VDE-2022-026

Vulnerability from csaf_phoenixcontactgmbhcokg - Published: 2022-06-21 05:16 - Updated: 2025-05-22 13:03
Summary
PHOENIX CONTACT: Vulnerability in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool
Notes
Summary: ProConOS/ProConOS eCLR insufficiently verifies uploaded data.
Impact: The identified vulnerability allows attackers to upload logic with arbitrary malicious code once they have access to the communication with products that are utilizing ProConOS/ProConOS eCLR. Attackers must have network or physical controller access to exploit this vulnerability. This vulnerability affects all versions of ProConOS/ProConOS eCLR and MULTIPROG from Phoenix Contact Software (formerly KW-Software).
Mitigation: Manufacturers using ProConOS/ProConOS eCLR in their automation devices are advised to check their implementation and may publish an advisory according to their product. Users of automation devices utilizing ProConOS/ProConOS eCLR in their automation systems may check if their application requires additional security measures like an adequate defense-in-depth networking architecture, the use of virtual private networks (VPNs) for remote access, as well as the use of firewalls for network segmentation or controller isolation. Users should check their manufacturer's security advisories for more adequate information according to their dedicated device. Users should ensure that the logic is always transferred or stored in protected environments. This is valid for data in transmission as well as data at rest. Connections between the Engineering Tools and the controller must always be in a locally protected environment or protected by VPN for remote access. Project data shouldn't be sent as a file via e-mail or other transfer mechanisms without additional integrity and authenticity checks. Project data should be saved in protected environments only. Generic information and recommendations for security measures to protect network-capable devices can be found in the application note.

An unauthenticated, remote attacker could upload malicious logic to the devices based on ProConOS/ProConOS eCLR in order to gain full control over the device.

CWE-345 - Insufficient Verification of Data Authenticity
Mitigation: Manufacturers using ProConOS/ProConOS eCLR in their automation devices are advised to check their implementation and may publish an advisory according to their product. Users of automation devices utilizing ProConOS/ProConOS eCLR in their automation systems may check if their application requires additional security measures like an adequate defense-in-depth networking architecture, the use of virtual private networks (VPNs) for remote access, as well as the use of firewalls for network segmentation or controller isolation. Users should check their manufacturer's security advisories for more adequate information according to their dedicated device. Users should ensure that the logic is always transferred or stored in protected environments. This is valid for data in transmission as well as data at rest. Connections between the Engineering Tools and the controller must always be in a locally protected environment or protected by VPN for remote access. Project data shouldn't be sent as a file via e-mail or other transfer mechanisms without additional integrity and authenticity checks. Project data should be saved in protected environments only. Generic information and recommendations for security measures to protect network-capable devices can be found in the application note.
Acknowledgments
CERT@VDE
Forescout

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination"
      },
      {
        "organization": "Forescout",
        "summary": "reporting."
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "ProConOS/ProConOS eCLR insufficiently\u00a0verifies uploaded data.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "The identified vulnerability allows attackers uploading logic with arbitrary malicious code oncehaving access to the communication to products that are utilizing ProConOS/ProConOS eCLR.Attackers must have network or physical controller access to exploit this vulnerability. Thisvulnerability affects all versions of ProConOS/ProConOS eCLR and MULTIPROG from PhoenixContact Software (formerly KW-Software).",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Manufacturers using ProConOS/ProConOS eCLR in their automation devices are advised tocheck their implementation and may publish an advisory according to their product.\nUsers of automation devices utilizing ProConOS/ProConOS eCLR in their automation systemsmay check if their application requires additional security measures like an adequate defense\u2013in-depth networking architecture, the use of virtual private networks (VPNs) for remote access,as well as the use of firewalls for network segmentation or controller isolation.\nUsers should check their manufacturers security advisories for more adequate informationaccording to their dedicated device.\nUsers should ensure that the logic is always transferred or stored in protected environments.This is valid for data in transmission as well as data in rest. Connections between theEngineering Tools and the controller must always be in a locally protected environment orprotected by VPN for remote access. Project data shouldn\u0027t send as a file via e-mail or othertransfer mechanisms without additional integrity and authenticity checks.Project data should save in protected environments only.\nGeneric information and recommendations for security measures to protect network-capabledevices can be found in the application note.",
        "title": "Mitigation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@phoenixcontact.com",
      "name": "Phoenix Contact GmbH \u0026 Co. KG",
      "namespace": "https://phoenixcontact.com/psirt"
    },
    "references": [
      {
        "category": "external",
        "summary": "PHOENIX CONTACT PSIRT ",
        "url": "https://phoenixcontact.com/psirt"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for PHOENIX CONTACT",
        "url": "https://certvde.com/en/advisories/vendor/phoenixcontact/"
      },
      {
        "category": "self",
        "summary": "VDE-2022-026: PHOENIX CONTACT: Vulnerability in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2022-026/"
      },
      {
        "category": "self",
        "summary": "VDE-2022-026: PHOENIX CONTACT: Vulnerability in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool - CSAF",
        "url": "https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2022/vde-2022-026.json"
      }
    ],
    "title": "PHOENIX CONTACT: Vulnerability in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool",
    "tracking": {
      "aliases": [
        "VDE-2022-026"
      ],
      "current_release_date": "2025-05-22T13:03:10.000Z",
      "generator": {
        "date": "2025-04-09T07:58:21.647Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.22"
        }
      },
      "id": "VDE-2022-026",
      "initial_release_date": "2022-06-21T05:16:00.000Z",
      "revision_history": [
        {
          "date": "2022-06-21T05:16:00.000Z",
          "number": "1",
          "summary": "Initial revision."
        },
        {
          "date": "2025-05-22T13:03:10.000Z",
          "number": "2",
          "summary": "Fix: added distribution, quotation mark"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:all/*",
                    "product": {
                      "name": "MULTIPROG vers:all/*",
                      "product_id": "CSAFPID-51001"
                    }
                  }
                ],
                "category": "product_name",
                "name": "MULTIPROG"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:all/*",
                    "product": {
                      "name": "ProConOS vers:all/*",
                      "product_id": "CSAFPID-51002"
                    }
                  }
                ],
                "category": "product_name",
                "name": "ProConOS"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:all/*",
                    "product": {
                      "name": "ProConOS eCLR vers:all/*",
                      "product_id": "CSAFPID-51003"
                    }
                  }
                ],
                "category": "product_name",
                "name": "ProConOS eCLR"
              }
            ],
            "category": "product_family",
            "name": "Software"
          }
        ],
        "category": "vendor",
        "name": "Phoenix Contact"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-51001",
          "CSAFPID-51002",
          "CSAFPID-51003"
        ],
        "summary": "Affected Products"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-31801",
      "cwe": {
        "id": "CWE-345",
        "name": "Insufficient Verification of Data Authenticity"
      },
      "notes": [
        {
          "category": "description",
          "text": "An unauthenticated, remote attacker could upload malicious logic to the devices based on ProConOS/ProConOS eCLR in order to gain full control over the device.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-51001",
          "CSAFPID-51002",
          "CSAFPID-51003"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Manufacturers using ProConOS/ProConOS eCLR in their automation devices are advised to\ncheck their implementation and may publish an advisory according to their product.\n\nUsers of automation devices utilizing ProConOS/ProConOS eCLR in their automation systems\nmay check if their application requires additional security measures like an adequate defense\u2013\nin-depth networking architecture, the use of virtual private networks (VPNs) for remote access,\nas well as the use of firewalls for network segmentation or controller isolation.\n\nUsers should check their manufacturers security advisories for more adequate information\naccording to their dedicated device.\n\nUsers should ensure that the logic is always transferred or stored in protected environments.\nThis is valid for data in transmission as well as data in rest. Connections between the\nEngineering Tools and the controller must always be in a locally protected environment or\nprotected by VPN for remote access. Project data shouldn\u0027t send as a file via e-mail or other\ntransfer mechanisms without additional integrity and authenticity checks.\nProject data should save in protected environments only.\n\nGeneric information and recommendations for security measures to protect network-capable\ndevices can be found in the application note.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 9.8,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 9.8,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-51001",
            "CSAFPID-51002",
            "CSAFPID-51003"
          ]
        }
      ],
      "title": "CVE-2022-31801"
    }
  ]
}

