VDE-2023-056

Vulnerability from csaf_phoenixcontactgmbhcokg - Published: 2023-12-12 07:00 - Updated: 2025-05-22 13:03
Summary
Phoenix Contact: PLCnext prone to Incorrect Permission Assignment for Critical Resource
Notes
Summary: PLCnext Control provides authentication and an integrity check for the application. An authenticated, skilled attacker might be able to manipulate the application (e.g. logic files, executable logic, configurations) in a specially crafted way such that the integrity check will not recognize these tampering attempts, which are then difficult to remove. To successfully exploit this vulnerability, the attacker must have access to the application, either with PLCnext Engineer on the engineering station, to the stored application, to the application during download, or to the application storage on the PLC.
Impact: The identified vulnerabilities allow attackers to introduce malicious code into PLCnext Control once they have access to the engineering station running PLCnext Engineer or can communicate with the controllers. Attackers must have authenticated network or physical access to the engineering station or controller to exploit this vulnerability.
Mitigation: PLCnext Control is developed and designed for use in protected industrial networks. In this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls, and by dividing the plant into OT zones using firewalls. This concept is supported by organizational measures in the production facility as part of a security management system. To achieve security, measures are required at all levels. It must be ensured that the application is always transferred or stored in protected environments. This applies to both data in transmission and data at rest. Connections between the engineering tools (PLCnext Engineer) and PLCnext Control must always be in a locally protected environment or, in the case of remote access, protected by VPN. Project data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks. Project data should only be stored in protected environments. For general information and recommendations on security measures to protect network-enabled devices, refer to the application note: Application note Security. PLCnext Control provides a feature set that supports users in setting up a separated, protected environment, for example by using separated Ethernet ports, firewalls, user and certificate management, and integrity checks. These features can reduce the attack surface of this vulnerability. For more information, refer to the PLCnext Info Centers. Concepts for how to use PLCnext Control to establish protected industrial networks are described in the Security Context description Generic security concept.
Remediation: The PLCnext Control security feature set and hardening are continuously improved. Please check the PLCnext Control product download pages for updated versions and the PSIRT webpage https://phoenixcontact.com/psirt regularly for updated information and firmware. We recommend that our customers always use the latest LTS versions, as known security vulnerabilities are regularly fixed. The latest version at the time of publication of this advisory is 2023.0.7 LTS Hotfix.

An incorrect permission assignment for critical resource vulnerability in PLCnext products allows a remote attacker with low privileges to gain full access to the affected devices.

CWE-732 - Incorrect Permission Assignment for Critical Resource
Mitigation: PLCnext Control is developed and designed for use in protected industrial networks. In this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls, and by dividing the plant into OT zones using firewalls. This concept is supported by organizational measures in the production facility as part of a security management system. To achieve security, measures are required at all levels. It must be ensured that the application is always transferred or stored in protected environments. This applies to both data in transmission and data at rest. Connections between the engineering tools (PLCnext Engineer) and PLCnext Control must always be in a locally protected environment or, in the case of remote access, protected by VPN. Project data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks. Project data should only be stored in protected environments. For general information and recommendations on security measures to protect network-enabled devices, refer to the application note: Application note Security. PLCnext Control provides a feature set that supports users in setting up a separated, protected environment, for example by using separated Ethernet ports, firewalls, user and certificate management, and integrity checks. These features can reduce the attack surface of this vulnerability. For more information, refer to the PLCnext Info Centers. Concepts for how to use PLCnext Control to establish protected industrial networks are described in the Security Context description Generic security concept.
Vendor Fix: The PLCnext Control security feature set and hardening are continuously improved. Please check the PLCnext Control product download pages for updated versions and the PSIRT webpage https://phoenixcontact.com/psirt regularly for updated information and firmware. We recommend that our customers always use the latest LTS versions, as known security vulnerabilities are regularly fixed. The latest version at the time of publication of this advisory is 2023.0.7 LTS Hotfix.
Acknowledgments
CERT@VDE certvde.com
Dragos, Inc. Reid Wightman

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "names": [
          "Reid Wightman"
        ],
        "organization": "Dragos, Inc."
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "PLCnext Control provides authentication and integrity check for the application.An authenticated, skilled attacker might be able to manipulate the application (e.g.: logic files, executable logic, configurations) in a special crafted way that the integrity check will not be able to recognize these tampering attempts which are then difficult to remove.\nTo successfully exploit this vulnerability, the attacker must have access to the application either with PLCnext Engineer on the Engineering station, the stored application, the application during download or the application storage on the PLC.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "The identified vulnerabilities allow malicious code to PLCnext Control once they have access to the engineering station running PLCnext Engineer or can communicate with the controllers.Attackers must have authenticated network or physical access to the engineering station or controller to exploit this vulnerability.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "PLCnext Control is developed and designed for use in protected industrial networks. In this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls, and by dividing the plant into OT zones using firewalls.\nThis concept is supported by organizational measures in the production facility as part of a security management system. To achieve security, measures are required at all levels. It must be ensured that the application is always transferred or stored in protected environments.\nThis applies to both data in transmission and data at rest. Connections between the engineering tools (PLCnext Engineer) and PLCnext Control must always be in a locally protected environment or, in the case of remote access, protected by VPN.\nProject data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks. Project data should only be stored in protected environments.\nFor general information and recommendations on security measures to protect network-enabled devices, refer to the application note:\u00a0Application note Security\n\n\n\nPLCnext Control provides a feature set that supports users in setting up a separated protected environment, for example, by using separated Ethernet ports, firewalls, user and certificate management and integrity checks. These features can reduce the attack surface of this vulnerability.\nFor more information\u0027s refer to the PLCnext Info Centers.\nConcepts how to use PLCnext Control to establish protected industrial networks are described in the Security Context description Generic security concept.",
        "title": "Mitigation"
      },
      {
        "category": "description",
        "text": "PLCnext Control security feature set and hardening are continuously improved.\nPlease check the PLCnext Control product download pages for updated versions and the PSIRT webpage https://phoenixcontact.com/psirt\u00a0for updated information\u0027s and firmware regularly.\n\n\n\n\n\nWe recommend that our customers always use the latest LTS versions, as known security vulnerabilities are regularly fixed. The latest version at the time of publication of this advisory is 2023.0.7 LTS Hotfix.",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@phoenixcontact.com",
      "name": "Phoenix Contact GmbH \u0026 Co. KG",
      "namespace": "https://phoenixcontact.com/psirt"
    },
    "references": [
      {
        "category": "self",
        "summary": "VDE-2023-056: Phoenix Contact: PLCnext prone to Incorrect Permission Assignment for Critical Resource - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2023-056/"
      },
      {
        "category": "self",
        "summary": "VDE-2023-056: Phoenix Contact: PLCnext prone to Incorrect Permission Assignment for Critical Resource - CSAF",
        "url": "https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2023/vde-2023-056.json"
      },
      {
        "category": "external",
        "summary": "Phoenix Contact PSIRT",
        "url": "https://phoenixcontact.com/psirt"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for Phoenix Contact GmbH \u0026 Co. KG",
        "url": "https://certvde.com/en/advisories/vendor/phoenixcontact/"
      }
    ],
    "title": "Phoenix Contact: PLCnext prone to Incorrect Permission Assignment for Critical Resource",
    "tracking": {
      "aliases": [
        "VDE-2023-056"
      ],
      "current_release_date": "2025-05-22T13:03:10.000Z",
      "generator": {
        "date": "2025-05-05T10:00:42.611Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.24"
        }
      },
      "id": "VDE-2023-056",
      "initial_release_date": "2023-12-12T07:00:00.000Z",
      "revision_history": [
        {
          "date": "2023-12-12T07:00:00.000Z",
          "number": "1",
          "summary": "Initial revision."
        },
        {
          "date": "2025-05-22T13:03:10.000Z",
          "number": "2",
          "summary": "Fix: quotation mark"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "AXC F 1152",
                "product": {
                  "name": "AXC F 1152",
                  "product_id": "CSAFPID-11001",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1151412"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "AXC F 2152",
                "product": {
                  "name": "AXC F 2152",
                  "product_id": "CSAFPID-11002",
                  "product_identification_helper": {
                    "model_numbers": [
                      "2404267"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "AXC F 3152",
                "product": {
                  "name": "AXC F 3152",
                  "product_id": "CSAFPID-11003",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1069208"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "BPC 9102S",
                "product": {
                  "name": "BPC 9102S",
                  "product_id": "CSAFPID-11004",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1246285"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "EPC 1502",
                "product": {
                  "name": "EPC 1502",
                  "product_id": "CSAFPID-11005",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1185416"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "EPC 1522",
                "product": {
                  "name": "EPC 1522",
                  "product_id": "CSAFPID-11006",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1185423"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "PLCnext Engineer",
                "product": {
                  "name": "PLCnext Engineer",
                  "product_id": "CSAFPID-51001",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1046008"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "RFC 4072R",
                "product": {
                  "name": "RFC 4072R",
                  "product_id": "CSAFPID-11007",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1136419"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "RFC 4072S",
                "product": {
                  "name": "RFC 4072S",
                  "product_id": "CSAFPID-11008",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1051328"
                    ]
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=2024.0",
                "product": {
                  "name": "Firmware \u003c= 2024.0",
                  "product_id": "CSAFPID-21001"
                }
              },
              {
                "category": "product_version",
                "name": "2023.0.7 LTS",
                "product": {
                  "name": "Firmware 2023.0.7 LTS",
                  "product_id": "CSAFPID-22001"
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "Phoenix Contact"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003"
        ],
        "summary": "Affected products."
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "summary": "Fixed products."
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c= 2024.0 installed on AXC F 1152",
          "product_id": "CSAFPID-31001"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c= 2024.0 installed on AXC F 2152",
          "product_id": "CSAFPID-31002"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c= 2024.0 installed on AXC F 3152",
          "product_id": "CSAFPID-31003"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c= 2024.0 installed on BPC 9102S",
          "product_id": "CSAFPID-31004"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11004"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c= 2024.0 installed on EPC 1502",
          "product_id": "CSAFPID-31005"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11005"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c= 2024.0 installed on EPC 1522",
          "product_id": "CSAFPID-31006"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11006"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c= 2024.0 installed on PLCnext Engineer",
          "product_id": "CSAFPID-31007"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-51001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c= 2024.0 installed on RFC 4072R",
          "product_id": "CSAFPID-31008"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11007"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c= 2024.0 installed on RFC 4072S",
          "product_id": "CSAFPID-31009"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11008"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2023.0.7 LTS installed on AXC F 1152",
          "product_id": "CSAFPID-32001"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2023.0.7 LTS installed on AXC F 2152",
          "product_id": "CSAFPID-32002"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2023.0.7 LTS installed on AXC F 3152",
          "product_id": "CSAFPID-32003"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2023.0.7 LTS installed on BPC 9102S",
          "product_id": "CSAFPID-32004"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11004"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2023.0.7 LTS installed on EPC 1502",
          "product_id": "CSAFPID-32005"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11005"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2023.0.7 LTS installed on EPC 1522",
          "product_id": "CSAFPID-32006"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11006"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2023.0.7 LTS installed on PLCnext Engineer",
          "product_id": "CSAFPID-32007"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-51001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2023.0.7 LTS installed on RFC 4072R",
          "product_id": "CSAFPID-32008"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11007"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2023.0.7 LTS installed on RFC 4072S",
          "product_id": "CSAFPID-32009"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11008"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-46142",
      "cwe": {
        "id": "CWE-732",
        "name": "Incorrect Permission Assignment for Critical Resource"
      },
      "notes": [
        {
          "category": "description",
          "text": "A incorrect permission assignment for critical resource vulnerability in PLCnext products allows an remote attacker with low privileges to gain full access on the affected devices.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005",
          "CSAFPID-32006",
          "CSAFPID-32007",
          "CSAFPID-32008",
          "CSAFPID-32009"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006",
          "CSAFPID-31007",
          "CSAFPID-31008",
          "CSAFPID-31009"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "PLCnext Control is developed and designed for use in protected industrial networks. In this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls, and by dividing the plant into OT zones using firewalls.\nThis concept is supported by organizational measures in the production facility as part of a security management system. To achieve security, measures are required at all levels. It must be ensured that the application is always transferred or stored in protected environments.\nThis applies to both data in transmission and data at rest. Connections between the engineering tools (PLCnext Engineer) and PLCnext Control must always be in a locally protected environment or, in the case of remote access, protected by VPN.\nProject data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks. Project data should only be stored in protected environments.\nFor general information and recommendations on security measures to protect network-enabled devices, refer to the application note:\u00a0Application note Security\n\n\n\nPLCnext Control provides a feature set that supports users in setting up a separated protected environment, for example, by using separated Ethernet ports, firewalls, user and certificate management and integrity checks. These features can reduce the attack surface of this vulnerability.\nFor more information\u0027s refer to the PLCnext Info Centers.\nConcepts how to use PLCnext Control to establish protected industrial networks are described in the Security Context description Generic security concept.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "PLCnext Control security feature set and hardening are continuously improved.\nPlease check the PLCnext Control product download pages for updated versions and the PSIRT webpage https://phoenixcontact.com/psirt\u00a0for updated information\u0027s and firmware regularly.\n\n\n\n\n\nWe recommend that our customers always use the latest LTS versions, as known security vulnerabilities are regularly fixed. The latest version at the time of publication of this advisory is 2023.0.7 LTS Hotfix.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006",
            "CSAFPID-31007",
            "CSAFPID-31008",
            "CSAFPID-31009"
          ]
        }
      ],
      "title": "CVE-2023-46142"
    }
  ]
}