Share: Email | Twitter

ID

VDE-2023-017

Published

2023-08-08 06:00 (CEST)

Last update

2024-08-12 12:38 (CEST)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
1221706 CLOUD CLIENT 1101T-TX/TX < 2.06.10
2702886 TC CLOUD CLIENT 1002-4G < 2.07.2
2702888 TC CLOUD CLIENT 1002-4G ATT < 2.07.2
2702887 TC CLOUD CLIENT 1002-4G VZW < 2.07.2
2702528 TC ROUTER 3002T-4G < 2.07.2
2702533 TC ROUTER 3002T-4G ATT < 2.07.2
2702532 TC ROUTER 3002T-4G VZW < 2.07.2

Summary

Two vulnerabilities have been discovered in the firmware of TC ROUTER and TC CLOUD CLIENT devices.

Update A, 2024-08-12

  • Added a summary text
  • Added details to impact

Vulnerabilities



Last Update
Aug. 8, 2023, 8:43 a.m.
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

In PHOENIX CONTACTs TC ROUTER and TC CLOUD CLIENT in versions prior to 2.07.2 as well as CLOUD CLIENT 1101T-TX/TX prior to 2.06.10 an unauthenticated remote attacker could use a reflective XSS within the license viewer page of the devices in order to execute code in the context of the user's browser.

Last Update
Aug. 8, 2023, 8:43 a.m.
Weakness
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') (CWE-776)
Summary

In PHOENIX CONTACTs TC ROUTER and TC CLOUD CLIENT in versions prior to 2.07.2 as well as CLOUD CLIENT 1101T-TX/TX prior to 2.06.10 an authenticated remote attacker with admin privileges could upload a crafted XML file which causes a denial-of-service.

Impact

CVE-2023-3526
An attacker could embed a link on a page controlled by him that includes malicious scripts and points to the license viewer page. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field.

CVE-2023-3569
An authenticated attacker could use the file upload function to upload a crafted XML to cause a denial of service.

Solution

Mitigation

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note.

Measures to protect network-capable devices with Ethernet connection

Remediation

Phoenix Contact strongly recommends updating to the latest available firmware version, which fixes these vulnerabilities.

Reported by

These vulnerabilities were discovered by A. Resanovic and S. Stockinger at St. Pölten UAS and coordinated by T. Weber of CyberDanube Security Research.

CERT@VDE coordinated with PHOENIX CONTACT.