VDE-2023-051
Vulnerability from csaf_phoenixcontactgmbhcokg - Published: 2023-12-12 07:00 - Updated: 2025-05-22 13:03
Summary
Phoenix Contact: MULTIPROG Engineering tool and ProConOS eCLR SDK prone to CWE-732
Notes
Summary: Increased security attacks against OT infrastructure and research by Dragos make it necessary to publish this advisory, giving users hints on basic security measures to support automation systems using existing devices based on ProConOS/ProConOS eCLR.
The ProConOS/ProConOS eCLR controller runtime system has been offered as a Software Development Kit (SDK) to automation suppliers that build their own automation devices.
ProConOS/ProConOS eCLR is embedded into automation suppliers' hardware, real-time operating systems (RTOS), firmware, and I/O systems. The application (e.g. logic files, executable logic, configurations) had been designed without integrity and authenticity checks, which was state of the art when the products were developed.
Logic files generated by the MULTIPROG Engineering tool could be manipulated on the engineering station and loaded into the PLC without tamper detection. In addition, tampering can be done by specially designed attacks in such a way that it remains hidden, and the logic program modifies its own code, making it difficult to determine the impact of a malicious program.
Users need to check with their device vendors whether they are affected by this vulnerability or whether the specific device integration mitigates this attack vector.
Impact: The identified vulnerabilities allow attackers to generate applications, or upload them, with arbitrary malicious code once they have access to the engineering station or to the communication with devices using ProConOS eCLR.
This vulnerability affects all versions of ProConOS eCLR and MULTIPROG from Phoenix Contact (formerly KW-Software).
Mitigation: Industrial controllers based on ProConOS eCLR runtime are typically designed for use in closed industrial networks with a defense-in-depth approach focusing on network segmentation.
In such an approach, the production facility is protected from attacks, especially from the outside, by a multi-level perimeter including firewalls as well as the division of the facility into OT zones using firewalls. This concept is supported by organizational measures in the production plant as part of a security management system.
To achieve security here, measures are required at all levels. Engineering stations using MULTIPROG must also be part of closed industrial networks.
Manufacturers who use ProConOS eCLR runtime in their automation devices are recommended to review their implementation and, if necessary, publish corresponding advisories for their products.
Users of automation devices that use MULTIPROG Engineering and ProConOS eCLR runtime in their automation systems must check whether their application requires additional security measures.
These include, for example, adequate defense-in-depth network architecture, the use of virtual private networks (VPNs) for remote access, and the use of firewalls for network segmentation or controller isolation. Users should review their manufacturer's security advisories for more appropriate information about their specific device.
Users should ensure that logic is always transmitted or stored in protected environments. This applies both to data in transmission and to data at rest. Connections between engineering tools and the controller must always be protected in a locally protected environment or via VPN for remote access.
Project data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks. Project data should only be stored in protected environments.
For general information and recommendations on security measures to protect network-enabled devices, refer to the application note: Application Note Security
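One way to add the integrity and authenticity check the advisory calls for on project data, as an added example that is not Phoenix Contact's or any device vendor's code: a shared-key HMAC manifest (the key, file name and logic content are constructed assumptions, since the advisory names no file format) that a loader verifies before accepting a logic file. It rejects a modified file, a manifest produced with a different key, and a manifest reused for another file.

```python
import hashlib
import hmac
import json

# Constructed sample: a PLC logic file as an engineering station might export it.
# The format is hypothetical; the advisory does not specify one.
LOGIC_FILE = b"PROGRAM Main\n  Pump := Level > 80;\nEND_PROGRAM\n"


def sign_manifest(key: bytes, name: str, content: bytes) -> bytes:
    """Bind the file name and the SHA-256 of its content into a manifest and
    authenticate it with HMAC-SHA256 under a key shared only between the
    engineering station and the loader (assumed key distribution)."""
    digest = hashlib.sha256(content).hexdigest()
    body = json.dumps({"name": name, "sha256": digest}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"body": body.decode(), "tag": tag}).encode()


def verify_before_load(key: bytes, name: str, content: bytes, manifest: bytes) -> bool:
    """Return True only if the manifest tag is valid for this key (authenticity)
    AND the file name and digest match the file about to be loaded (integrity)."""
    try:
        outer = json.loads(manifest)
        body = outer["body"].encode()
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, outer["tag"]):  # constant-time compare
            return False
        inner = json.loads(body)
    except (KeyError, ValueError, TypeError, AttributeError):
        return False
    digest = hashlib.sha256(content).hexdigest()
    return inner.get("name") == name and hmac.compare_digest(str(inner.get("sha256", "")), digest)


def demo() -> dict:
    """Exercise the check against the genuine file and three failure cases."""
    key = b"constructed-demo-key-do-not-reuse"
    manifest = sign_manifest(key, "main.logic", LOGIC_FILE)
    tampered = LOGIC_FILE.replace(b"> 80", b"> 99")          # threshold changed on disk
    other_key = sign_manifest(b"different-key", "main.logic", tampered)  # manifest from a different key
    return {
        "genuine": verify_before_load(key, "main.logic", LOGIC_FILE, manifest),
        "tampered_file": verify_before_load(key, "main.logic", tampered, manifest),
        "manifest_other_key": verify_before_load(key, "main.logic", tampered, other_key),
        "reused_for_other_file": verify_before_load(key, "other.logic", LOGIC_FILE, manifest),
    }


if __name__ == "__main__":
    print(demo())
```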
CVE-2023-0757 (CWE-732: Incorrect Permission Assignment for Critical Resource)
Incorrect Permission Assignment for Critical Resource vulnerability in PHOENIX CONTACT MULTIPROG, PHOENIX CONTACT ProConOS eCLR (SDK) allows an unauthenticated remote attacker to upload arbitrary malicious code and gain full access on the affected device.
CVSS v3.1 base score: 9.8 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
- VDE-2023-051 (HTML): https://certvde.com/en/advisories/VDE-2023-051/
- VDE-2023-051 (CSAF): https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2023/vde-2023-051.json
- Vendor PSIRT: https://phoenixcontact.com/psirt
- CERT@VDE Security Advisories for Phoenix Contact GmbH & Co. KG: https://certvde.com/en/advisories/vendor/phoenixcontact/
Acknowledgments
- CERT@VDE (certvde.com): coordination
- Dragos, Inc. (Reid Wightman): reporting
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
},
{
"names": [
"Reid Wightman"
],
"organization": "Dragos, Inc.",
"summary": "reporting"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "Increased Security attacks against OT infrastructure and research of Dragos makes it necessary to publish this advisory giving users hints according to basic security measures to support automation systems using existing devices based on ProConOS/ProConOS eCLR.\n\nProConOS/ProConOS eCLR controller runtime system has been offered as a Software\u00a0Development Kit (SDK) to automation suppliers that build their own automation devices.\u00a0\n\nProConOS/ProConOS eCLR is embedded into automation suppliers\u0027 hardware, real-time\u00a0operating systems (RTOS), firmware, and I/O systems.The application (e.g.: logic files, executable logic, configurations) had been designed without integrity and authenticity check which was state of the art when developing the products.\n\nLogic files generated by MULTIPROG Engineering tool could be manipulated on the engineering\u00a0station and loaded into the PLC without tamper detection. In addition, tampering can be done by\u00a0specially designed attacks in such a way that it remains hidden, and the logic program modifies\u00a0its own code, making it difficult to determine the impact of a malicious program.\nUsers need to check with their device vendors if they are affected by this attack vulnerability\u00a0or if the specific device integration mitigates this attack vector.",
"title": "Summary"
},
{
"category": "description",
"text": "The identified vulnerabilities allow attackers to generate applications or upload them with\u00a0arbitrary malicious code once they have access to the engineering station or communication to\u00a0devices using ProConOS eCLR.\nThis vulnerability affects all versions of ProConOS eCLR and\u00a0MULTIPROG from Phoenix Contact (formerly KW-Software).",
"title": "Impact"
},
{
"category": "description",
"text": "Industrial controllers based on ProConOS eCLR runtime are typically designed for use in closed\u00a0industrial networks with a defense-in-depth approach focusing on network segmentation. \n\nIn such\u00a0an approach, the production facility is protected from attacks, especially from the outside, by a\u00a0multi-level perimeter including firewalls as well as the division of the facility into OT zones using\u00a0firewalls. This concept is supported by organizational measures in the production plant as part of\u00a0a security management system. \nTo achieve security here, measures are required at all levels.\u00a0Engineering stations using MULTIPROG must also be part of closed industrial networks.\nManufacturers who use ProConOS eCLR runtime in their automation devices are recommended\u00a0to review their implementation and, if necessary, publish corresponding advisories for their\u00a0products.\nUsers of automation devices that use MULTIPROG Engineering and ProConOS eCLR runtime\u00a0in their automation systems must check whether their application requires additional security\u00a0measures. \n\nThese include, for example, adequate defense-in-depth network architecture, the use\u00a0of virtual private networks (VPNs) for remote access, and the use of firewalls for network\u00a0segmentation or controller isolation. Users should review their manufacturer\u0027s security advisories\u00a0for more appropriate information about their specific device.\n\nUsers should ensure that logic is always transmitted or stored in protected environments.\u00a0This applies both to data in transmission and to data at rest. Connections between engineering\u00a0tools and the controller must always be protected in a locally protected environment or via VPN\u00a0for remote access. \n\nProject data should not be sent as a file via email or other transmission\u00a0mechanisms without additional integrity and authenticity checks.Project data should only be stored in protected environments.\nFor general information and recommendations on security measures to protect network-enableddevices, refer to the application note: Application Note Security",
"title": "Mitigation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@phoenixcontact.com",
"name": "Phoenix Contact GmbH \u0026 Co. KG",
"namespace": "https://phoenixcontact.com/psirt"
},
"references": [
{
"category": "self",
"summary": "VDE-2023-051: Phoenix Contact: MULTIPROG Engineering tool and ProConOS eCLR SDK prone to CWE-732 - HTML",
"url": "https://certvde.com/en/advisories/VDE-2023-051/"
},
{
"category": "self",
"summary": "VDE-2023-051: Phoenix Contact: MULTIPROG Engineering tool and ProConOS eCLR SDK prone to CWE-732 - CSAF",
"url": "https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2023/vde-2023-051.json"
},
{
"category": "external",
"summary": "Vendor PSIRT",
"url": "https://phoenixcontact.com/psirt"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for Phoenix Contact GmbH \u0026 Co. KG",
"url": "https://certvde.com/en/advisories/vendor/phoenixcontact/"
}
],
"title": "Phoenix Contact: MULTIPROG Engineering tool and ProConOS eCLR SDK prone to CWE-732",
"tracking": {
"aliases": [
"VDE-2023-051"
],
"current_release_date": "2025-05-22T13:03:10.000Z",
"generator": {
"date": "2025-04-14T07:49:29.389Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.23"
}
},
"id": "VDE-2023-051",
"initial_release_date": "2023-12-12T07:00:00.000Z",
"revision_history": [
{
"date": "2023-12-12T07:00:00.000Z",
"number": "1",
"summary": "Initial revision."
},
{
"date": "2025-05-22T13:03:10.000Z",
"number": "2",
"summary": "Fix: quotation mark"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "MULTIPROG vers:all/*",
"product_id": "CSAFPID-51001"
}
}
],
"category": "product_name",
"name": "MULTIPROG"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "ProConOS eCLR (SDK) vers:all/*",
"product_id": "CSAFPID-51002"
}
}
],
"category": "product_name",
"name": "ProConOS eCLR (SDK)"
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "Phoenix Contact"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-51001",
"CSAFPID-51002"
],
"summary": "Affected products."
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-0757",
"cwe": {
"id": "CWE-732",
"name": "Incorrect Permission Assignment for Critical Resource"
},
"notes": [
{
"category": "description",
"text": "Incorrect Permission Assignment for Critical Resource vulnerability in PHOENIX CONTACT MULTIPROG, PHOENIX CONTACT ProConOS eCLR (SDK) allows an unauthenticated remote attacker to upload arbitrary malicious code and gain full access on the affected device.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-51001",
"CSAFPID-51002"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Industrial controllers based on ProConOS eCLR runtime are typically designed for use in closed\u00a0industrial networks with a defense-in-depth approach focusing on network segmentation. \n\nIn such\u00a0an approach, the production facility is protected from attacks, especially from the outside, by a\u00a0multi-level perimeter including firewalls as well as the division of the facility into OT zones using\u00a0firewalls. This concept is supported by organizational measures in the production plant as part of\u00a0a security management system. \nTo achieve security here, measures are required at all levels.\u00a0Engineering stations using MULTIPROG must also be part of closed industrial networks.\nManufacturers who use ProConOS eCLR runtime in their automation devices are recommended\u00a0to review their implementation and, if necessary, publish corresponding advisories for their\u00a0products.\nUsers of automation devices that use MULTIPROG Engineering and ProConOS eCLR runtime\u00a0in their automation systems must check whether their application requires additional security\u00a0measures. \n\nThese include, for example, adequate defense-in-depth network architecture, the use\u00a0of virtual private networks (VPNs) for remote access, and the use of firewalls for network\u00a0segmentation or controller isolation. Users should review their manufacturer\u0027s security advisories\u00a0for more appropriate information about their specific device.\n\nUsers should ensure that logic is always transmitted or stored in protected environments.\u00a0This applies both to data in transmission and to data at rest. Connections between engineering\u00a0tools and the controller must always be protected in a locally protected environment or via VPN\u00a0for remote access. \n\nProject data should not be sent as a file via email or other transmission\u00a0mechanisms without additional integrity and authenticity checks.Project data should only be stored in protected environments.\nFor general information and recommendations on security measures to protect network-enableddevices, refer to the application note: Application Note Security",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-51001",
"CSAFPID-51002"
]
}
],
"title": "CVE-2023-0757"
}
]
}