/
<h4>VDE-2023-056</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>1151412</td><td>AXC F 1152</td><td> <= 2024.0</td></tr><tr><td>2404267</td><td>AXC F 2152</td><td> <= 2024.0</td></tr><tr><td>1069208</td><td>AXC F 3152</td><td> <= 2024.0</td></tr><tr><td>1246285</td><td>BPC 9102S</td><td> <= 2024.0</td></tr><tr><td>1185416</td><td>EPC 1502</td><td> <= 2024.0</td></tr><tr><td>1185423</td><td>EPC 1522</td><td> <= 2024.0</td></tr><tr><td>1046008</td><td>PLCnext Engineer</td><td> <= 2024.0</td></tr><tr><td>1136419</td><td>RFC 4072R</td><td> <= 2024.0</td></tr><tr><td>1051328</td><td>RFC 4072S</td><td> <= 2024.0</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-46142: 8.8 (CVSS:3.1)<br><h4>Summary</h4><div class="page" title="Page 2">
<div class="layoutArea">
<div class="column">
<p><span>PLCnext Control provides authentication and an integrity check for the application.<br>An authenticated, skilled attacker might be able to manipulate the application (e.g.: logic files, executable logic, configurations) in a specially crafted way such that the integrity check is not able to recognize the tampering, which is then difficult to remove.</span></p>
<p><span>To successfully exploit this vulnerability, the attacker must have access to the application either with PLCnext Engineer on the Engineering station, the stored application, the application during download or the application storage on the PLC.</span></p>
</div>
</div>
</div><h4>Impact</h4><div class="page" title="Page 2">
<div class="layoutArea">
<div class="column">
<p><span>The identified vulnerabilities allow attackers to load malicious code onto PLCnext Control once they have access to the engineering station running PLCnext Engineer or can communicate with the controllers.<br>Attackers must have authenticated network or physical access to the engineering station or controller to exploit this vulnerability.</span></p>
</div>
</div>
</div><h4>Solution</h4><p><b>Mitigation</b></p>
<div class="page" title="Page 3">
<div class="layoutArea">
<div class="column">
<p><span>PLCnext Control is developed and designed for use in protected industrial networks. In this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls, and by dividing the plant into OT zones using firewalls.</span></p>
<p><span>This concept is supported by organizational measures in the production facility as part of a security management system. To achieve security, measures are required at all levels. It must be ensured that the application is always transferred or stored in protected environments.</span></p>
<p><span>This applies to both data in transmission and data at rest. Connections between the engineering tools (PLCnext Engineer) and PLCnext Control must always be in a locally protected environment or, in the case of remote access, protected by VPN.</span></p>
<p><span>Project data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks. Project data should only be stored in protected environments.</span></p>
<p><span>For general information and recommendations on security measures to protect network-enabled devices, refer to the application note: </span><a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf" target="_blank">Application note Security</a></p>
<div class="page" title="Page 3">
<div class="layoutArea">
<div class="column">
<p><span>PLCnext Control provides a feature set that supports users in setting up a separated protected environment, for example, by using separated Ethernet ports, firewalls, user and certificate management and integrity checks. These features can reduce the attack surface of this vulnerability.</span></p>
<p><span>For more information, refer to the PLCnext Info Centers.</span></p>
<p><span>Concepts for using PLCnext Control to establish protected industrial networks are described in the Security Context description </span><span>Generic security concept</span><span>.</span></p>
<p><strong>Remediation</strong></p>
<div class="page" title="Page 3">
<div class="layoutArea">
<div class="column">
<p><span>The PLCnext Control security feature set and hardening are continuously improved.<br>Please regularly check the PLCnext Control product download pages for updated versions and the PSIRT webpage <a href="https://phoenixcontact.com/psirt" target="_blank">https://phoenixcontact.com/psirt</a></span><span> </span><span>for updated information and firmware.</span></p>
</div>
</div>
<div class="section">
<div class="layoutArea">
<div class="column">
<p><span>We recommend that our customers always use the latest LTS versions, as known security vulnerabilities are regularly fixed. The latest version at the time of publication of this advisory is 2023.0.7 LTS Hotfix.</span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-056/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-056/</a>
PHOENIX CONTACT: WIBU-SYSTEMS CodeMeter Runtime vulnerabilities in multiple products | 2023-11-21T08:15:22+00:00 | 2023-11-21T08:15:24+00:00 | CERTVDE | https://cert.vde.com/en/advisories/author/certuser/ | https://cert.vde.com/en/advisories/VDE-2023-062/<h4>VDE-2023-062</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>1086889</td><td>E-Mobility Charging Suite</td><td> <= 1.7.0</td></tr><tr><td>1086920</td><td>E-Mobility Charging Suite</td><td> <= 1.7.0</td></tr><tr><td>1153509</td><td>E-Mobility Charging Suite</td><td> <= 1.7.0</td></tr><tr><td>1153513</td><td>E-Mobility Charging Suite</td><td> <= 1.7.0</td></tr><tr><td>1086929</td><td>E-Mobility Charging Suite</td><td> <= 1.7.0</td></tr><tr><td>1153516</td><td>E-Mobility Charging Suite</td><td> <= 1.7.0</td></tr><tr><td>1086891</td><td>E-Mobility Charging Suite</td><td> <= 1.7.0</td></tr><tr><td>1153508</td><td>E-Mobility Charging Suite</td><td> <= 1.7.0</td></tr><tr><td>1153520</td><td>E-Mobility Charging Suite</td><td> <= 1.7.0</td></tr><tr><td>1086921</td><td>E-Mobility Charging Suite</td><td> <= 1.7.0</td></tr><tr><td>2702889</td><td>FL Network Manager</td><td> <= 7.0</td></tr><tr><td>1083065</td><td>IOL Conf</td><td> <= 1.7.0</td></tr><tr><td>1636198</td><td>MTP DESIGNER</td><td> <= 1.2.0. BETA</td></tr><tr><td>1636200</td><td>MTP DESIGNER TRIAL</td><td> <= 1.2.0. 
BETA</td></tr><tr><td>--</td><td>PHOENIX CONTACT Activation Wizard</td><td> <= 1.6</td></tr><tr><td>1373917</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373918</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373908</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1550573</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1550576</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1550581</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1550587</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1550580</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1550582</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1532628</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1550574</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1550589</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373907</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373909</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373233</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373910</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373226</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373236</td><td>PHOENIX 
CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373231</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373224</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373913</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373912</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373238</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373914</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373915</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373916</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1046008</td><td>PLCnext Engineer</td><td> <= 2023.9</td></tr><tr><td>1165889</td><td>PLCnext Engineer EDU LIC</td><td> <= 2023.9</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-38545: 9.8 (CVSS:3.1)<br>⠀CVE-2023-24540: 9.8 (CVSS:3.1)<br><h4>Summary</h4><p>A heap-based buffer overflow caused by libcurl and wrong whitespace character interpretation<br>in Javascript, both used in CodeMeter Runtime affecting multiple products by PHOENIX CONTACT.</p>
<p></p><h4>Impact</h4><p><strong>CVE-2023-38545</strong></p>
<p>In a worst-case scenario and when using a SOCKS5 proxy, a successful exploitation of the vulnerability can lead to arbitrary code execution using the privileges of the user running the affected software. </p>
<p><strong>CVE-2023-24540</strong></p>
<p>WIBU Systems states that WIBU Codemeter is not affected by this vulnerability.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>Disable using a SOCKS5 proxy:</p>
<ul>
<li>The proxy environment variables HTTP_PROXY, HTTPS_PROXY and ALL_PROXY must not be set to socks5h://</li>
<li>Ensure that CodeMeter is not configured to use the SOCKS5 proxy. The variable ProxyServer must not start with socks5h://.<br>
<ul>
<li>On Windows, the definition of that variable is in the registry (regedit) under<br>HKLM/SOFTWARE/WIBU-SYSTEMS/CodeMeter/Server/CurrentVersion</li>
<li>On Mac, the definition of that variable is in the file<br>/Library/Preferences/com.wibu.CodeMeter.Server.ini</li>
<li>On Linux, the definition of that variable is in the file<br>/etc/wibu/CodeMeter/Server.ini</li>
<li>On Solaris, the definition of that variable is in the file<br>/etc/opt/CodeMeter/Server.ini<br>Use general security best practices to protect systems from local and network attacks, as described in the application note <a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/7287b631b23077172920b18d738b3b1c/107913_en_02.pdf" target="_blank">AH EN INDUSTRIAL SECURITY</a>.</li>
</ul>
</li>
</ul>
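<p>The checks listed above can be scripted for fleet audits. The following is an added example, not code from the advisory, WIBU-SYSTEMS or Phoenix Contact. It assumes Server.ini holds plain <code>key=value</code> lines (the <code>[General]</code> section in the sample is constructed) and, going slightly beyond the advisory, also matches lower-case spellings of the three proxy variables.</p>

```python
"""Audit a host for the socks5h:// proxy settings named in VDE-2023-062."""
import os
import sys

PROXY_ENV_VARS = ("HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY")
BLOCKED_SCHEME = "socks5h://"

# Locations taken from the advisory text.
SERVER_INI_PATHS = {
    "darwin": "/Library/Preferences/com.wibu.CodeMeter.Server.ini",
    "linux": "/etc/wibu/CodeMeter/Server.ini",
    "sunos": "/etc/opt/CodeMeter/Server.ini",
}
WINDOWS_KEY = r"SOFTWARE\WIBU-SYSTEMS\CodeMeter\Server\CurrentVersion"

# Constructed sample inputs (not taken from a real system).
SAMPLE_ENV = {
    "HTTPS_PROXY": "socks5h://192.0.2.10:1080",
    "HTTP_PROXY": "http://192.0.2.11:3128",
    "all_proxy": "SOCKS5H://192.0.2.10:1080",
    "PATH": "/usr/bin",
}
SAMPLE_INI = """\
; constructed sample, section name is an assumption
[General]
ProxyServer=socks5h://192.0.2.10
"""


def _is_blocked(value):
    """True if the value selects the SOCKS5 (proxy-side resolution) scheme."""
    return value.strip().strip('"').lower().startswith(BLOCKED_SCHEME)


def audit_environment(env):
    """Return findings for proxy variables set to socks5h:// in a mapping."""
    findings = []
    for name, value in env.items():
        if name.upper() in PROXY_ENV_VARS and _is_blocked(value):
            findings.append(f"env {name}={value}")
    return sorted(findings)


def audit_server_ini(text):
    """Return findings for ProxyServer entries starting with socks5h://."""
    findings = []
    section = ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "proxyserver" and _is_blocked(value):
            findings.append(
                f"ini line {lineno} [{section}] ProxyServer={value.strip()}"
            )
    return findings


def read_windows_proxy_server():
    """Read ProxyServer from the registry key named in the advisory."""
    import winreg  # Windows-only standard-library module

    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINDOWS_KEY) as key:
            value, _value_type = winreg.QueryValueEx(key, "ProxyServer")
            return str(value)
    except OSError:
        return None  # key or value not present


def audit_host(env=None):
    """Run every check that applies to the current platform."""
    findings = audit_environment(os.environ if env is None else env)
    if sys.platform == "win32":
        value = read_windows_proxy_server()
        if value and _is_blocked(value):
            findings.append(f"registry ProxyServer={value}")
        return findings
    prefix = next((p for p in SERVER_INI_PATHS if sys.platform.startswith(p)), None)
    path = SERVER_INI_PATHS.get(prefix)
    if path and os.path.isfile(path):
        with open(path, encoding="utf-8", errors="replace") as handle:
            findings += audit_server_ini(handle.read())
    return findings


if __name__ == "__main__":
    results = audit_host()
    for finding in results:
        print("FINDING:", finding)
    sys.exit(1 if results else 0)
```

<p>A non-zero exit status means at least one setting still points at a socks5h:// proxy and the mitigation is not in place on that host.</p>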
<p><b>Remediation</b></p>
<p>PHOENIX CONTACT strongly recommends that affected users upgrade to CodeMeter V7.60d, which fixes these vulnerabilities. WIBU-SYSTEMS has already published an update for CodeMeter on their homepage. Since this current version of CodeMeter V7.60d has not yet been incorporated into Phoenix Contact products, we strongly recommend downloading and installing the current CodeMeter version directly from the WIBU-SYSTEMS homepage.<br>Update Phoenix Contact Activation Wizard to version 1.7 when available. Please check the Phoenix Contact e-Shop for your related Software product regularly.</p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-062/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-062/</a>
PHOENIX CONTACT: Multiple products affected by WIBU Codemeter Vulnerability (Update A) | 2023-09-19T06:50:27+00:00 | 2023-11-14T09:18:00+00:00 | CERTVDE | https://cert.vde.com/en/advisories/author/certuser/ | https://cert.vde.com/en/advisories/VDE-2023-030/<h4>VDE-2023-030</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>1153520</td><td>E-Mobility Charging Suite</td><td> <= 1.7.0</td></tr><tr><td>1153509</td><td>E-Mobility Charging Suite</td><td> <= 1.7.0</td></tr><tr><td>1153513</td><td>E-Mobility Charging Suite</td><td> <= 1.7.0</td></tr><tr><td>1086929</td><td>E-Mobility Charging Suite</td><td> <= 1.7.0</td></tr><tr><td>1086889</td><td>E-Mobility Charging Suite</td><td> <= 1.7.0</td></tr><tr><td>1086920</td><td>E-Mobility Charging Suite</td><td> <= 1.7.0</td></tr><tr><td>1153516</td><td>E-Mobility Charging Suite</td><td> <= 1.7.0</td></tr><tr><td>1086891</td><td>E-Mobility Charging Suite</td><td> <= 1.7.0</td></tr><tr><td>1086921</td><td>E-Mobility Charging Suite</td><td> <= 1.7.0</td></tr><tr><td>1153508</td><td>E-Mobility Charging Suite</td><td> <= 1.7.0</td></tr><tr><td>2702889</td><td>FL Network Manager</td><td> <= 7.0</td></tr><tr><td>1083065</td><td>IOL Conf</td><td> <= 1.7.0</td></tr><tr><td>1636198</td><td>MTP DESIGNER</td><td> <= 1.2.0 BETA</td></tr><tr><td>1636200</td><td>MTP DESIGNER TRIAL</td><td> <= 1.2.0 BETA</td></tr><tr><td>--</td><td>PHOENIX CONTACT Activation Wizard</td><td> <= 1.6</td></tr><tr><td>1550589</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373907</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373909</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373233</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1532628</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1550574</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373910</td><td>PHOENIX CONTACT Activation 
Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373226</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373236</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373231</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373224</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373913</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373912</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373238</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373914</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373915</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373916</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373917</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373918</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1373908</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1550573</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1550576</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1550581</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1550587</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1550580</td><td>PHOENIX CONTACT Activation Wizard in MORYX 
Software Platform</td><td> <= 1.6</td></tr><tr><td>1550582</td><td>PHOENIX CONTACT Activation Wizard in MORYX Software Platform</td><td> <= 1.6</td></tr><tr><td>1046008</td><td>PLCnext Engineer</td><td> <= 2023.6</td></tr><tr><td>1165889</td><td>PLCnext Engineer EDU LIC</td><td> <= 2023.6</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-3935: 9.8 (CVSS:3.1)<br><h4>Summary</h4><p>A Vulnerability in WIBU-SYSTEMS CodeMeter Runtime affects multiple <span>Phoenix Contact</span><span> </span>products.</p>
<p>Phoenix Contact devices using CodeMeter embedded are not affected by this<span> </span>vulnerability.</p>
<p><strong>Update A, 2023-11-13</strong></p>
<p>Removed CVE-2023-4701 because it was revoked.</p><h4>Impact</h4><p>An attacker exploiting the vulnerability in WIBU CodeMeter Runtime in server mode could gain full access to the affected server via network access without any user interaction.</p>
<p>Exploiting the vulnerability in WIBU CodeMeter Runtime in non-networked workstation mode could lead to a privilege elevation and full admin access on this workstation.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>1. Use general security best practices to protect systems from local and network attacks, as described in the application note <a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/7287b631b23077172920b18d738b3b1c/107913_en_02.pdf" target="_blank">AH EN INDUSTRIAL SECURITY</a>.<br>2. Run CodeMeter as client only and use localhost as binding for the CodeMeter communication. With binding to localhost, an attack is no longer possible via a remote network connection. The network server is disabled by default. If it is not possible to disable the network server, using a host-based firewall to restrict network access is strongly recommended to reduce the risk.<br>3. The CmWAN server is disabled by default. Please check if CmWAN is enabled and disable the feature if it is not needed.<br>4. Run the CmWAN server only behind a reverse proxy with user authentication to prevent attacks from unauthenticated users. The risk of an unauthenticated attacker can be further reduced by using a host-based firewall that only allows the reverse proxy to access the CmWAN port.</p>
<p><b>Remediation</b></p>
<p>PHOENIX CONTACT strongly recommends that affected users upgrade to CodeMeter V7.60c, which fixes these vulnerabilities. WIBU-SYSTEMS has already published this update for CodeMeter on their homepage. Since this current version of CodeMeter V7.60c has not yet been incorporated into Phoenix Contact products, we strongly recommend downloading and installing the current CodeMeter version directly from the WIBU-SYSTEMS homepage.</p>
<p>Install Phoenix Contact Activation Wizard from version 1.7 when available.<br>Please check the Phoenix Contact e-Shop for your related Software product regularly.</p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-030/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-030/</a>
PHOENIX CONTACT: Multiple vulnerabilities in WP 6xxx Web panels | 2023-08-08T06:41:03+00:00 | 2023-08-08T06:41:14+00:00 | CERTVDE | https://cert.vde.com/en/advisories/author/certuser/ | https://cert.vde.com/en/advisories/VDE-2023-018/<h4>VDE-2023-018</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>1290800</td><td>WP 6070-WVPS</td><td> < 4.0.10</td></tr><tr><td>1290801</td><td>WP 6101-WXPS</td><td> < 4.0.10</td></tr><tr><td>1290802</td><td>WP 6121-WXPS</td><td> < 4.0.10</td></tr><tr><td>1290803</td><td>WP 6156-WHPS</td><td> < 4.0.10</td></tr><tr><td>1290807</td><td>WP 6185-WHPS</td><td> < 4.0.10</td></tr><tr><td>1290809</td><td>WP 6215-WHPS</td><td> < 4.0.10</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-37858: 4.9 (CVSS:3.1)<br>⠀CVE-2023-37857: 3.8 (CVSS:3.1)<br>⠀CVE-2023-37856: 4.3 (CVSS:3.1)<br>⠀CVE-2023-37855: 4.3 (CVSS:3.1)<br>⠀CVE-2023-3573: 8.8 (CVSS:3.1)<br>⠀CVE-2023-3572: 10.0 (CVSS:3.1)<br>⠀CVE-2023-3571: 8.8 (CVSS:3.1)<br>⠀CVE-2023-3570: 8.8 (CVSS:3.1)<br>⠀CVE-2023-37864: 7.2 (CVSS:3.1)<br>⠀CVE-2023-37863: 7.2 (CVSS:3.1)<br>⠀CVE-2023-37862: 8.2 (CVSS:3.1)<br>⠀CVE-2023-37861: 8.8 (CVSS:3.1)<br>⠀CVE-2023-37860: 7.5 (CVSS:3.1)<br>⠀CVE-2023-37859: 7.2 (CVSS:3.1)<br><h4>Summary</h4><p>Multiple vulnerabilities allow an attacker to read arbitrary files, inject commands and bypass authentication or access control. Furthermore, hardcoded session and encryption keys as well as a missing firmware update signature and a service running with unnecessary privileges were discovered.</p><h4>Impact</h4><p>These vulnerabilities allow an attacker to compromise the confidentiality, integrity and availability of the device. An authenticated attacker can gain an administrative shell, execute arbitrary OS commands with administrative privileges, read any files accessible for the “browser” user, craft valid session cookies, decrypt the password for web service, retrieve SNMP communities or craft a malicious firmware update packet.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:</p>
<p><a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf">Measures to protect network-capable devices with Ethernet connection</a></p>
<p><b>Remediation</b></p>
<p>Phoenix Contact strongly recommends updating to the latest Firmware Release 4.0.10 or higher, which fixes the above-mentioned vulnerabilities. </p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-018/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-018/</a>
PHOENIX CONTACT: PLCnext Engineer Vulnerabilities in LibGit2Sharp/LibGit2 | 2023-08-08T06:00:00+00:00 | 2023-07-06T15:09:14+00:00 | CERTVDE | https://cert.vde.com/en/advisories/author/certuser/ | https://cert.vde.com/en/advisories/VDE-2023-016/<h4>VDE-2023-016</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>1046008</td><td>PLCnext Engineer</td><td> <= 2023.3</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2019-1387: 8.8 (CVSS:3.1)<br>⠀CVE-2019-1354: 8.8 (CVSS:3.1)<br>⠀CVE-2019-1353: 9.8 (CVSS:3.1)<br>⠀CVE-2019-1352: 8.8 (CVSS:3.1)<br>⠀CVE-2019-1351: 7.5 (CVSS:3.1)<br>⠀CVE-2019-1350: 8.8 (CVSS:3.1)<br>⠀CVE-2019-1349: 8.8 (CVSS:3.1)<br>⠀CVE-2019-1348: 3.3 (CVSS:3.1)<br>⠀CVE-2018-11235: 7.8 (CVSS:3.0)<br>⠀CVE-2022-24765: 7.8 (CVSS:3.1)<br>⠀CVE-2022-29187: 7.8 (CVSS:3.1)<br><h4>Summary</h4><p>Several vulnerabilities have been discovered in the LibGit2Sharp or underlying LibGit2 library.<br>This open-source component is widely used in a lot of products worldwide.<br>The product is vulnerable to remote code execution, privilege escalation and tampering.<br>PLCnext Engineer is using the LibGit2Sharp library to provide version control capabilities.</p><h4>Impact</h4><p>Availability, integrity, or confidentiality of PLCnext Engineer might be compromised by attacks exploiting these vulnerabilities. Specially crafted git configuration files lead to a remote code execution which enables the attacker to elevate privileges and obtain access to the application. The attacker may take over the system, steal data or prevent a system or application from running correctly.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>To mitigate the aforementioned vulnerabilities, the integrity and authenticity of the git configuration data must be ensured. Otherwise, we kindly advise you to refrain from using the version control feature in versions lower than 2023.6.</p>
<p><b>Remediation</b></p>
<p>Update PLCnext Engineer to 2023.6.</p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-016/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-016/</a>
PHOENIX CONTACT: Multiple vulnerabilities in TC ROUTER, TC CLOUD CLIENT and CLOUD CLIENT devices | 2023-08-08T04:00:00+00:00 | 2023-07-31T11:14:00+00:00 | CERTVDE | https://cert.vde.com/en/advisories/author/certuser/ | https://cert.vde.com/en/advisories/VDE-2023-017/<h4>VDE-2023-017</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>1221706</td><td>CLOUD CLIENT 1101T-TX/TX</td><td> < 2.06.10</td></tr><tr><td>2702886</td><td>TC CLOUD CLIENT 1002-4G</td><td> < 2.07.2</td></tr><tr><td>2702888</td><td>TC CLOUD CLIENT 1002-4G ATT</td><td> < 2.07.2</td></tr><tr><td>2702887</td><td>TC CLOUD CLIENT 1002-4G VZW</td><td> < 2.07.2</td></tr><tr><td>2702528</td><td>TC ROUTER 3002T-4G</td><td> < 2.07.2</td></tr><tr><td>2702533</td><td>TC ROUTER 3002T-4G ATT</td><td> < 2.07.2</td></tr><tr><td>2702532</td><td>TC ROUTER 3002T-4G VZW</td><td> < 2.07.2</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-3526: 9.6 (CVSS:3.1)<br>⠀CVE-2023-3569: 4.9 (CVSS:3.1)<br><h4>Summary</h4><h4>Impact</h4><p>Multiple issues have been identified for the affected devices. Please consult the CVEs for details.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note.</p>
<p><a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf" target="_blank" title="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf">Measures to protect network-capable devices with Ethernet connection</a></p>
<p><b>Remediation</b></p>
<p>Phoenix Contact strongly recommends updating to the latest available firmware version, which fixes these vulnerabilities.</p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-017/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-017/</a>
PHOENIX CONTACT: FL MGUARD affected by two vulnerabilities | 2023-06-13T06:00:00+00:00 | 2023-06-07T07:54:05+00:00 | CERTVDE | https://cert.vde.com/en/advisories/author/certuser/ | https://cert.vde.com/en/advisories/VDE-2023-010/<h4>VDE-2023-010</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>1357872</td><td>FL MGUARD 2102</td><td> <= 10.1.1</td></tr><tr><td>1441187</td><td>FL MGUARD 4102 PCI</td><td> <= 10.1.1</td></tr><tr><td>1357842</td><td>FL MGUARD 4102 PCIE</td><td> <= 10.1.1</td></tr><tr><td>1357840</td><td>FL MGUARD 4302</td><td> <= 10.1.1</td></tr><tr><td>2702547</td><td>FL MGUARD CENTERPORT</td><td> <= 8.9.0</td></tr><tr><td>2702820</td><td>FL MGUARD CENTERPORT VPN-1000</td><td> <= 8.9.0</td></tr><tr><td>2702884</td><td>FL MGUARD CORE TX</td><td> <= 8.9.0</td></tr><tr><td>2702831</td><td>FL MGUARD CORE TX VPN</td><td> <= 8.9.0</td></tr><tr><td>2700967</td><td>FL MGUARD DELTA TX/TX</td><td> <= 8.9.0</td></tr><tr><td>2700968</td><td>FL MGUARD DELTA TX/TX VPN</td><td> <= 8.9.0</td></tr><tr><td>2700197</td><td>FL MGUARD GT/GT</td><td> <= 8.9.0</td></tr><tr><td>2700198</td><td>FL MGUARD GT/GT VPN</td><td> <= 8.9.0</td></tr><tr><td>2701274</td><td>FL MGUARD PCI4000</td><td> <= 8.9.0</td></tr><tr><td>2701275</td><td>FL MGUARD PCI4000 VPN</td><td> <= 8.9.0</td></tr><tr><td>2701277</td><td>FL MGUARD PCIE4000</td><td> <= 8.9.0</td></tr><tr><td>2701278</td><td>FL MGUARD PCIE4000 VPN</td><td> <= 8.9.0</td></tr><tr><td>2702139</td><td>FL MGUARD RS2000 TX/TX-B</td><td> <= 8.9.0</td></tr><tr><td>2700642</td><td>FL MGUARD RS2000 TX/TX VPN</td><td> <= 8.9.0</td></tr><tr><td>2701875</td><td>FL MGUARD RS2005 TX VPN</td><td> <= 8.9.0</td></tr><tr><td>2702470</td><td>FL MGUARD RS4000 TX/TX-M</td><td> <= 8.9.0</td></tr><tr><td>2702259</td><td>FL MGUARD RS4000 TX/TX-P</td><td> <= 8.9.0</td></tr><tr><td>2700634</td><td>FL MGUARD RS4000 TX/TX VPN</td><td> <= 8.9.0</td></tr><tr><td>2200515</td><td>FL MGUARD RS4000 TX/TX VPN</td><td> <= 8.9.0</td></tr><tr><td>2701876</td><td>FL MGUARD RS4004 TX/DTX</td><td> <= 8.9.0</td></tr><tr><td>2701877</td><td>FL MGUARD RS4004 TX/DTX VPN</td><td> <= 
8.9.0</td></tr><tr><td>2700640</td><td>FL MGUARD SMART2</td><td> <= 8.9.0</td></tr><tr><td>2700639</td><td>FL MGUARD SMART2 VPN</td><td> <= 8.9.0</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2022-4304: 5.9 (CVSS:3.1)<br>⠀CVE-2023-2673: 5.8 (CVSS:3.1)<br><h4>Summary</h4><p>The FL MGUARD family of devices is affected by two vulnerabilities.</p>
<h4>Impact</h4><p><strong>CVE-2022-4304</strong>: The OpenSSL library contains a bug that leads to a timing oracle when RSA based ciphers are used without forward secrecy for network communication. By sending a very large number of trial messages, an attacker can try to achieve a decryption of encrypted network packets. This affects TLS connections to and from the FL MGUARD as well as VPN connections. The highest risk arises from deferred attempts to decrypt pre-recorded network sessions. The throttling feature of the FL MGUARD can impede but not prevent the attack.<br>There is a risk that attackers could decrypt network traffic encrypted by the FL MGUARD device.</p>
<p><strong>CVE-2023-2673</strong>: If a FL MGUARD or TC MGUARD device is operated in static or autodetect stealth mode, UDP packets which are directed to the protected device do not pass the configured MAC filter rules. The issue does not compromise the incoming IPv4 packet filter, which blocks all incoming traffic by default. The issue does not affect multi stealth mode.<br>There is a risk that attackers could send UDP packets to the protected device which should have been filtered out.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<ul>
<li>Do not use RSA based ciphers for encryption of network traffic, use cipher suites with forward secrecy for TLS or IPsec communication and renew vulnerable certificates frequently.</li>
<li>Configure the incoming IPv4 packet filter carefully to protect clients from potentially malicious UDP packets.</li>
</ul>
<p><b>Remediation</b></p>
<p>The vulnerabilities are fixed in firmware versions 8.9.1 and 10.2.0. We strongly recommend that all affected FL MGUARD users upgrade to this or a later version.</p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-010/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-010/</a>
PHOENIX CONTACT: Directory Traversal Vulnerability in ENERGY AXC PU Web service | 2023-04-11T08:00:00+00:00 | 2023-03-24T10:56:43+00:00 | CERTVDE | https://cert.vde.com/en/advisories/author/certuser/ | https://cert.vde.com/en/advisories/VDE-2023-004/<h4>VDE-2023-004</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>1264327</td><td>ENERGY AXC PU</td><td> < V04.15.00.00</td></tr><tr><td>1169323</td><td>Infobox*</td><td> <= V02.02.00.00</td></tr><tr><td>1264328</td><td>SMARTRTU AXC IG</td><td> <= V01.02.00.01</td></tr><tr><td>1110435</td><td>SMARTRTU AXC SG</td><td> <= V01.08.00.02</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-1109: 8.8 (CVSS:3.1)<br><h4>Summary</h4><p>A Directory Traversal Vulnerability enables arbitrary file access in ENERGY AXC PU Web service.<br>An authenticated restricted user of the web frontend can access, read, write and create files throughout the file system using specially crafted URLs via the upload and download functionality of the web service.</p><h4>Impact</h4><p>The vulnerability enables an attacker to gain access to the file system of the devices. This can enable the attacker to compromise the device in terms of availability, integrity and confidentiality.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to Phoenix Contact's application note.<br><a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf">Measures to protect network-capable devices with Ethernet connection</a></p>
<p><b>Remediation</b></p>
<p>Phoenix Contact strongly recommends updating to the latest firmware mentioned in the list of affected products, which fixes this vulnerability.</p>
<table>
<tbody>
<tr>
<td><strong>Article no</strong></td>
<td><strong>Article</strong></td>
<td><strong>Fixed version</strong></td>
</tr>
<tr>
<td>1264327</td>
<td>ENERGY AXC PU</td>
<td style="text-align: center;">V04.15.00.01</td>
</tr>
<tr>
<td>1110435</td>
<td>SMARTRTU AXC SG</td>
<td style="text-align: center;">V01.09.00.00</td>
</tr>
<tr>
<td>1264328</td>
<td>SMARTRTU AXC IG</td>
<td style="text-align: center;">End of Q3 2023</td>
</tr>
</tbody>
</table>
<p>* As Infobox (1169323) is discontinued, no update will be available.</p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-004/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-004/</a>
PHOENIX CONTACT: Multiple vulnerabilities in ENERGY AXC PU | 2023-03-14T09:14:24+00:00 | 2023-03-14T09:14:44+00:00 | CERTVDE | https://cert.vde.com/en/advisories/author/certuser/ | https://cert.vde.com/en/advisories/VDE-2023-003/<h4>VDE-2023-003</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>1264327</td><td>ENERGY AXC PU</td><td> < V04.15.00.00</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2022-30792: 7.5 (CVSS:3.1)<br>⠀CVE-2022-22515: 8.1 (CVSS:3.1)<br>⠀CVE-2022-22514: 7.1 (CVSS:3.1)<br>⠀CVE-2022-22513: 6.5 (CVSS:3.1)<br>⠀CVE-2022-22517: 7.5 (CVSS:3.1)<br><h4>Summary</h4><p>Multiple vulnerabilities have been discovered in CODESYS Control V3 runtime system.<br>For details regarding the individual vulnerabilities, please refer to the security advisories issued by CODESYS:</p>
<ul>
<li>CODESYS Security Advisory 2022-02</li>
<li>CODESYS Security Advisory 2022-04</li>
<li>CODESYS Security Advisory 2022-06</li>
<li>CODESYS Security Advisory 2022-09</li>
</ul><h4>Impact</h4><p>The CODESYS Control runtime system enables embedded or PC-based devices to be a programmable industrial controller. Such products contain communication servers for the CODESYS protocol to enable communication with clients.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to Phoenix Contact's application note.<br><a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf" target="_blank">Measures to protect network-capable devices with Ethernet connection</a></p>
<p><b>Remediation</b></p>
<p>Phoenix Contact strongly recommends updating to the latest firmware mentioned in the list of affected products, which fixes this vulnerability.</p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-003/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-003/</a>
PHOENIX CONTACT: Advisory for TC ROUTER and CLOUD CLIENT2023-03-07T07:00:00+00:002023-02-28T06:46:41+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2022-053/<h4>VDE-2022-053</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>1234355</td><td>CLOUD CLIENT 2002T-4G EU</td><td> < 4.5.73.107</td></tr><tr><td>1234360</td><td>CLOUD CLIENT 2002T-WLAN</td><td> < 4.5.73.107</td></tr><tr><td>1234357</td><td>CLOUD CLIENT 2102T-4G EU WLAN</td><td> < 4.5.73.107</td></tr><tr><td>1234352</td><td>TC ROUTER 4002T-4G EU</td><td> < 4.5.72.107</td></tr><tr><td>1234353</td><td>TC ROUTER 4102T-4G EU WLAN</td><td> < 4.5.72.107</td></tr><tr><td>1234354</td><td>TC ROUTER 4202T-4G EU WLAN</td><td> < 4.5.72.107</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2023-0861: 8.8 (CVSS:3.1)<br>⠀CVE-2023-0862: 8.8 (CVSS:3.1)<br><h4>Summary</h4><p>Two Vulnerabilities have been discovered in TC ROUTER 4000 series and CLOUD CLIENT 2000 series up to firmware version 4.5.7x.107.</p>
<p>The web administration interface is vulnerable to path traversal by authenticated admin users, which could lead to arbitrary file uploads or deletion. Unvalidated user input also enables execution of OS commands.</p><h4>Impact</h4><p>The web interface is available only after authentication. An authorized admin user could use these vulnerabilities to execute arbitrary commands, upload arbitrary files or delete files from the device. This may lead to the device no longer functioning properly.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note: <a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf" target="_blank">Measures to protect network-capable devices with Ethernet connection</a></p>
<p><b>Remediation</b></p>
<p>The vulnerability is fixed in firmware version 4.6.7x.101. We strongly recommend all affected users to upgrade to this or a later version.</p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2022-053/" target=_new>https://cert.vde.com/en/advisories/VDE-2022-053/</a>
PHOENIX CONTACT: Multiple Vulnerabilities in PLCnext Firmware2023-02-14T07:50:06+00:002023-02-14T07:50:53+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2023-001/<h4>VDE-2023-001</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>1151412</td><td>AXC F 1152</td><td> < 2023.0.0 LTS</td></tr><tr><td>2404267</td><td>AXC F 2152</td><td> < 2023.0.0 LTS</td></tr><tr><td>1069208</td><td>AXC F 3152</td><td> < 2023.0.0 LTS</td></tr><tr><td>1246285</td><td>BPC 9102S</td><td> < 2023.0.0 LTS</td></tr><tr><td>1136419</td><td>RFC 4072R</td><td> < 2023.0.0 LTS</td></tr><tr><td>1051328</td><td>RFC 4072S</td><td> < 2023.0.0 LTS</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2022-30065: 7.8 (CVSS:3.1)<br>⠀CVE-2022-40674: 9.8 (CVSS:3.1)<br>⠀CVE-2022-35252: 3.7 (CVSS:3.1)<br>⠀CVE-2022-43680: 7.5 (CVSS:3.1)<br>⠀CVE-2022-42916: 7.5 (CVSS:3.1)<br>⠀CVE-2022-1664: 9.8 (CVSS:3.1)<br>⠀CVE-2022-1304: 7.8 (CVSS:3.1)<br>⠀CVE-2022-29187: 7.8 (CVSS:3.1)<br>⠀CVE-2022-39260: 8.8 (CVSS:3.1)<br>⠀CVE-2022-39253: 5.5 (CVSS:3.1)<br>⠀CVE-2022-42915: 9.8 (CVSS:3.1)<br>⠀CVE-2022-2509: 7.5 (CVSS:3.1)<br>⠀CVE-2021-46828: 7.5 (CVSS:3.1)<br>⠀CVE-2022-40304: 7.8 (CVSS:3.1)<br>⠀CVE-2022-1015: 6.6 (CVSS:3.1)<br>⠀CVE-2022-1016: 5.5 (CVSS:3.1)<br>⠀CVE-2022-1348: 6.5 (CVSS:3.1)<br>⠀CVE-2022-2097: 5.3 (CVSS:3.1)<br>⠀CVE-2022-42919: 7.8 (CVSS:3.1)<br>⠀CVE-2002-20001: 7.5 (CVSS:3.1)<br>⠀CVE-2022-40617: 7.5 (CVSS:3.1)<br>⠀CVE-2022-43995: 7.1 (CVSS:3.1)<br>⠀CVE-2022-2522: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2571: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2580: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2581: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2598: 5.5 (CVSS:3.1)<br>⠀CVE-2022-3234: 7.8 (CVSS:3.1)<br>⠀CVE-2022-3235: 7.8 (CVSS:3.1)<br>⠀CVE-2022-32207: 9.8 (CVSS:3.1)<br>⠀CVE-2022-3256: 7.8 (CVSS:3.1)<br>⠀CVE-2022-32206: 6.5 (CVSS:3.1)<br>⠀CVE-2022-3278: 5.5 (CVSS:3.1)<br>⠀CVE-2022-32208: 5.9 (CVSS:3.1)<br>⠀CVE-2022-3296: 7.8 (CVSS:3.1)<br>⠀CVE-2022-32205: 4.3 (CVSS:3.1)<br>⠀CVE-2022-3297: 7.8 (CVSS:3.1)<br>⠀CVE-2022-3324: 7.8 (CVSS:3.1)<br>⠀CVE-2022-3352: 7.8 (CVSS:3.1)<br>⠀CVE-2022-3705: 7.5 
(CVSS:3.1)<br>⠀CVE-2022-37434: 9.8 (CVSS:3.1)<br>⠀CVE-2022-1927: 7.8 (CVSS:3.1)<br>⠀CVE-2022-1942: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2129: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2175: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2182: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2183: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2343: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2207: 9.8 (CVSS:3.1)<br>⠀CVE-2022-2210: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2344: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2304: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2345: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2208: 5.5 (CVSS:3.1)<br>⠀CVE-2022-2231: 5.5 (CVSS:3.1)<br>⠀CVE-2022-2287: 7.1 (CVSS:3.1)<br>⠀CVE-2022-2285: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2284: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2286: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2289: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2288: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2264: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2206: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2257: 7.8 (CVSS:3.1)<br><h4>Summary</h4><p>A new LTS Firmware release fixes known vulnerabilities in used open-source libraries.</p>
<p>In addition, the following improvements have been implemented:</p>
<p><strong>HMI</strong></p>
<p>- Hardening against DoS attacks. <br>- Hardening against memory leak problems in case of network attacks.</p>
<p><strong>WBM</strong></p>
<p>- Umlauts in the password of the “User Manager” were not handled correctly. The password rule for upper and lower case was not followed. This could lead to unintentionally weaker passwords.<br>- Hardening of WBM against Cross-Site-Scripting.</p>
<p><strong>User Manager</strong></p>
<p>- In security notifications “SecurityToken” was always displayed as “0000000” when creating or modifying users.<br>- Hardening of Trust and Identity Stores.</p><h4>Impact</h4><p><em>Please consult the CVE entries listed above.</em></p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:</p>
<p><a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf" target="_blank">Measures to protect network-capable devices with Ethernet connection</a></p>
<p><b>Remediation</b></p>
<p>Update to the latest 2023.0.0 LTS Firmware Release.</p>
<p>PHOENIX CONTACT recommends always using an up-to-date version of PLCnext Engineer.</p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2023-001/" target=_new>https://cert.vde.com/en/advisories/VDE-2023-001/</a>
PHOENIX CONTACT: Profinet SDK libexpat vulnerabilities2022-12-13T07:00:00+00:002022-12-13T07:13:52+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2022-058/<h4>VDE-2022-058</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>1175941</td><td>PROFINET SDK</td><td> <= 6.6</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2022-40674: 9.8 (CVSS:3.1)<br>⠀CVE-2022-43680: 7.5 (CVSS:3.1)<br><h4>Summary</h4><p>Two vulnerabilities have been discovered in the Expat XML parser library (aka libexpat). This open-source component is widely used in a lot of products worldwide. An attacker could cause a program to crash, use unexpected values or execute code by exploiting these use-after-free vulnerabilities.</p>
<p>Profinet SDK uses the Expat XML parser library as the reference solution for loading the XML-based Profinet network configuration files (IPPNIO or TIC).</p><h4>Impact</h4><p>Availability, integrity, or confidentiality of a device using the PROFINET Controller Stack might be compromised by attacks exploiting these vulnerabilities.</p>
<p>Depending on the instantiation and timing of the defect, using previously freed memory might result in a variety of negative effects, from the corruption of valid data to the execution of arbitrary code. In the default installation a vulnerable libexpat is present, but it may have been replaced in the toolchain itself.</p><h4>Solution</h4><p><b>Temporary Fix / Mitigation</b></p>
<p>We strongly recommend that customers ensure that only data from reliable sources is used. Affected customers should also check whether vulnerable libexpat library versions are used in the specific configuration tool chain.</p>
<p>For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:</p>
<p><a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf" target="_blank">Measures to protect network-capable devices with Ethernet connection</a></p>
<p><b>Remediation</b></p>
<ol>
<li>Update configuration tool chains to libexpat library version 2.4.9 or higher.</li>
<li>Upgrade to PROFINET SDK 6.7 or higher if necessary.</li>
</ol>
<p></p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2022-058/" target=_new>https://cert.vde.com/en/advisories/VDE-2022-058/</a>
PHOENIX CONTACT: Denial-of-Service vulnerability in mGuard product family2022-11-15T09:27:53+00:002022-11-15T09:27:57+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2022-051/<h4>VDE-2022-051</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>2702547</td><td>FL MGUARD CENTERPORT</td><td> < 8.9.0</td></tr><tr><td>2702820</td><td>FL MGUARD CENTERPORT VPN-1000</td><td> < 8.9.0</td></tr><tr><td>2702884</td><td>FL MGUARD CORE TX</td><td> < 8.9.0</td></tr><tr><td>2702831</td><td>FL MGUARD CORE TX VPN</td><td> < 8.9.0</td></tr><tr><td>2700967</td><td>FL MGUARD DELTA TX/TX</td><td> < 8.9.0</td></tr><tr><td>2700968</td><td>FL MGUARD DELTA TX/TX VPN</td><td> < 8.9.0</td></tr><tr><td>2700197</td><td>FL MGUARD GT/GT</td><td> < 8.9.0</td></tr><tr><td>2700198</td><td>FL MGUARD GT/GT VPN</td><td> < 8.9.0</td></tr><tr><td>2701274</td><td>FL MGUARD PCI4000</td><td> < 8.9.0</td></tr><tr><td>2701275</td><td>FL MGUARD PCI4000 VPN</td><td> < 8.9.0</td></tr><tr><td>2701277</td><td>FL MGUARD PCIE4000</td><td> < 8.9.0</td></tr><tr><td>2701278</td><td>FL MGUARD PCIE4000 VPN</td><td> < 8.9.0</td></tr><tr><td>2702139</td><td>FL MGUARD RS2000 TX/TX-B</td><td> < 8.9.0</td></tr><tr><td>2700642</td><td>FL MGUARD RS2000 TX/TX VPN</td><td> < 8.9.0</td></tr><tr><td>2701875</td><td>FL MGUARD RS2005 TX VPN</td><td> < 8.9.0</td></tr><tr><td>2700634</td><td>FL MGUARD RS4000 TX/TX</td><td> < 8.9.0</td></tr><tr><td>2702470</td><td>FL MGUARD RS4000 TX/TX-M</td><td> < 8.9.0</td></tr><tr><td>2702259</td><td>FL MGUARD RS4000 TX/TX-P</td><td> < 8.9.0</td></tr><tr><td>2200515</td><td>FL MGUARD RS4000 TX/TX VPN</td><td> < 8.9.0</td></tr><tr><td>2701876</td><td>FL MGUARD RS4004 TX/DTX</td><td> < 8.9.0</td></tr><tr><td>2701877</td><td>FL MGUARD RS4004 TX/DTX VPN</td><td> < 8.9.0</td></tr><tr><td>2700640</td><td>FL MGUARD SMART2</td><td> < 8.9.0</td></tr><tr><td>2700639</td><td>FL MGUARD SMART2 VPN</td><td> < 8.9.0</td></tr><tr><td>2903441</td><td>TC MGUARD RS2000 3G VPN</td><td> < 8.9.0</td></tr><tr><td>1010464</td><td>TC MGUARD RS2000 4G ATT VPN</td><td> < 
8.9.0</td></tr><tr><td>2903588</td><td>TC MGUARD RS2000 4G VPN</td><td> < 8.9.0</td></tr><tr><td>1010462</td><td>TC MGUARD RS2000 4G VZW VPN</td><td> < 8.9.0</td></tr><tr><td>2903440</td><td>TC MGUARD RS4000 3G VPN</td><td> < 8.9.0</td></tr><tr><td>1010463</td><td>TC MGUARD RS4000 4G ATT VPN</td><td> < 8.9.0</td></tr><tr><td>2903586</td><td>TC MGUARD RS4000 4G VPN</td><td> < 8.9.0</td></tr><tr><td>1010461</td><td>TC MGUARD RS4000 4G VZW VPN</td><td> < 8.9.0</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2022-3480: 7.5 (CVSS:3.1)<br><h4>Summary</h4><p>A denial of service of the HTTPS management interface of PHOENIX CONTACT FL MGUARD and TC MGUARD devices can be triggered by a large number of unauthenticated HTTPS connections originating from different source IPs. Configuring firewall limits for incoming connections cannot prevent the issue.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>Don’t allow access to the HTTPS management interface from untrusted networks.<br>In the default configuration, the access is only allowed from internal interfaces.</p>
<p><b>Remediation</b></p>
<p>The vulnerability is fixed in firmware version 8.9.0. We strongly recommend all affected users to upgrade to this or a later version.</p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2022-051/" target=_new>https://cert.vde.com/en/advisories/VDE-2022-051/</a>
PHOENIX CONTACT: Automationworx BCP File Parsing Vulnerabilities (Update A)2022-11-15T09:25:35+00:002022-11-15T09:26:17+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2022-048/<h4>VDE-2022-048</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>-</td><td>Config+</td><td>1.0 <= 1.89</td></tr><tr><td>-</td><td>PC Worx</td><td>1.0 <= 1.89</td></tr><tr><td>-</td><td>PC Worx Express</td><td>1.0 <= 1.89</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2022-3461: 7.8 (CVSS:3.1)<br>⠀CVE-2022-3737: 7.8 (CVSS:3.1)<br><h4>Summary</h4><p>Manipulated PC Worx or Config+ files could lead to a heap buffer overflow, release of unallocated memory or a read access violation due to insufficient validation of input data.<br>The attacker needs to get access to an original bus configuration file (*.bcp) to be able to manipulate the data inside. After manipulation, the attacker needs to replace the original file with the manipulated one on the application programming workstation.</p>
<p><strong>Update A, 2022-11-14</strong></p>
<ul>
<li>removed the sentence "<em>Automated systems in operation which were programmed with one of the above-mentioned products are not affected.</em>" from Impact.</li>
</ul><h4>Impact</h4><p>Availability, integrity, or confidentiality of an application programming workstation might be compromised by attacks using these vulnerabilities.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>We strongly recommend that customers exchange project files only via secure file exchange services. Project files should not be exchanged via unencrypted email.</p>
<p><b>Remediation</b></p>
<p>With the next version of Automationworx Software Suite an already implemented remediation measure needs to be corrected to prevent the release of unallocated memory.<br>To prevent the read access violation the validation of the input data will be improved.</p>
<p><strong><span lang="EN-GB">We strongly recommend customers to upgrade to Automation Worx Software Suite > 1.89.</span></strong></p>
<p></p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2022-048/" target=_new>https://cert.vde.com/en/advisories/VDE-2022-048/</a>
PHOENIX CONTACT: Multiple Linux component vulnerabilities in PLCnext Firmware (Update A)2022-10-11T06:00:00+00:002022-11-24T07:51:02+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2022-046/<h4>VDE-2022-046</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>1151412</td><td>AXC F 1152</td><td> < 2022.0.8 LTS</td></tr><tr><td>2404267</td><td>AXC F 2152</td><td> < 2022.0.8 LTS</td></tr><tr><td>1069208</td><td>AXC F 3152</td><td> < 2022.0.8 LTS</td></tr><tr><td>1246285</td><td>BPC 9102S</td><td> < 2022.0.8 LTS</td></tr><tr><td>1264327</td><td>ENERGY AXC PU</td><td> < V04.14.00.00</td></tr><tr><td>1185416</td><td>EPC 1502</td><td> < 2022.0.7 LTS</td></tr><tr><td>1185423</td><td>EPC 1522</td><td> < 2022.0.7 LTS</td></tr><tr><td>1051328</td><td>RFC 4072S</td><td> < 2022.0.8 LTS</td></tr><tr><td>1110435</td><td>SMARTRTU AXC SG</td><td> < V01.09.00.00</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2022-29824: 6.5 (CVSS:3.1)<br>⠀CVE-2022-23308: 7.5 (CVSS:3.1)<br>⠀CVE-2022-28391: 8.8 (CVSS:3.1)<br>⠀CVE-2022-0547: 9.8 (CVSS:3.1)<br>⠀CVE-2022-1381: 7.8 (CVSS:3.1)<br>⠀CVE-2022-1420: 5.5 (CVSS:3.1)<br>⠀CVE-2022-1733: 7.8 (CVSS:3.1)<br>⠀CVE-2022-1796: 7.8 (CVSS:3.1)<br>⠀CVE-2022-1621: 7.8 (CVSS:3.1)<br>⠀CVE-2022-1616: 7.8 (CVSS:3.1)<br>⠀CVE-2022-25313: 6.5 (CVSS:3.1)<br>⠀CVE-2021-45117: 6.5 (CVSS:3.1)<br>⠀CVE-2022-1619: 7.8 (CVSS:3.1)<br>⠀CVE-2022-25235: 9.8 (CVSS:3.1)<br>⠀CVE-2022-25236: 9.8 (CVSS:3.1)<br>⠀CVE-2022-1629: 7.8 (CVSS:3.1)<br>⠀CVE-2022-1735: 7.8 (CVSS:3.1)<br>⠀CVE-2022-1769: 7.8 (CVSS:3.1)<br>⠀CVE-2022-1785: 7.8 (CVSS:3.1)<br>⠀CVE-2022-1620: 7.5 (CVSS:3.1)<br>⠀CVE-2022-1674: 5.5 (CVSS:3.1)<br>⠀CVE-2022-1771: 5.5 (CVSS:3.1)<br>⠀CVE-2022-1886: 7.8 (CVSS:3.1)<br>⠀CVE-2022-1851: 7.8 (CVSS:3.1)<br>⠀CVE-2022-1898: 7.8 (CVSS:3.1)<br>⠀CVE-2022-1720: 7.8 (CVSS:3.1)<br>⠀CVE-2018-25032: 7.5 (CVSS:3.1)<br>⠀CVE-2022-22576: 8.1 (CVSS:3.1)<br>⠀CVE-2022-27778: 8.1 (CVSS:3.1)<br>⠀CVE-2022-27779: 5.3 (CVSS:3.1)<br>⠀CVE-2022-27782: 7.5 (CVSS:3.1)<br>⠀CVE-2022-27774: 5.7 (CVSS:3.1)<br>⠀CVE-2022-25314: 7.5 (CVSS:3.1)<br>⠀CVE-2022-25315: 9.8 
(CVSS:3.1)<br>⠀CVE-2022-27776: 6.5 (CVSS:3.1)<br>⠀CVE-2022-30115: 4.3 (CVSS:3.1)<br>⠀CVE-2022-27780: 7.5 (CVSS:3.1)<br>⠀CVE-2022-27781: 7.5 (CVSS:3.1)<br>⠀CVE-2022-27775: 7.5 (CVSS:3.1)<br>⠀CVE-2022-32207: 9.8 (CVSS:3.1)<br>⠀CVE-2022-32206: 6.5 (CVSS:3.1)<br>⠀CVE-2022-32208: 5.9 (CVSS:3.1)<br>⠀CVE-2022-32205: 4.3 (CVSS:3.1)<br>⠀CVE-2019-19906: 7.5 (CVSS:3.1)<br>⠀CVE-2022-24407: 8.8 (CVSS:3.1)<br>⠀CVE-2022-1154: 7.8 (CVSS:3.1)<br>⠀CVE-2022-0943: 7.8 (CVSS:3.1)<br>⠀CVE-2022-1160: 7.8 (CVSS:3.1)<br>⠀CVE-2022-0729: 8.8 (CVSS:3.1)<br>⠀CVE-2022-0572: 7.8 (CVSS:3.1)<br>⠀CVE-2022-0696: 5.5 (CVSS:3.1)<br>⠀CVE-2022-0685: 7.8 (CVSS:3.1)<br>⠀CVE-2022-0714: 5.5 (CVSS:3.1)<br>⠀CVE-2022-0361: 7.8 (CVSS:3.1)<br>⠀CVE-2022-0368: 7.8 (CVSS:3.1)<br>⠀CVE-2021-3973: 7.8 (CVSS:3.1)<br>⠀CVE-2021-3796: 7.3 (CVSS:3.1)<br>⠀CVE-2021-4166: 7.1 (CVSS:3.1)<br>⠀CVE-2022-1927: 7.8 (CVSS:3.1)<br>⠀CVE-2022-1942: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2129: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2175: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2182: 7.8 (CVSS:3.1)<br>⠀CVE-2022-0778: 7.5 (CVSS:3.1)<br>⠀CVE-2022-2183: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2343: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2207: 9.8 (CVSS:3.1)<br>⠀CVE-2022-2210: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2344: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2345: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2208: 5.5 (CVSS:3.1)<br>⠀CVE-2022-2231: 5.5 (CVSS:3.1)<br>⠀CVE-2022-2287: 7.1 (CVSS:3.1)<br>⠀CVE-2022-2285: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2284: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2286: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2289: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2288: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2264: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2206: 7.8 (CVSS:3.1)<br>⠀CVE-2022-2257: 7.8 (CVSS:3.1)<br>⠀CVE-2022-29862: 7.5 (CVSS:3.1)<br>⠀CVE-2022-29864: 7.5 (CVSS:3.1)<br><h4>Summary</h4><p><em><strong>UPDATE A: </strong></em>Two devices (ENERGY AXC PU, SMARTRTU AXC SG) added (24.11.2022)</p>
<p>Update for PLCnext Firmware containing fixes for recent vulnerability findings in Linux components and security enhancements.</p>
<p>PLCnext Control AXC F x152 is certified according to IEC 62443-4-1 and IEC 62443-4-2. This certification requires that all third-party components used in the firmware are regularly checked for known vulnerabilities.</p><h4>Impact</h4><p>Availability, integrity, or confidentiality of the PLCnext Control might be compromised by attacks using these vulnerabilities.</p><h4>Solution</h4><p><strong>Temporary Fix / Mitigation</strong></p>
<p>Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:<br><a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf" target="_blank">Measures to protect network-capable devices with Ethernet connection</a></p>
<p><strong>Remediation</strong></p>
<p>Update to the latest LTS Firmware Release.<br>Update to the latest LTS PLCnext Engineer Release.<br>Please check <a href="https://phoenixcontact.com/psirt" target="_blank">Phoenix Contact PSIRT webpage</a> for further Updates of this Advisory.</p>
<p></p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2022-046/" target=_new>https://cert.vde.com/en/advisories/VDE-2022-046/</a>
PHOENIX CONTACT: Missing Authentication in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool2022-06-21T05:18:57+00:002022-06-21T05:18:59+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2022-028/<h4>VDE-2022-028</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>MULTIPROG</td><td> all versions</td></tr><tr><td></td><td>ProConOS</td><td> all versions</td></tr><tr><td></td><td>ProConOS eCLR</td><td> all versions</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2014-9195: 7.5 (CVSS:2.0)<br><h4>Summary</h4><p>ProConOS/ProConOS eCLR designed for use in closed industrial networks provide communication protocols without authentication.</p>
<p>Please also refer to the original ICS-CERT advisory <a href="https://www.cisa.gov/uscert/ics/advisories/ICSA-15-013-03">ICSA-15-013-03</a> published 13 January 2015.</p><h4>Impact</h4><p>The identified vulnerability allows unauthenticated users to modify programs in some controllers that are utilizing ProConOS/ProConOS eCLR and MULTIPROG products. Attackers who reengineer the communication protocols and have network or physical controller access can exploit this vulnerability. This vulnerability affects all versions of ProConOS/ProConOS eCLR and MULTIPROG from Phoenix Contact Software (formerly KW-Software).</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>Manufacturers using ProConOS/ProConOS eCLR in their automation devices are advised to check their implementation and may publish an advisory according to their product.</p>
<p>Users of automation devices utilizing ProConOS/ProConOS eCLR in their automation systems may check if their application requires additional security measures like an adequate defense-in-depth networking architecture, the use of virtual private networks (VPNs) for remote access, as well as the use of firewalls for network segmentation or controller isolation. Users should check their manufacturer's security advisories for more specific information on their particular device.</p>
<p>Generic information and recommendations for security measures to protect network-capable devices can be found in the <a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf" target="_blank">application note</a>.</p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2022-028/" target=_new>https://cert.vde.com/en/advisories/VDE-2022-028/</a>
PHOENIX CONTACT: Vulnerability in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool2022-06-21T05:16:21+00:002022-06-21T05:16:25+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2022-026/<h4>VDE-2022-026</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>MULTIPROG</td><td> all versions</td></tr><tr><td></td><td>ProConOS</td><td> all versions</td></tr><tr><td></td><td>ProConOS eCLR</td><td> all versions</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2022-31801: 9.8 (CVSS:3.1)<br><h4>Summary</h4><p>ProConOS/ProConOS eCLR insufficiently verifies uploaded data.</p><h4>Impact</h4><p>The identified vulnerability allows attackers to upload logic with arbitrary malicious code once they have access to the communication with products that are utilizing ProConOS/ProConOS eCLR. Attackers must have network or physical controller access to exploit this vulnerability. This vulnerability affects all versions of ProConOS/ProConOS eCLR and MULTIPROG from Phoenix Contact Software (formerly KW-Software).</p><h4>Solution</h4><p><b>Mitigation</b></p>
<p>Manufacturers using ProConOS/ProConOS eCLR in their automation devices are advised to check their implementation and may publish an advisory according to their product.</p>
<p>Users of automation devices utilizing ProConOS/ProConOS eCLR in their automation systems may check if their application requires additional security measures like an adequate defense-in-depth networking architecture, the use of virtual private networks (VPNs) for remote access, as well as the use of firewalls for network segmentation or controller isolation.</p>
<p>Users should check their manufacturer's security advisories for more specific information on their particular device.</p>
<p>Users should ensure that the logic is always transferred or stored in protected environments. This applies to data in transit as well as data at rest. Connections between the Engineering Tools and the controller must always be in a locally protected environment or protected by VPN for remote access. Project data should not be sent as a file via e-mail or other transfer mechanisms without additional integrity and authenticity checks.<br>Project data should be stored in protected environments only.</p>
<p>Generic information and recommendations for security measures to protect network-capable devices can be found in the <a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf" target="_blank">application note</a>.</p>
<p><b>Remediation</b></p>
<p></p><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2022-026/" target=_new>https://cert.vde.com/en/advisories/VDE-2022-026/</a>
PHOENIX CONTACT: Vulnerability in classic line industrial controllers2022-06-21T05:15:38+00:002022-06-21T05:15:40+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2022-025/<h4>VDE-2022-025</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>AXC 1050</td><td> all versions</td></tr><tr><td>2701295</td><td>AXC 1050 XC</td><td> all versions</td></tr><tr><td>2700989</td><td>AXC 3050</td><td> all versions</td></tr><tr><td>2730844</td><td>FC 350 PCI ETH</td><td> all versions</td></tr><tr><td></td><td>ILC1x0</td><td> all versions</td></tr><tr><td></td><td>ILC1x1</td><td> all versions</td></tr><tr><td>2700977</td><td>ILC 1x1 GSM/GPRS</td><td> all versions</td></tr><tr><td></td><td>ILC 3xx</td><td> all versions</td></tr><tr><td>2700291</td><td>PC WORX RT BASIC</td><td> all versions</td></tr><tr><td>2701680</td><td>PC WORX SRT</td><td> all versions</td></tr><tr><td>2730190</td><td>RFC 430 ETH-IB</td><td> all versions</td></tr><tr><td>2730200</td><td>RFC 450 ETH-IB</td><td> all versions</td></tr><tr><td>2700784</td><td>RFC 460R PN 3TX</td><td> all versions</td></tr><tr><td>1096407</td><td>RFC 460R PN 3TX-S</td><td> all versions</td></tr><tr><td>2916600</td><td>RFC 470 PN 3TX</td><td> all versions</td></tr><tr><td>2916794</td><td>RFC 470S PN 3TX</td><td> all versions</td></tr><tr><td>2404577</td><td>RFC 480S PN 4TX</td><td> all versions</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2022-31800: 9.8 (CVSS:3.1)<br><h4>Summary</h4><p>The affected devices <span>insufficiently verify uploaded data.</span></p><h4>Impact</h4><div class="page" title="Page 2">
<p>An attacker capable of either transmitting manipulated logic or manipulating legitimate logic can execute arbitrary malicious code on the device.</p>
</div><h4>Solution</h4><p><b>Mitigation</b></p>
<div class="page" title="Page 3">
<p>Phoenix Contact classic line controllers are designed and developed for use in closed industrial networks. The controller doesn’t feature logic integrity and authenticity checks by design. Phoenix Contact therefore strongly recommends using the devices exclusively in closed networks and protected by a suitable firewall.</p>
<p>Customers using Phoenix Contact classic line controllers are recommended to operate the devices in closed networks or protected with a suitable firewall as intended.</p>
<p>Generic information and recommendations for security measures to protect network-capable devices can be found in the <a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf" target="_blank">application note</a>.</p>
</div><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2022-025/" target=_new>https://cert.vde.com/en/advisories/VDE-2022-025/</a>
PHOENIX CONTACT: Security Advisory for multiple Industrial Controllers (Update A)2022-06-21T05:14:41+00:002022-06-21T05:14:43+00:00CERTVDEhttps://cert.vde.com/en/advisories/author/certuser/https://cert.vde.com/en/advisories/VDE-2019-015/<h4>VDE-2019-015</h4>
<h4>Vendor(s)</h4>PHOENIX CONTACT GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td>2700988</td><td>AXC 1050</td><td> all versions</td></tr><tr><td>2701295</td><td>AXC 1050 XC</td><td> all versions</td></tr><tr><td>2700989</td><td>AXC 3050</td><td> all versions</td></tr><tr><td>2730844</td><td>FC 350 PCI ETH</td><td> all versions</td></tr><tr><td></td><td>ILC1x0</td><td> all versions</td></tr><tr><td></td><td>ILC1x1</td><td> all versions</td></tr><tr><td>2700977</td><td>ILC 1x1 GSM/GPRS</td><td> all versions</td></tr><tr><td>2700291</td><td>PC WORX RT BASIC</td><td> all versions</td></tr><tr><td>2701680</td><td>PC WORX SRT</td><td> all versions</td></tr><tr><td>2730190</td><td>RFC 430 ETH-IB</td><td> all versions</td></tr><tr><td>2730200</td><td>RFC 450 ETH-IB</td><td> all versions</td></tr><tr><td>2700784</td><td>RFC 460R PN 3TX</td><td> all versions</td></tr><tr><td>1096407</td><td>RFC 460R PN 3TX-S</td><td> all versions</td></tr><tr><td>2916600</td><td>RFC 470 PN 3TX</td><td> all versions</td></tr><tr><td>2916794</td><td>RFC 470S PN 3TX</td><td> all versions</td></tr><tr><td>2404577</td><td>RFC 480S PN 4TX</td><td> all versions</td></tr></tbody></table><p><h4>Vulnerabilities:</h4>⠀CVE-2019-9201: 9.8 (CVSS:3.0)<br><h4>Summary</h4><p>Phoenix Contact Classic Line industrial controllers (ILC1x0 and ILC1x1 product families as well as the AXIOLINE controllers AXC1050 and AXC3050) are developed and designed for the use in closed industrial networks. The communication protocols used for device management and configuration do not feature authentication measures.</p>
<p><strong>Update A, 2022-06-21</strong></p>
<p>This updated version contains additional affected products.<br>In addition, a new application note for classic line controllers has been published so that customers can find out how to disable the unauthorized communication ports without having to check each controller’s manual.</p><h4>Impact</h4><p>If the above-mentioned controllers are used in an unprotected open network, an unauthorized attacker can change or download the device code/configuration, start or stop services, update or modify the firmware, or shut down the device.</p><h4>Solution</h4><p><b>Mitigation</b></p>
<div class="page" title="Page 3">
<div class="section">
<div class="layoutArea">
<div class="column">
<p><span>Customers using Phoenix Contact classic line controllers are advised to operate the devices, as intended, in closed networks or protected by a suitable firewall.</span></p>
</div>
</div>
</div>
<div class="layoutArea">
<div class="column">
<p><span>For detailed information on our recommendations for measures to protect network-capable devices, please refer to our <a href="https://dam-mdc.phoenixcontact.com/asset/156443151564/74777de2d270be4cb4828ee57173dbd0/Application-note_110637_en_00.pdf" target="_blank">application note</a> for classic line controllers.</span></p>
<p><span>If operating an affected controller in a protected zone is not suitable, the OT communication protocols should be disabled, either through the CPU services via the console or through Web-based Management (WBM), depending on the controller type.<br>The controllers and firmware versions for which communication protocols can be disabled are described in our application note for classic line controllers or in the manual for the respective controller, which is available for download from the Phoenix Contact website.</span></p>
<p><span>Controllers supporting CPU services or WBM for disabling communication protocols:</span></p>
<table height="221" width="581">
<tbody>
<tr>
<td>Article</td>
<td>Article Number</td>
<td>Minimum firmware version</td>
</tr>
<tr>
<td>ILC 1x0</td>
<td>All variants</td>
<td>not possible</td>
</tr>
<tr>
<td>ILC 1x1</td>
<td>All variants</td>
<td>>= FW 4.42</td>
</tr>
<tr>
<td>ILC 1x1 GSM/GPRS</td>
<td>2700977</td>
<td><span>>= FW 4.42</span></td>
</tr>
<tr>
<td>ILC 3xx</td>
<td>All variants</td>
<td>FW 3.98</td>
</tr>
<tr>
<td>AXC 1050</td>
<td>2700988</td>
<td>>= FW 3.01, FW 5.00 (WBM)</td>
</tr>
<tr>
<td>AXC 1050 XC</td>
<td>2701295</td>
<td><span>>= FW 3.01, FW 5.00 (WBM)</span></td>
</tr>
<tr>
<td>AXC 3050</td>
<td>2700989</td>
<td><span>>= FW 5.60, FW 6.30 (WBM)</span></td>
</tr>
<tr>
<td>RFC 480S PN 4TX</td>
<td>2404577</td>
<td>FW 6.10</td>
</tr>
<tr>
<td>RFC 470 PN 3TX</td>
<td>2916600</td>
<td>>= FW 4.20</td>
</tr>
<tr>
<td>RFC 470S PN 3TX</td>
<td>2916794</td>
<td><span>>= FW 4.20</span></td>
</tr>
<tr>
<td><span>RFC 460R PN 3TX</span></td>
<td>2700784</td>
<td>>= FW 5.00</td>
</tr>
<tr>
<td>RFC 460R PN 3TX-S</td>
<td>1096407</td>
<td>FW 5.30</td>
</tr>
<tr>
<td>RFC 430 ETH-IB</td>
<td>2730190</td>
<td>not possible</td>
</tr>
<tr>
<td>RFC 450 ETH-IB</td>
<td>2730200</td>
<td><span>not possible</span></td>
</tr>
<tr>
<td>PC WORX SRT</td>
<td>2701680</td>
<td><span>not possible</span></td>
</tr>
<tr>
<td>PC WORX RT BASIC</td>
<td>2700291</td>
<td><span>not possible</span></td>
</tr>
<tr>
<td>FC 350 PCI ETH</td>
<td>2730844</td>
<td><span>not possible</span></td>
</tr>
</tbody>
</table>
</div>
</div>
</div><p><h4>URL</h4><a href="https://cert.vde.com/en/advisories/VDE-2019-015/" target=_new>https://cert.vde.com/en/advisories/VDE-2019-015/</a>