VDE-2024-067 | CERT@VDE

2024-10-08 14:00 (CEST) VDE-2024-067

Phoenix Contact: Multiple Vulnerabilities in PLCnext Engineer

Share: Email | Twitter

ID

VDE-2024-067

Published

2024-10-08 14:00 (CEST)

Last update

2024-10-08 14:00 (CEST)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No°	Product Name	Affected Version(s)
	PLCnext Engineer	< 2024.0.4 LTS
	PLCnext Engineer	< 2024.06

Summary

Vulnerabilities in .NET and Visual Studio functions System.Text.Json, System.Formats.Asn1, OPCFoundation.NetStandard.Opc.Ua.Core allow an remote attacker to execute a Denial-of-Servce attack.

CVE ID

CVE-2024-30105

Last Update:

Oct. 7, 2024, 11:10 a.m.

Severity

7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Weakness

Uncontrolled Resource Consumption (CWE 400)

Summary

.NET Core and Visual Studio Denial of Service Vulnerability.
Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30105

Details

nvd.nist.gov

Impact

Availability of an application programming workstation might be compromised by attacks using these vulnerabilities.

Solution

Mitigation

To mitigate the vulnerabilities and to ensure the availability of the PLCnext Engineer please ensure that only data from trusted sources are used.

Remediation

Phoenix Contact recommends affected users to update to the current PLCnext Engineer 2024.0.4 LTS or 2024.6 which fixes the vulnerabilities.

Reported by

CERT@VDE coordinated with Phoenix Contact