
Security Advisory: Multiple Vulnerabilities in Phoenix Contact Routers

Introduction

This is the fourth security advisory we have released following the introduction of a “zero-day identification” module that performs static code analysis on proprietary applications found within firmware uploaded to ONEKEY’s platform. You can find the first three here: Asus M25 NAS Vulnerability, Multiple Vulnerabilities in NetModule Routers, and Unauthenticated Configuration Export in Multiple WAGO Products.

Phoenix Contact is a manufacturer of industrial grade routers. The vulnerabilities identified within the web management interface allow authenticated users to execute arbitrary commands with elevated privileges or to access any file on the system.

These vulnerabilities were automatically identified by our platform during a firmware scan of one of these industrial routers.

All our findings were validated using an emulated device and reported to Phoenix Contact, whose PSIRT team confirmed our findings. 

Affected vendor & product

  • CLOUD CLIENT 2002T-4G EU
  • CLOUD CLIENT 2002T-WLAN
  • CLOUD CLIENT 2102T-4G EU WLAN
  • TC ROUTER 4002T-4G EU
  • TC ROUTER 4102T-4G EU WLAN
  • TC ROUTER 4202T-4G EU WLAN

Vendor Advisory

Security Advisory for Phoenix Contact TC ROUTER and CLOUD CLIENT

https://cert.vde.com/de/advisories/VDE-2022-053/

Vulnerable version

< 4.5.7x.107

Fixed version

4.5.7x.107

CVE IDs

CVE-2023-0861

CVE-2023-0862

Impact (CVSS)

8.8 (high) – AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Credit

Q. Kaiser, ONEKEY Research Lab

Research supported by Certainity

 

Authenticated Command Injection

Summary

The web administration interface executes an OS command constructed with unsanitized user input.

Impact

A successful exploit could allow an authenticated user to execute arbitrary commands with elevated privileges.

Description

The web admin interface is written in PHP and has a page allowing for GNSS receiver configuration at /home/www-data/admin/gnssAutoAlign.php.

On line 36, the script calls exec with an unsanitized $device_id variable obtained from the POST request on line 6:

<?php
require_once('config/config.php');
if (isset($c))
    $device_id = $c;
else
    $device_id = $_REQUEST['device_id'];

$status = "disabled";
define("STATUS_FILENAME", "/tmp/status/gnss". $device_id ."/dr-auto-align");
define("ANGLES_FILENAME", "/tmp/status/gnss". $device_id ."/dr-auto-align-angles");
define("PID_FILENAME", "/run/gnss". $device_id ."/dr-auto-align.pid");

if (file_exists(STATUS_FILENAME)) {
    $statusfile = fopen(STATUS_FILENAME, "r");
    $status = fread($statusfile, filesize(STATUS_FILENAME));
    fclose($statusfile);
}

$yaw = "n/a";
$pitch = "n/a";
$roll = "n/a";
if (file_exists(ANGLES_FILENAME)) {
    $anglesfile = fopen(ANGLES_FILENAME, "r");
    $angles = fread($anglesfile, filesize(ANGLES_FILENAME));
    fclose($anglesfile);

    $angles = explode("\n", $angles);
    $yaw = explode("yaw: ", $angles[0])[1];
    $pitch = explode("pitch: ", $angles[1])[1];
    $roll = explode("roll: ", $angles[2])[1];

}

if (isset($_POST['toggleAlignment'])) {
    if ($status == "disabled") {
        exec("/usr/local/sbin/www-scripts/various/doAutoAlignment " . $device_id . " > /dev/null &");
        $status = "starting";
    }
    else {
        exec("kill $(cat ". PID_FILENAME . ")");
        $status = "stopping";
    }
}
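
A hardened form of the device_id handling, as an added example that is not the vendor's fix or code from the firmware: the value is reduced to a small integer before it reaches exec() or the STATUS/ANGLES/PID filename constants. The digits-only format, the MAX_GNSS_DEVICES bound and the helper names are assumptions.

```php
<?php
// Added example (not vendor code): validate device_id once, then use only the
// validated integer in both the shell command and the status/PID file paths.

const MAX_GNSS_DEVICES = 8; // assumed upper bound, not taken from the firmware

/**
 * Return the device id as an int, or null when the input is anything other
 * than a short run of decimal digits within the assumed range.
 */
function parse_device_id($raw): ?int
{
    // \A and \z anchor the whole string; \z also rejects a trailing newline.
    if (!is_string($raw) || !preg_match('/\A[0-9]{1,2}\z/', $raw)) {
        return null;
    }
    $id = (int) $raw;
    return $id < MAX_GNSS_DEVICES ? $id : null;
}

/** Build the command line from the validated id only. */
function alignment_command(int $deviceId): string
{
    // escapeshellarg() is defence in depth: an int cannot carry metacharacters.
    return '/usr/local/sbin/www-scripts/various/doAutoAlignment '
        . escapeshellarg((string) $deviceId) . ' > /dev/null &';
}

// Constructed sample inputs: two valid ids, then values that must be refused.
$samples = ['0', '3', '', '1;x', '$(x)', '../1', "2\n", '99'];
foreach ($samples as $raw) {
    $id = parse_device_id($raw);
    if ($id === null) {
        printf("%-10s rejected\n", json_encode($raw));
        continue;
    }
    printf("%-10s %s\n", json_encode($raw), alignment_command($id));
}
```

Only '0' and '3' produce a command line; every other sample is rejected before any path or command string is built.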

Authenticated Path Traversal

Summary

The web administration interface is vulnerable to path traversals, which could lead to arbitrary file uploads and deletion.

Impact

By uploading a malicious PHP file within the web administration root directory, an authenticated user could gain unconstrained remote command execution.

Description

The web admin interface is written in PHP and has a page to handle what they call “SDK jobs” at /home/www-data/admin/include/sdkJobs.php. This script calls move_uploaded_file on line 320 with unsanitized user input:

if (!move_uploaded_file($_FILES["scriptUpload"]["tmp_name"], $uploadpath))

The unsanitized user input is constructed this way:

$name = trim($_POST['scriptName']);
$uploadpath = UPLOAD_DIR . "/" . $name;
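
One way to constrain scriptName to a single file name inside the upload directory, as an added example that is not the vendor's fix or code from the firmware. The allowed character set, the helper name and the temporary directory standing in for UPLOAD_DIR are assumptions.

```php
<?php
// Added example (not vendor code): derive the destination from an allowlisted
// file name and confirm it stays directly inside the upload directory.

function safe_upload_path(string $uploadDir, $name): ?string
{
    if (!is_string($name)) {
        return null;
    }
    $name = trim($name);
    // One path component only: no separators, no leading dot, no NUL byte.
    if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9._-]{0,63}\z/', $name)) {
        return null;
    }
    $base = realpath($uploadDir); // canonical form, symlinks resolved
    if ($base === false || !is_dir($base)) {
        return null;
    }
    $dest = $base . DIRECTORY_SEPARATOR . $name;
    // Defence in depth: the parent of the destination must be the base itself.
    return dirname($dest) === $base ? $dest : null;
}

// Constructed sample names; sys_get_temp_dir() stands in for UPLOAD_DIR.
$uploadDir = sys_get_temp_dir();
$samples = ['job1.sh', ' nightly_sync ', '../../x', '/etc/passwd', '..',
            'a/b', "job\0.sh", '.htaccess'];
foreach ($samples as $name) {
    $dest = safe_upload_path($uploadDir, $name);
    printf("%-18s %s\n", json_encode($name), $dest ?? 'rejected');
}

// In the upload handler the check would sit in front of the existing call:
//   $uploadpath = safe_upload_path(UPLOAD_DIR, $_POST['scriptName'] ?? null);
//   if ($uploadpath === null
//       || !move_uploaded_file($_FILES["scriptUpload"]["tmp_name"], $uploadpath)) { ... }
```

Only 'job1.sh' and the trimmed 'nightly_sync' resolve to a path; names containing separators, a leading dot or a NUL byte are rejected.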

Key Takeaways

This advisory serves as another example of a high-risk vulnerability that went unnoticed by the vendor and may end up in mission-critical environments. With obligations increasing for operators of essential or important entities to practice third-party due diligence, automated security analyses are an effective measure to fulfill these requirements and to avoid deploying vulnerable devices in the field.

Timeline

2022-10-21 – Sent coordinated disclosure request to psirt@phoenixcontact.com

2022-10-21 – Confirmation & discussion with Phoenix Contact to explain the vulnerability.

2022-11-15 – Coordination between Phoenix Contact and ONEKEY on firmware release planning.

2023-03-07 – Phoenix Contact releases fixed firmware and its security advisory

2023-03-28 – ONEKEY releases its advisory

About ONEKEY

ONEKEY is a leading European specialist in product cybersecurity. The unique combination of an automated security & compliance software analysis platform and consulting services by cybersecurity experts provides fast, comprehensive analysis, and solutions in the area of IoT/OT product cybersecurity. Building upon automatically generated “Digital Twins” and “Software Bill of Materials (SBOM)” of devices, ONEKEY autonomously analyzes firmware for critical security vulnerabilities and compliance violations, all without source code, device, or network access. Vulnerabilities for attacks and security risks are identified in the shortest possible time, and can thus be remediated in a targeted manner. The easy-to-integrate solution enables manufacturers, distributors, and users of IoT technology to quickly and continuously perform 24/7 security and compliance audits throughout the product lifecycle. Leading international companies in Asia, Europe, and America are already successfully benefiting from the ONEKEY platform and experts.

CONTACT:

Sara Fortmann

Marketing Manager

sara.fortmann@onekey.com


euromarcom public relations GmbH

+49 611 973 150

team@euromarcom.de
