
PHOENIX CONTACT: TC Router and TC Cloud Client multiple vulnerabilities

VDE-2020-003
Last update: 14.05.2025 14:28
Published at: 05.03.2020 16:58
Vendor(s): Phoenix Contact GmbH & Co. KG
External ID: VDE-2020-003

Summary

Multiple vulnerabilities exist in components used by the aforementioned products. See the CVE details for more information.

Impact

CVE-2017-16544
This vulnerability could potentially result in code execution, arbitrary file writes, or other attacks.
The impact of this vulnerability on the device is limited because shell access is only possible with administrator privileges.

CVE-2020-9436
An attacker can abuse this vulnerability to compromise the operating system of the device by injecting system commands.

CVE-2020-9435
These attacks could allow an attacker to gain access to sensitive information like admin credentials, configuration parameters or status information and use them in further attacks.

Affected Product(s)

Model no. | Product name | Affected versions
2702886 | TC CLOUD CLIENT 1002-4G | Firmware <=2.03.17
2702888 | TC CLOUD CLIENT 1002-4G ATT | Firmware <=2.03.17
2702887 | TC CLOUD CLIENT 1002-4G VZW | Firmware <=2.03.17
2702885 | TC CLOUD CLIENT 1002-TXTX | Firmware <=1.03.17
2702531, 2702529 | TC ROUTER 2002T-3G | Firmware <=2.05.3
2702528, 2702530 | TC ROUTER 3002T-4G | Firmware <=2.05.3
2702533 | TC ROUTER 3002T-4G ATT | Firmware <=2.05.3
2702532 | TC ROUTER 3002T-4G VZW | Firmware <=2.05.3

Vulnerabilities


CVE-2017-16544
Published: 22.09.2025 14:58
Weakness: Improper Control of Generation of Code ('Code Injection') (CWE-94)
Summary

In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.


CVE-2020-9436
Published: 22.09.2025 14:57
Weakness: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Summary

PHOENIX CONTACT TC ROUTER 3002T-4G through 2.05.3, TC ROUTER 2002T-3G through 2.05.3, TC ROUTER 3002T-4G VZW through 2.05.3, TC ROUTER 3002T-4G ATT through 2.05.3, TC CLOUD CLIENT 1002-4G through 2.03.17, and TC CLOUD CLIENT 1002-TXTX through 1.03.17 devices allow authenticated users to inject system commands through a modified POST request to a specific URL.


CVE-2020-9435
Published: 22.09.2025 14:57
Weakness: Use of Hard-coded Credentials (CWE-798)
Summary

PHOENIX CONTACT TC ROUTER 3002T-4G through 2.05.3, TC ROUTER 2002T-3G through 2.05.3, TC ROUTER 3002T-4G VZW through 2.05.3, TC ROUTER 3002T-4G ATT through 2.05.3, TC CLOUD CLIENT 1002-4G through 2.03.17, and TC CLOUD CLIENT 1002-TXTX through 1.03.17 devices contain a hardcoded certificate (and key) that is used by default for web-based services on the device. Impersonation, man-in-the-middle, or passive decryption attacks are possible if the generic certificate is not replaced by a device-specific certificate during installation.


Mitigation

The pre-installed generic X.509 certificate should be renewed or replaced by an individual certificate during initial configuration. For details on replacing this certificate, please refer to the user manual, page 51 et seq. Press 'renew' to create a new self-signed device certificate, or upload a user-specific certificate with the upload dialog.

To avoid the manual generation of an individual certificate, the devices will be shipped with individual certificates starting with a future release.
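
One way to check an installed base for devices still using the generic certificate (an added example, not part of the advisory or Phoenix Contact's tooling): devices that present the same certificate on their web service have not had it renewed or replaced. The function names, the `known_generic` parameter and the sample addresses are assumptions of this example; the advisory does not publish the generic certificate's fingerprint, so none is filled in.

```python
import hashlib
import socket
import ssl
from collections import defaultdict


def fetch_cert_der(host, port=443, timeout=5.0):
    """Return the DER-encoded certificate a device's web service presents."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # audit only: read the certificate even
    ctx.verify_mode = ssl.CERT_NONE  # though it is self-signed or untrusted
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def find_shared_certs(certs_by_host, known_generic=frozenset()):
    """Return {fingerprint: [hosts]} for certificates presented by more than
    one device, or matching a fingerprint already known to be the generic one."""
    groups = defaultdict(list)
    for host, der in certs_by_host.items():
        groups[fingerprint(der)].append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items()
            if len(hosts) > 1 or fp in known_generic}


def audit(hosts, port=443):
    """Fetch each device's certificate; return (shared, unreachable)."""
    certs, unreachable = {}, {}
    for host in hosts:
        try:
            certs[host] = fetch_cert_der(host, port)
        except OSError as exc:       # includes ssl.SSLError and timeouts
            unreachable[host] = str(exc)
    return find_shared_certs(certs), unreachable


if __name__ == "__main__":
    # Constructed sample: placeholder bytes stand in for DER certificates.
    sample = {"192.0.2.10": b"generic-cert", "192.0.2.11": b"generic-cert",
              "192.0.2.12": b"renewed-cert"}
    for fp, hosts in find_shared_certs(sample).items():
        print(fp[:16], hosts)
```

Devices listed as unreachable by `audit` still need a manual check, since a failed TLS handshake says nothing about which certificate is installed.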

Remediation

Phoenix Contact strongly recommends updating affected devices to the newest firmware version.

Revision History

Version | Date | Summary
1 | 05.03.2020 16:58 | initial revision
2 | 14.05.2025 14:28 | Fix: removed ia, added distribution, fixed version