24 June 2019

Vulnerabilities in Phoenix Contact’s Automation Worx Software Suite

Multiple vulnerabilities have been identified in Phoenix Contact’s Automation Worx Software Suite (version 1.86 and earlier). If successfully exploited, these vulnerabilities could lead to remote execution of arbitrary code.

The following software components are affected:

  • PC Worx and PC Worx Express – automation task programming applications;
  • Config+ – a diagnostics and configuration application.

The most dangerous vulnerabilities, for which a CVSS v.3 base score of 7.8 has been calculated, are due to memory access issues: access of uninitialized pointer (CVE-2019-12870) and use after free (CVE-2019-12871). These vulnerabilities can be exploited if the attacker has access to the original PC Worx or Config + project file.

The vendor is currently working on the next version of the software package, in which the newly identified vulnerabilities will be fixed. Until the relevant update is released, Phoenix Contact recommends users exchange project files using only secure file exchange services and avoid exchanging project files via unencrypted email.

Source: ICS-CERT