11 June 2019
Dangerous vulnerabilities identified in Phoenix Contact industrial switches and controllers
Dangerous vulnerabilities have been identified in Phoenix Contact FL NAT SMx industrial swithches and Phoenix Contact PLCNext AXC F 2152 controllers.
Phoenix Contact PLCNext AXC F 2152 is affected by three vulnerabilities:
- CVE-2018-7559 – a key management error vulnerability. It could allow an attacker to decrypt passwords set on the server. The CVSS v.3 base score calculated for this vulnerability is 7.6.
- CVE-2019-10998 – an improper access control vulnerability. It could allow an attacker with physical access to the device to manipulate SD card data and bypass the authentication of the device. This flaw has been assigned a CVSS v.3 base score of 6.8.
- CVE-2019-10997 – a vulnerability that can be used to implement a man-in-the-middle attack and crash the PLC service. Restoring the device to normal operation requires rebooting it or manually restarting the PLC service via Linux shell. A CVSS v.3 base score of 7.5 has been calculated for this vulnerability.
The above vulnerabilities affect firmware versions 1.x for the following products:
- AXC F 2152: article number 2404267
- AXC F 2152: article number 1046568 (Starterkit)
In addition, the above products use older versions of several open-source software components with multiple vulnerabilities, which can affect the availability, integrity or confidentiality of these devices.
To address the above issues, Phoenix Contact recommends updating device firmware to version 2019.0 LTS or later, as well as updating PLCNext Engineer to version 2019.0 LTS or later. The following additional measures should also be taken:
- disable Basic128Rsa15 Security Policy in OPC Server configuration. Use only Basic256 or higher;
- follow recommendations on using the SD card securely, which are provided in the AXC F 2152 controller manual
- use the notification manager to monitor SD card exchanges by the application program.
Phoenix Contact FL NAT SMx is affected by the CVE-2019-9744 vulnerability, which allows an unauthorized user to gain access to the device configuration via the web interface. This attack is only possible if an authorized session is still active on the system. A CVSS v.3 base score of 8.8 has been calculated for this vulnerability.
The issue affects the following models:
- FL NAT SMN 8TX-M (2702443)
- FL NAT SMN 8TX-M-DMG (2989352)
- FL NAT SMN 8TX (2989365)
- FL NAT SMCS 8TX (2989378).
To reduce the security risks associated with the vulnerabilities identified, the vendor recommends protecting devices with firewalls and taking other measures to protect devices from unauthorized access.