Summary
The vulnerability is a Time-of-Check-Time-of-Use (CWE-367) issue which allows an attacker with access to the firmware update file to overwrite it after it has been verified (but before installation is completed), which consequently allows installing an arbitrary firmware update, bypassing the cryptographic signature check mechanism.
Impact
An attacker who can modify the update file just before it is reopened can install arbitrary code on the device.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| 1151412 | AXC F 1152 | Firmware <=2021.0 LTS |
| 2404267 | AXC F 2152 | Firmware <=2021.0 LTS |
| 1046568 | AXC F 2152 Starterkit | Firmware <=2021.0 LTS |
| 1069208 | AXC F 3152 | Firmware <=2021.0 LTS |
| 1139022 | CHARX control modular 3000 | Firmware <=V1.0.11 |
| 1139022 | CHARX control modular 3050 | Firmware <=V1.0.11 |
| 1139012 | CHARX control modular 3100 | Firmware <=V1.0.11 |
| 1138965 | CHARX control modular 3150 | Firmware <=V1.0.11 |
| 1158951 | EEM-SB370-C | Firmware <=2021.02.01 |
| 1158947 | EEM-SB371-C | Firmware <=2021.02.01 |
| 1264327 | ENERGY AXC PU | Firmware <=V4.10.0.0 |
| 1188165 | PLCnext Technology Starterkit | Firmware <=2021.0 LTS |
| 1051328 | RFC 4072S | Firmware <=2021.0 LTS |
| 1264328 | SMARTRTU AXC IG | Firmware <=V1.0.0.0 |
| 1110435 | SMARTRTU AXC SG | Firmware <=V1.6.0.1 |
Vulnerabilities
Expand / Collapse allThe install.c module in the Pengutronix RAUC update client prior to version 1.5 has a Time-of-Check Time-of-Use vulnerability, where signature verification on an update file takes place before the file is reopened for installation. An attacker who can modify the update file just before it is reopened can install arbitrary code on the device.
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Remediation
Phoenix Contact strongly recommends updating to the latest firmware mentioned in the list below, which fixes this vulnerability. For EEM-SB370, EEM-SB371 and CHARX control modular the fix will be available until end of Q3 2021. This advisory will be updated as soon the fix is available.
| Product Number | Product Name | Fixed Version |
|---|---|---|
| 1151412 | AXC F 1152 | 2021.0.5 LTS external link |
| 2404267 | AXC F 2152 | 2021.0.5 LTS external link |
| 1069208 | AXC F 3152 | 2021.0.5 LTS external link |
| 1051328 | RFC 4072S | 2021.0.5 LTS external link |
| 1046568 | AXC F 2152 Starterkit | 2021.0.5 LTS external link |
| 1188165 | PLCnext Technology Starterkit | 2021.0.5 LTS external link |
| 1110435 | SMARTRTU AXC SG | End of Q3 2021 |
| 1264328 | SMARTRTU AXC IG | End of Q3 2021 |
| 1264327 | ENERGY AXC PU | End of Q3 2021 |
| 1158951 | EEM-SB370-C | End of Q3 2021 |
| 1158947 | EEM-SB371-C | End of Q3 2021 |
| 1139022 | CHARX control modular 3000 | End of Q3 2021 |
| 1139022 | CHARX control modular 3050 | End of Q3 2021 |
| 1139012 | CHARX control modular 3100 | End of Q3 2021 |
| 1138965 | CHARX control modular 3150 | End of Q3 2021 |
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 05/04/2021 10:17 | Initial revision. |
| 2 | 03/10/2025 10:15 | Update: Provider data has been corrected |
| 3 | 05/14/2025 14:28 | Fix: version space, added distribution |