VDE-2021-025 | CERT@VDE

2021-06-23 14:19 (CEST) VDE-2021-025

PHOENIX CONTACT: Security Advisory for PLCNext, ILC 2050 BI, FL MGUARD DM UNLIMITED, TC ROUTER und CLOUD CLIENT products

Share: Email | Twitter

ID

VDE-2021-025

Published

2021-06-23 14:19 (CEST)

Last update

2021-06-23 14:19 (CEST)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No°	Product Name	Affected Version(s)
1221706	CLOUD CLIENT 1101T-TX/TX	< 2.06.5
1234355	CLOUD CLIENT 2002T-4G EU	<= 4.5.72.100
1234360	CLOUD CLIENT 2002T-WLAN	<= 4.5.72.100
1234357	CLOUD CLIENT 2102T-4G EU WLAN	<= 4.5.72.100
1264327	ENERGY AXC PU	<= V4.10.0.0
2403160	ILC 2050 BI	<= 1.5.1
2404671	ILC 2050 BI-L	<= 1.5.1
1264328	SMARTRTU AXC IG	<= V1.0.0.0
1110435	SMARTRTU AXC SG	<= V1.6.0.1
2702529	TC ROUTER 2002T-3G	< 2.06.5
2702531	TC ROUTER 2002T-3G	< 2.06.5
2702528	TC ROUTER 3002T-4G	< 2.06.5
2702530	TC ROUTER 3002T-4G	< 2.06.5
2702533	TC ROUTER 3002T-4G ATT	< 2.06.5
2702532	TC ROUTER 3002T-4G VZW	< 2.06.5
1234352	TC ROUTER 4002T-4G EU	<= 4.5.72.100
1234353	TC ROUTER 4102T-4G EU WLAN	<= 4.5.72.100
1234354	TC ROUTER 4202T-4G EU WLAN	<= 4.5.72.100

Summary

A Denial of Service and a CA Check Problem have been identified in multiple openSSL 1.1.1 versions, which are utilized in the Phoenix Contact products listed above.

Vulnerabilities

CVE-2021-3450

7.4

Last Update

July 7, 2021, 1:22 p.m.

Severity

7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Weakness

Improper Certificate Validation (CWE-295)

Summary

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).

Details

nvd.nist.gov

CVE-2021-3449

5.9

Last Update

July 7, 2021, 1:22 p.m.

Severity

5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Weakness

NULL Pointer Dereference (CWE-476)

Summary

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).

Details

nvd.nist.gov

Impact

Note: ILC 20250 is only affected by CVE-2021-3449

Solution

Temporary Fix / Mitigation

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection

Remediation

Phoenix Contact strongly recommends updating to the latest firmware mentioned in the list of affected products, which fixes this vulnerability.
A fix for ILC 2050, and some TC ROUTER and CLOUD CLIENT devices will be available end of Q2 2021. This advisory will be updated as soon as the fixes are available for download.

Product number	Product name	Fixed Version
1151412	AXC F 1152	2021.0.5 LTS
2404267	AXC F 2152	2021.0.5 LTS
1069208	AXC F 3152	2021.0.5 LTS
1051328	RFC 4072S	2021.0.5 LTS
1046568	AXC F 2152 Starterkit	2021.0.5 LTS
1188165	PLCnext Technology Starterkit	2021.0.5 LTS
2981974	FL MGUARD DM UNLIMITED	1.13
2702528	TC ROUTER 3002T-4G	2.06.5
2702529	TC ROUTER 2002T-3G	2.06.5
2702530	TC ROUTER 3002T-4G	2.06.5
2702531	TC ROUTER 2002T-3G	2.06.5
2702532	TC ROUTER 3002T-4G VZW	2.06.5
2702533	TC ROUTER 3002T-4G ATT	2.06.5
1221706	CLOUD CLIENT 1101T-TX/TX	2.06.5
1234352	TC ROUTER 4002T-4G EU	End of Q2 2021
1234353	TC ROUTER 4102T-4G EU WLAN
1234354	TC ROUTER 4202T-4G EU WLAN
1234355	CLOUD CLIENT 2002T-4G EU
1234360	CLOUD CLIENT 2002T-WLAN
1234357	CLOUD CLIENT 2102T-4G EU WLAN
2403160	ILC 2050 BI
2404671	ILC 2050 BI-L
1110435	SMARTRTU AXC SG
1264328	SMARTRTU AXC IG
1264327	ENERGY AXC PU

Reported by

We kindly appreciate the coordinated disclosure of this vulnerability by the finder.
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.