| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| 1151412 | AXC F 1152 | <= 2021.0 LTS |
| 2404267 | AXC F 2152 | <= 2021.0 LTS |
| 1046568 | AXC F 2152 Starterkit | <= 2021.0 LTS |
| 1069208 | AXC F 3152 | <= 2021.0 LTS |
| 1139022 | CHARX control modular 3000 | <= V1.0.11 |
| 1139022 | CHARX control modular 3050 | <= V1.0.11 |
| 1139012 | CHARX control modular 3100 | <= V1.0.11 |
| 1138965 | CHARX control modular 3150 | <= V1.0.11 |
| 1158951 | EEM-SB370-C | <= 2021.02.01 |
| 1158947 | EEM-SB371-C | <= 2021.02.01 |
| 1264327 | ENERGY AXC PU | <= V4.10.0.0 |
| 1188165 | PLCnext Technology Starterkit | <= 2021.0 LTS |
| 1051328 | RFC 4072S | <= 2021.0 LTS |
| 1264328 | SMARTRTU AXC IG | <= V1.0.0.0 |
| 1110435 | SMARTRTU AXC SG | <= V1.6.0.1 |
The vulnerability is a Time-of-Check-Time-of-Use (CWE-367) issue which allows an attacker with access to the firmware update file to overwrite it after it has been verified (but before installation is completed), which consequently allows installing an arbitrary firmware update, bypassing the cryptographic signature check mechanism.
The install.c module in the Pengutronix RAUC update client prior to version 1.5 has a Time-of-Check Time-of-Use vulnerability, where signature verification on an update file takes place before the file is reopened for installation. An attacker who can modify the update file just before it is reopened can install arbitrary code on the device.
An attacker who can modify the update file just before it is reopened can install arbitrary code on the device.
Temporary Fix / Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Remediation
Phoenix Contact strongly recommends updating to the latest firmware mentioned in the list below, which fixes this vulnerability.
For EEM-SB370, EEM-SB371 and CHARX control modular the fix will be available until end of Q3 2021. This advisory will be updated as soon the fix is available.
| Product number | Product name | Fixed Version |
| 1151412 | AXC F 1152 | 2021.0.5 LTS |
| 2404267 | AXC F 2152 | 2021.0.5 LTS |
| 1069208 | AXC F 3152 | 2021.0.5 LTS |
| 1051328 | RFC 4072S | 2021.0.5 LTS |
| 1046568 | AXC F 2152 Starterkit | 2021.0.5 LTS |
| 1188165 | PLCnext Technology Starterkit | 2021.0.5 LTS |
| 1110435 | SMARTRTU AXC SG | End of Q3 2021 |
| 1264328 | SMARTRTU AXC IG | |
| 1264327 | ENERGY AXC PU | |
| 1158951 | EEM-SB370-C | |
| 1158947 | EEM-SB371-C | |
| 1139022 | CHARX control modular 3000 | |
| 1139022 | CHARX control modular 3050 | |
| 1139012 | CHARX control modular 3100 | |
| 1138965 | CHARX control modular 3150 |
This vulnerability was discovered and reported to Pengutronix by Vdoo.
We kindly appreciate the coordinated disclosure of this vulnerability by the finder.
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.