Share: Email | Twitter

ID

VDE-2020-023

Published

2020-07-01 10:25 (CEST)

Last update

2020-07-01 10:25 (CEST)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
PC Worx <= 1.87
PC Worx Express <= 1.87

Summary

Manipulated PC Worx projects could lead to a remote code execution due to insufficient input
data validation.

The attacker needs to get access to an original PC Worx project to be able to manipulate data
inside the project folder. After manipulation the attacker needs to exchange the original files by
the manipulated ones on the application programming workstation.

Vulnerabilities



Last Update
July 3, 2020, 3:34 p.m.
Weakness
Stack-based Buffer Overflow (CWE-121)
Summary

PLCopen XML file parsing in Phoenix Contact PC Worx and PC Worx Express version 1.87 and earlier can lead to a stack-based overflow. Manipulated PC Worx projects could lead to a remote code execution due to insufficient input data validation.

Last Update
July 3, 2020, 3:34 p.m.
Weakness
Stack-based Buffer Overflow (CWE-121)
Summary

mwe file parsing in Phoenix Contact PC Worx and PC Worx Express version 1.87 and earlier is vulnerable to out-of-bounds read remote code execution. Manipulated PC Worx projects could lead to a remote code execution due to insufficient input data validation.

Impact

Availability, integrity, or confidentiality of an application programming workstation might be compromised by attacks using these vulnerabilities.
Automated systems in operation which were programmed with one of the above-mentioned products are not affected.

Solution

Temporary Fix / Mitigation

We strongly recommend customers to exchange project files only using secure file exchange services. Project files should not be exchanged via unencrypted email.
In addition, we recommend exchanging or storing project files together with a checksum to ensure their integrity.

Remediation

With the next version of Automation Worx Software Suite a sharpened input data validation with respect to buffer size and description of size and number of objects referenced in a file will be implemented.

Reported by

ZDI-CAN-10147 was discovered by Natnael Samson working with Trend Micro Zero Day Initiative
ZDI-CAN-10586 was discovered by mdm working with Trend Micro Zero Day Initiative

Phoenix Contact reported the vulnerabilities to CERT@VDE.