Share: Email | Twitter

ID

VDE-2024-022

Published

2024-08-13 14:00 (CEST)

Last update

2024-08-13 14:30 (CEST)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
CHARX SEC-3000 < 1.6.3
CHARX SEC-3050 < 1.6.3
CHARX SEC-3100 < 1.6.3
CHARX SEC-3150 < 1.6.3

Summary

Start sequence for firewall service allows attack during the boot process. Password is reset to default when the device undergoes a firmware upgrade.

Vulnerabilities



Last Update
30. August 2024 09:21
Weakness
Initialization of a Resource with an Insecure Default (CWE-1188)
Summary

A remote unauthenticated attacker can use the firmware update feature on the LAN interface of the device to reset the password for the predefined, low-privileged user “user-app” to the default password.

Last Update
30. August 2024 09:21
Weakness
Files or Directories Accessible to External Parties (CWE-552)
Summary

An unauthenticated remote attacker can use this vulnerability to change the device configuration due to a file writeable for short time after system startup.

Impact

These vulnerabilities may allow an attacker within the network to change the device configuration through an unauthenticated internal service before the firewall is started during boot process. The second vulnerability may allow an local attacker to use the firmware update feature to reset the user-app accounts password to the dafault value that is documented in the product documentation. The user "user-app" has limited access rights.

Solution

Mitigation

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to General Recommendation.

Remediation

Phoenix Contact strongly recommends upgrading affected charge controllers to firmware version 1.6.3 or higher which fixes these vulnerabilities.

Reported by

Phoenix Contact GmbH & Co. KG thanks the following parties for their efforts:

  • Alex Olson, "gadha" from Trend Micro's Zero Day Initiative for reporting.
  • McCaulay Hudson, Alexander Plaskett from NCC Group for reporting.

CERT@VDE coordinated with Phoenix Contact