| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| | CHARX SEC-3000 | < 1.6.3 |
| | CHARX SEC-3050 | < 1.6.3 |
| | CHARX SEC-3100 | < 1.6.3 |
| | CHARX SEC-3150 | < 1.6.3 |

The start sequence for the firewall service allows an attack during the boot process. The password is reset to default when the device undergoes a firmware upgrade.
A remote unauthenticated attacker can use the firmware update feature on the LAN interface of the device to reset the password for the predefined, low-privileged user “user-app” to the default password.
An unauthenticated remote attacker can use this vulnerability to change the device configuration because a file is writable for a short time after system startup.
These vulnerabilities may allow an attacker within the network to change the device configuration through an unauthenticated internal service before the firewall is started during the boot process. The second vulnerability may allow a local attacker to use the firmware update feature to reset the user-app account's password to the default value that is documented in the product documentation. The user "user-app" has limited access rights.
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to General Recommendation.
Remediation
Phoenix Contact strongly recommends upgrading affected charge controllers to firmware version 1.6.3 or higher, which fixes these vulnerabilities.
Phoenix Contact GmbH & Co. KG thanks the following parties for their efforts:
CERT@VDE coordinated with Phoenix Contact