Share: Email | Twitter

ID

VDE-2023-057

Published

2023-12-12 08:00 (CET)

Last update

2023-12-11 15:39 (CET)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
Automation Worx Software Suite all versions
2700988 AXC 1050 all versions
2701295 AXC 1050 XC all versions
2700989 AXC 3050 all versions
Config+ all versions
2730844 FC 350 PCI ETH all versions
ILC1x0 all versions
ILC1x1 all versions
ILC 3xx all versions
PC Worx all versions
PC Worx Express all versions
2700291 PC WORX RT BASIC all versions
2701680 PC WORX SRT all versions
2730190 RFC 430 ETH-IB all versions
2730200 RFC 450 ETH-IB all versions
2700784 RFC 460R PN 3TX all versions
2916794 RFC 470S PN 3TX all versions
2404577 RFC 480S PN 4TX all versions

Summary

Phoenix Contact classic line industrial controllers are developed and designed for the use in closed industrial networks. The controllers don’t feature a function to check integrity and authenticity of the application (e.g.: logic files, executable logic, configurations).

A CRC Check warning the user if the application of the Engineering tool and the PLC differs can be manipulated.


Last Update:

Aug. 30, 2024, 9:27 a.m.

Weakness

Download of Code Without Integrity Check  (CWE-494) 

Summary

Download of Code Without Integrity Check vulnerability in PHOENIX CONTACT classic line PLCs allows an unauthenticated remote attacker to modify some or all applications on a PLC.


Impact

The identified vulnerabilities allow to download and execute applications to the classic line industrial controllers without integrity checks.

Potential tampered application might not be discovered.

Solution

Temporary Fix / Mitigation

Phoenix Contact classic line controllers are developed and designed for use in closed industrial networks. In this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls, and by dividing the plant into OT zones using firewalls.

This concept is supported by organizational measures in the production facility as part of a security management system. To achieve security here, measures are required at all levels. It must be ensured that logic is always transferred or stored in protected environments.

It applies to both data in transmission and data at rest. Connections between the engineering tools (Automation Worx Software Suite) and the controller must always be in a locally protected environment or, in the case of remote access, protected by VPN.

Project data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks. Project data should only be stored in protected environments. Customers using Phoenix Contact classic line controllers are recommended to operate the devices as intended in closed networks or protected with a suitable firewall.

For general information and recommendations on security measures to protect network-enabled devices, refer to the application note: Application note Security

If a classic line controller can’t be used in protected zones, the OT communication protocols should be disabled. Depending on the controller type, this can be done either via CPU services via console or web-based management. Information on which controllers and from which firmware version onwards communication protocols can be deactivated is described in the application note for classic line controllers or in the manual for the respective controller, which is available for download on the Phoenix Contact website.
A summary of measures to protect devices based on classic control technology is provided here: Measures to protect devices based on classic control technology

Reported by

This vulnerability was reported by Reid Wightman at Dragos, Inc.

PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.