PHOENIX CONTACT: Two Vulnerabilities in Automation Worx Suite

Manipulated PC Worx projects could lead to a remote code execution due to insufficient input
data validation.

The attacker needs to get access to an original PC Worx project to be able to manipulate data
inside the project folder. After manipulation the attacker needs to exchange the original files by
the manipulated ones on the application programming workstation.

Availability, integrity, or confidentiality of an application programming workstation might be compromised by attacks using these vulnerabilities.
Automated systems in operation which were programmed with one of the above-mentioned products are not affected.

We strongly recommend customers to exchange project files only using secure file exchange services. Project files should not be exchanged via unencrypted email.
In addition, we recommend exchanging or storing project files together with a checksum to ensure their integrity.

With the next version of Automation Worx Software Suite a sharpened input data validation with respect to buffer size and description of size and number of objects referenced in a file will be implemented.