Phoenix Contact has new firmware available to mitigate multiple vulnerabilities in its PLCNext AXC F 2152, according to a report with NCCIC.
The remotely exploitable vulnerabilities are key management errors, improper access control, man-in-the-middle, and using component with known vulnerabilities.
Successful exploitation of these vulnerabilities could allow an attacker to decrypt passwords, bypass authentication, and deny service to the device. In addition, these vulnerabilities could interact with third-party vulnerabilities to cause other impacts to integrity, confidentiality, and availability.
The vulnerabilities were discovered by Zahra Khani of Firmalyzer who reported some of these vulnerabilities to NCCIC and the OPC Foundation who reported some of these vulnerabilities to Phoenix Contact.
Phoenix Contact reports these vulnerabilities affect firmware Version 1.x for the following PLCNext AXC F 2152 products:
• AXC F 2152: article number 2404267
• AXC F 2152: article number 1046568 (Starterkit)
In one vulnerability, a remote attacker can exploit a server’s private key by sending carefully constructed UserIdentityTokens encrypted with the Basic128Rsa15 security policy. This could allow an attacker to decrypt passwords even if encrypted with another security policy such as Basic256Sha256.
CVE-2018-7559 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.6.
In addition, an attacker with physical access to the device can manipulate SD card data, which could allow an attacker to bypass the authentication of the device. This device is designed for use in a protected industrial environment with restricted physical access.
CVE-2019-10998 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.8.
Also, an attacker trying to connect to the device using a man-in-the-middle setup may crash the PLC service, resulting in a denial of service condition. The device must then be rebooted, or the PLC service must be restarted manually via Linux shell.
CVE-2019-10997 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
In addition, this product uses older versions of several open-source software components containing vulnerabilities that may affect availability, integrity, or confidentiality of the AXC F 2152. See the full list of CVE identifiers in CERT VDE advisory number VDE-2019-009. See link in the Mitigations section for additional details.
The product sees use mainly in the commercial facilities sector. It also sees action on a global basis.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.
Phoenix Contact recommends affected users update to firmware release 2019.0 LTS or later, update to PLCNext Engineer release 2019.0 LTS or later, and apply the following specific mitigations below:
• Disable Basic128Rsa15 security policy in OPC Servers configuration. Use only Basic256 or higher.
• Follow the advice concerning SD card usage in the manual “Art.-Nr. 107708: UM EN AXC F 2152 Installing, starting up, and operating the AXC F 2152 controller um_en_axc_f_2152_107708_en_02.pdf.”
• Use the notification manager to monitor SD card exchanges by the application program.
• Subscribe to PSIRT news as updates on the SD card vulnerability will be provided in the future.
Phoenix Contact also recommends users operate the devices in closed networks or environments protected with a suitable firewall. For detailed information on recommendations for measures to protect network-capable devices, please refer to the Phoenix Contact application note “Art.-Nr. 107913: AH EN INDUSTRIAL SECURITY – Measures to protect network-capable devices with Ethernet connection against unauthorized access.”
For more information, CERT@VDE released a security advisory.