Share: Email | Twitter

ID

VDE-2024-071

Published

2024-12-09 12:00 (CET)

Last update

2024-12-09 09:26 (CET)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
AXC F 1152 < 2024.0.6 LTS
AXC F 2152 < 2024.0.6 LTS
AXC F 3152 < 2024.0.6 LTS
BPC 9102S < 2024.0.6 LTS
EPC 1502 < 2024.0.6 LTS
EPC 1522 < 2024.0.6 LTS
RFC 4072R < 2024.0.6 LTS
RFC 4072S < 2024.0.6 LTS

Summary

Multiple Linux component vulnerabilities fixed in latest PLCnext Firmware release 2024.0.6 LTS

Vulnerabilities



Last Update
Dec. 2, 2024, 11:18 a.m.
Weakness
Improper Link Resolution Before File Access ('Link Following') (CWE-59)
Summary

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.

Last Update
Aug. 30, 2024, 9:21 a.m.
Weakness
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362)
Summary

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead to sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

Last Update
Dec. 2, 2024, 9:55 a.m.
Weakness
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
Summary

OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur.

Last Update
Dec. 2, 2024, 5:21 p.m.
Weakness
Improperly Controlled Sequential Memory Allocation (CWE-1325)
Summary

Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation. This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue.

Last Update
Dec. 2, 2024, 10:23 a.m.
Weakness
Use After Free (CWE-416)
Summary

A use-after-free vulnerability was found in OpenSSL. Calling the OpenSSL API SSL_free_buffers function may cause memory to be accessed that was previously freed in some situations.

Last Update
Dec. 2, 2024, 9:56 a.m.
Weakness
Unchecked Input for Loop Condition (CWE-606)
Summary

Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform various checks on DSA parameters. Some of those computations take a long time if the modulus (`p` parameter) is too large. Trying to use a very large modulus is slow and OpenSSL will not allow using public keys with a modulus which is over 10,000 bits in length for signature verification. However the key and parameter check functions do not limit the modulus size when performing the checks. An application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. These functions are not called by OpenSSL itself on untrusted DSA keys so only applications that directly call these functions may be vulnerable. Also vulnerable are the OpenSSL pkey and pkeyparam command line applications when using the `-check` option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.

Impact

Availability, integrity, or confidentiality of the PLCnext Control might be compromised by attacks using these vulnerabilities.

Solution

General Recommendation

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note.

Remediation

Update to the latest 2024.0.6 LTS Firmware Release. PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer. Check download area for latest Firmware update to be installed on EPC 1502 or EPC 1522.

Reported by

CERT@VDE coordinated with Phoenix Contact GmbH & Co. KG