Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.2014
Phoenix Contact vulnerabilites
5 June 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Phoenix Contact products
Publisher: ICS-CERT
Operating System: Network Appliance
Impact/Access: Access Privileged Data -- Existing Account
Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
Unauthorised Access -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2019-10998 CVE-2019-10997 CVE-2019-9744
CVE-2018-7559
Original Bulletin:
https://ics-cert.us-cert.gov/advisories/ICSA-19-155-01
https://ics-cert.us-cert.gov/advisories/ICSA-19-155-02
Comment: This bulletin contains two (2) ICS CERT security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Advisory (ICSA-19-155-01)
PHOENIX CONTACT PLCNext AXC F 2152
Original release date: June 04, 2019
Legal Notice
All information products included in http://ics-cert.us-cert.gov are
provided"as is" for informational purposes only. The Department of Homeland
Security (DHS) does not provide any warranties of any kind regarding any
information contained within. DHS does not endorse any commercial product or
service, referenced in this product or otherwise. Further dissemination of this
product is governed by the Traffic Light Protocol (TLP) marking in the header.
For more information about TLP, see http://www.us-cert.gov/tlp/ .
1. EXECUTIVE SUMMARY
o CVSS v3 7.6
o ATTENTION: Exploitable remotely/low skill level to exploit
o Vendor: Phoenix Contact
o Equipment: PLCNext AXC F 2152
o Vulnerabilities: Key Management Errors, Improper Access Control,
Man-in-the-Middle, Using Component with Known Vulnerabilities
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to
decrypt passwords, bypass authentication, and deny service to the device. In
addition, these vulnerabilities could interact with third-party vulnerabilities
to cause other impacts to integrity, confidentiality, and availability.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Phoenix Contact reports these vulnerabilities affect firmware Version 1.x for
the following PLCNext AXC F 2152 products:
o AXC F 2152: article number 2404267
o AXC F 2152: article number 1046568 (Starterkit)
3.2 VULNERABILITY OVERVIEW
3.2.1 KEY MANAGEMENT ERRORS CWE-320
A remote attacker can exploit a server's private key by sending carefully
constructed UserIdentityTokens encrypted with the Basic128Rsa15 security
policy. This could allow an attacker to decrypt passwords even if encrypted
with another security policy such as Basic256Sha256.
CVE-2018-7559 has been assigned to this vulnerability. A CVSS v3 base score of
7.6 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:L/UI:R/S:U/
C:H/I:H/A:L ).
3.2.2 IMPROPER ACCESS CONTROL CWE-284
An attacker with physical access to the device can manipulate SD card data,
which could allow an attacker to bypass the authentication of the device. This
device is designed for use in a protected industrial environment with
restricted physical access.
CVE-2019-10998 has been assigned to this vulnerability. A CVSS v3 base score of
6.8 has been calculated; the CVSS vector string is ( AV:P/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).
3.2.3 CHANNEL ACCESSIBLE BY NON-ENDPOINT ('MAN-IN-THE-MIDDLE') CWE-300
An attacker trying to connect to the device using a man-in-the-middle setup may
crash the PLC service, resulting in a denial of service condition. The device
must then be rebooted, or the PLC service must be restarted manually via Linux
shell.
CVE-2019-10997 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).
3.2.4 USING COMPONENTS WITH KNOWN VULNERABILITIES
This product uses older versions of several open-source software components
containing vulnerabilities that may affect availability, integrity, or
confidentiality of the AXC F 2152. See the full list of CVE identifiers in CERT
VDE advisory number VDE-2019-009 .
Please see link in the Mitigations section for additional details.
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Zahra Khani of Firmalyzer reported some of these vulnerabilities to NCCIC. The
OPC Foundation reported some of these vulnerabilities to Phoenix Contact.
4. MITIGATIONS
Phoenix Contact recommends affected users update to firmware release 2019.0 LTS
or later, update to PLCNext Engineer release 2019.0 LTS or later, and apply the
following specific mitigations below:
o Disable Basic128Rsa15 security policy in OPC Servers configuration. Use
only Basic256 or higher.
o Follow the advice concerning SD card usage in the manual "Art.-Nr. 107708:
UM EN AXC F 2152 Installing, starting up, and operating the AXC F 2152
controller um_en_axc_f_2152_107708_en_02.pdf" that can be found on the
product page below:
o https://www.phoenixcontact.com/online/portal/us/uri=pxc-oc-itemdetail:pid=
2404267&library=usen&pcck=P-21-14-01&tab=1&selectedCategory=ALL
o Use the notification manager to monitor SD card exchanges by the
application program.
o Subscribe to PSIRT news as updates on the SD card vulnerability will be
provided in the future.
Phoenix Contact also recommends users operate the devices in closed networks or
environments protected with a suitable firewall. For detailed information on
recommendations for measures to protect network-capable devices, please refer
to the Phoenix Contact application note "Art.-Nr. 107913: AH EN INDUSTRIAL
SECURITY - Measures to protect network-capable devices with Ethernet connection
against unauthorized access," which can be found at the following link:
https://www.phoenixcontact.com/assets/downloads_ed/local_pc/
web_dwl_technical_info/ah_en_industrial_security_107913_en_01.pdf
For more information, CERT@VDE has released a security advisory available at
the following link:
https://cert.vde.com/en-us/advisories/vde-2019-009
NCCIC recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:
o Ensure the product is in a physically secure area.
o When remote access is required, use secure methods, such as virtual private
networks (VPNs), recognizing that VPNs may have vulnerabilities and should
be updated to the most current version available. Also recognize that VPN
is only as secure as the connected devices.
NCCIC reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
NCCIC also provides a section for control systems security recommended
practices on the ICS-CERT web page. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .
Additional mitigation guidance and recommended practices are publicly available
on the ICS-CERT website in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to NCCIC for tracking
and correlation against other incidents.
NCCIC also recommends that users take the following measures to protect
themselves from social engineering attacks:
o Do not click web links or open unsolicited attachments in email messages.
o Refer to Recognizing and Avoiding Email Scams for more information on
avoiding email scams.
o Refer to Avoiding Social Engineering and Phishing Attacks for more
information on social engineering attacks.
No known public exploits specifically target these vulnerabilities.
- ----------------------------------------------------------------------------
Advisory (ICSA-19-155-02)
PHOENIX CONTACT FL NAT SMx
Original release date: June 04, 2019
Legal Notice
All information products included in http://ics-cert.us-cert.gov are
provided"as is" for informational purposes only. The Department of Homeland
Security (DHS) does not provide any warranties of any kind regarding any
information contained within. DHS does not endorse any commercial product or
service, referenced in this product or otherwise. Further dissemination of this
product is governed by the Traffic Light Protocol (TLP) marking in the header.
For more information about TLP, see http://www.us-cert.gov/tlp/ .
1. EXECUTIVE SUMMARY
o CVSS v3 8.8
o ATTENTION: Exploitable remotely/low skill level to exploit
o Vendor: Phoenix Contact
o Equipment: FL NAT SMx
o Vulnerability: Improper Access Control
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow unauthorized users
full access to the device configuration.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Phoenix Contact reports the vulnerability affects the following FL NAT SMx
industrial Ethernet switches:
o FL NAT SMN 8TX-M (2702443)
o FL NAT SMN 8TX-M-DMG (2989352)
o FL NAT SMN 8TX (2989365)
o FL NAT SMCS 8TX (2989378)
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER ACCESS CONTROL CWE-284
An unauthorized user can access the web interface using an authorized IP
address, which may allow full access to the device configuration. This attack
is only possible if an authorized session is still active on the system.
CVE-2019-9744 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:R/S:U/
C:H/I:H/A:H ).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Communications, Critical Manufacturing,
Information Technology
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
CERT@VDE, working with Maxim Rupp and Phoenix Contact, reported this
vulnerability to NCCIC.
4. MITIGATIONS
Phoenix Contact recommends affected users operate the devices in closed
networks or protected with a suitable firewall.
Phoenix Contact recommends that users consider the following steps to protect
the device from an attacker who has gained access to the closed network, or if
there is a possibility that multiple users might share a VPN connection with a
single endpoint IP:
o Log off from the WEB-UI immediately after administration.
o Disable the WEB-UI and use configuration access via SNMP instead.
Ensure the system password is strong as this is also the SNMP write
community.
Additional recommendations can be found within the following application note:
https://www.phoenixcontact.com/assets/downloads_ed/local_pc/
web_dwl_technical_info/ah_en_industrial_security_107913_en_01.pdf
Please see VDE-2019-006 at the following location for more details:
https://cert.vde.com/en-us/advisories/vde-2019-006
NCCIC notes that the SNMP mitigation strategy introduces new risk into the
system because of known vulnerabilities within SNMP v2c. NCCIC recommends those
using the SNMP mitigation strategy implement the following best practices:
o Apply extended access control lists (ACLs) to block unauthorized computers
from accessing the device. Access to devices with read and/or write SNMP
permission should be strictly controlled. If monitoring and change
management are done through separate software, then they should be on
separate devices.
o Segregate SNMP traffic onto a separate management network. Management
network traffic should be out-of-band; however, if device management must
coincide with standard network activity, all communication occurring over
that network should use some encryption capability. If the network device
has a dedicated management port, it should be the sole link for services
like SNMP, Secure Shell (SSH), etc.
o For additional SNMP security recommendations see the following US-CERT
Alert:
https://www.us-cert.gov/ncas/alerts/TA17-156A
NCCIC recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:
o When remote access is required, use secure methods, such as virtual private
networks (VPNs), recognizing that VPNs may have vulnerabilities and should
be updated to the most current version available. Also recognize that VPN
is only as secure as the connected devices.
NCCIC reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
NCCIC also provides a section for control systems security recommended
practices on the ICS-CERT web page. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .
Additional mitigation guidance and recommended practices are publicly available
on the ICS-CERT website in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to NCCIC for tracking
and correlation against other incidents.
NCCIC also recommends that users take the following measures to protect
themselves from social engineering attacks:
o Do not click web links or open unsolicited attachments in email messages.
o Refer to Recognizing and Avoiding Email Scams for more information on
avoiding email scams.
o Refer to Avoiding Social Engineering and Phishing Attacks for more
information on social engineering attacks.
No known public exploits specifically target this vulnerability.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXPcrvGaOgq3Tt24GAQh1TxAAqOGLem1FzmmwmPPf+nYy3deEL9GlsrB/
gr/u7lwUBYTCTDx7+WcIXNhT0lnaNh11Xwlg6c2MwTJzuja6bLKnNyL3DmTpuMc1
1LQ6Y3tUUxFkeibRe0p6/1peoUIB0nNQfW8uS0FfCW0/0f/nKeucIX/4AZEfM5y6
JnTHEbuDX3Sni+5aMZDWgVkam2uUo4CrsE8CDMzOLUBNPe3/u+d4kSm28YZ0O7lQ
Agtn6a7lov7BFIek0KtHARzYKl2ZSCPD+WPJPwym/MLqlc9D9CYhBUU+Auvp5yCq
jCrM+OoR6xEoQG01YlXXv+jDqdPy1h85My51plP5hqJHylfl47T2QpW8+gQ/GKGW
ubCqdTaYcEY5k0kFF0Gzrx2Uz3VGNCVaXVYP/JnDqGLwDzjIzCeXq9HB8ehg0jL3
uKiM4QBIWplCD+/KPvQzTF/VtWaLCGVY7VoFEzzkqKRNXCmEjU65wUHv5rap69zX
lUoUljy85VIlj1Ji94DYfbqIfNWTU3pPXnoU20jgjmTpZcuxQdrwwQbb/HKydh1a
HNYGEj5Phgbk9nIMHyffDHHL8JUNz5I8xQQbcD6zE/ccU2uHLTlAWl3YtGS7DvXU
1OpCq8sBIyJJaThybLtBlfPizsIfeoRF9oC5i8GmtakCeERpQk4v/RSVkDsd0i7I
T6g28k5eAvQ=
=t+MK
-----END PGP SIGNATURE-----