| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| 2700988 | AXC 1050 | all versions |
| 2701295 | AXC 1050 XC | all versions |
| 2700989 | AXC 3050 | all versions |
| 2730844 | FC 350 PCI ETH | all versions |
| ILC1x0 | all versions | |
| ILC1x1 | all versions | |
| 2700977 | ILC 1x1 GSM/GPRS | all versions |
| 2700291 | PC WORX RT BASIC | all versions |
| 2701680 | PC WORX SRT | all versions |
| 2730190 | RFC 430 ETH-IB | all versions |
| 2730200 | RFC 450 ETH-IB | all versions |
| 2700784 | RFC 460R PN 3TX | all versions |
| 1096407 | RFC 460R PN 3TX-S | all versions |
| 2916600 | RFC 470 PN 3TX | all versions |
| 2916794 | RFC 470S PN 3TX | all versions |
| 2404577 | RFC 480S PN 4TX | all versions |
Phoenix Contact Classic Line industrial controllers (ILC1x0 and ILC1x1 product families as well as the AXIOLINE controllers AXC1050 and AXC3050) are developed and designed for the use in closed industrial networks. The communication protocols used for device management and configuration do not feature authentication measures.
Update A, 2022-06-21
This updated version contains additional affected products.
In addition, a new application note for classic line controllers had been published to make it easier for our customers to find out the actions how to disable the unauthorized communication ports instead of checking out each controller’s manual.
If the above-mentioned controllers are used in an unprotected open network, an unauthorized attacker can change or download the device code/configuration, start or stop services, update or modify the firmware or shutdown the device.
Mitigation
Customers using Phoenix Contact classic line controllers are recommended to operate the devices in closed networks or protected with a suitable firewall as intended.
For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note for classic line controllers.
If the use of an affected controller in protected zones is not suitable OT communication protocols should be disabled. Either by using the CPU services via console or Web-based Management according to the controller type.
Information’s for which controllers and from which firmware version communication protocols can be disabled are described in our application note for classic line controllers or the manual to the respective controller which is available for download at the Phoenix Contact website.
Controller supporting CPU services or WBM for disabling communication protocols:
| Article | Article Number | Minimum firmware version |
| ILC 1x0 | All variants | not possible |
| ILC 1x1 | All variants | >= FW 4.42 |
| ILC 1x1 GSM/GPRS | 2700977 | >= FW 4.42 |
| ILC 3xx | All variants | FW 3.98 |
| AXC 1050 | 2700988 | >= FW 3.01, FW 5.00 (WBM) |
| AXC 1050 XC | 2701295 | >= FW 3.01, FW 5.00 (WBM) |
| AXC 3050 | 2700989 | >= FW 5.60, FW 6.30 (WBM) |
| RFC 480S PN 4TX | 2404577 | FW 6.10 |
| RFC 470 PN 3TX | 2916600 | >= FW 4.20 |
| RFC 470S PN 3TX | 2916794 | >= FW 4.20 |
| RFC 460R PN 3TX | 2700784 | >= FW 5.00 |
| RFC 460R PN 3TX-S | 1096407 | FW 5.30 |
| RFC 430 ETH-IB | 2730190 | not possible |
| RFC 450 ETH-IB | 2730200 | not possible |
| PC WORX SRT | 2701680 | not possible |
| PC WORX RT BASIC | 2700291 | not possible |
| FC 350 PCI ETH | 2730844 | not possible |
This vulnerability was reported by Sergiu Sechel and re-discovered by Forescout.
We kindly appreciate the coordinated disclosure of this vulnerability by the finder.
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.