VDE-2023-057
Vulnerability from csaf_phoenixcontactgmbhcokg - Published: 2023-12-12 07:00 - Updated: 2025-06-05 13:28
Summary
Phoenix Contact: Classic line industrial controllers prone to inadequate integrity check of PLC
Notes
Summary: Phoenix Contact classic line industrial controllers are developed and designed for use in closed industrial networks. The controllers don't feature a function to check the integrity and authenticity of the application (e.g. logic files, executable logic, configurations).
The CRC check that warns the user when the application in the engineering tool differs from the one on the PLC can be manipulated.
Impact: The identified vulnerabilities allow applications to be downloaded to and executed on the classic line industrial controllers without integrity checks.
A potentially tampered application might not be discovered.
Mitigation: Phoenix Contact classic line controllers are developed and designed for use in closed industrial networks. In this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls, and by dividing the plant into OT zones using firewalls.
This concept is supported by organizational measures in the production facility as part of a security management system. To achieve security here, measures are required at all levels. It must be ensured that logic is always transferred or stored in protected environments.
This applies to both data in transmission and data at rest. Connections between the engineering tools (Automation Worx Software Suite) and the controller must always be in a locally protected environment or, in the case of remote access, protected by VPN.
Project data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks. Project data should only be stored in protected environments. Customers using Phoenix Contact classic line controllers are recommended to operate the devices as intended in closed networks or protected with a suitable firewall.
For general information and recommendations on security measures to protect network-enabled devices, refer to the application note: Application note Security
If a classic line controller can't be used in protected zones, the OT communication protocols should be disabled. Depending on the controller type, this can be done either via CPU services via console or web-based management. Information on which controllers and from which firmware version onwards communication protocols can be deactivated is described in the application note for classic line controllers or in the manual for the respective controller, which is available for download on the Phoenix Contact website.
A summary of measures to protect devices based on classic control technology is provided here: Measures to protect devices based on classic control technology
Download of Code Without Integrity Check vulnerability in PHOENIX CONTACT classic line PLCs allows an unauthenticated remote attacker to modify some or all applications on a PLC.
CVSS v3.1 base score: 7.5 (High)
Acknowledgments
CERT@VDE
certvde.com
Dragos, Inc.
Reid Wightman
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
},
{
"names": [
"Reid Wightman"
],
"organization": "Dragos, Inc."
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "Phoenix Contact classic line industrial controllers are developed and designed for the use in closed industrial networks. The controllers don\u0027t feature a function to check integrity and authenticity of the application (e.g.: logic files, executable logic, configurations).\nA CRC Check warning the user if the application of the Engineering tool and the PLC differs can be manipulated.",
"title": "Summary"
},
{
"category": "description",
"text": "The identified vulnerabilities allow to download and execute applications to the classic line industrial controllers without integrity checks.\nPotential tampered application might not be discovered.",
"title": "Impact"
},
{
"category": "description",
"text": "Phoenix Contact classic line controllers are developed and designed for use in closed industrial networks. In this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls, and by dividing the plant into OT zones using firewalls.\n\nThis concept is supported by organizational measures in the production facility as part of a security management system. To achieve security here, measures are required at all levels. It must be ensured that logic is always transferred or stored in protected environments.\n\nIt applies to both data in transmission and data at rest. Connections between the engineering tools (Automation Worx Software Suite) and the controller must always be in a locally protected environment or, in the case of remote access, protected by VPN.\n\nProject data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks. Project data should only be stored in protected environments. Customers using Phoenix Contact classic line controllers are recommended to operate the devices as intended in closed networks or protected with a suitable firewall.\n\nFor general information and recommendations on security measures to protect network-enabled devices, refer to the application note: Application note Security external link\n\nIf a classic line controller can\u0027t be used in protected zones, the OT communication protocols should be disabled. Depending on the controller type, this can be done either via CPU services via console or web-based management. Information on which controllers and from which firmware version onwards communication protocols can be deactivated is described in the application note for classic line controllers or in the manual for the respective controller, which is available for download on the Phoenix Contact website.\nA summary of measures to protect devices based on classic control technology is provided here: Measures to protect devices based on classic control technology",
"title": "Mitigation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@phoenixcontact.com",
"name": "Phoenix Contact GmbH \u0026 Co. KG",
"namespace": "https://phoenixcontact.com/psirt"
},
"references": [
{
"category": "self",
"summary": "VDE-2023-057: Phoenix Contact: Classic line industrial controllers prone to inadequate integrity check of PLC - HTML",
"url": "https://certvde.com/en/advisories/VDE-2023-057/"
},
{
"category": "self",
"summary": "VDE-2023-057: Phoenix Contact: Classic line industrial controllers prone to inadequate integrity check of PLC - CSAF",
"url": "https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2023/vde-2023-057.json"
},
{
"category": "external",
"summary": "Vendor PSIRT",
"url": "https://phoenixcontact.com/psirt"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for Phoenix Contact GmbH \u0026 Co. KG",
"url": "https://certvde.com/en/advisories/vendor/phoenixcontact/"
}
],
"title": "Phoenix Contact: Classic line industrial controllers prone to inadequate integrity check of PLC",
"tracking": {
"aliases": [
"VDE-2023-057"
],
"current_release_date": "2025-06-05T13:28:12.000Z",
"generator": {
"date": "2025-05-08T11:15:16.169Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.25"
}
},
"id": "VDE-2023-057",
"initial_release_date": "2023-12-12T07:00:00.000Z",
"revision_history": [
{
"date": "2023-12-12T07:00:00.000Z",
"number": "1",
"summary": "Initial revision."
},
{
"date": "2025-06-05T13:28:12.000Z",
"number": "2",
"summary": "Fix: quotation mark"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Automation Worx Software Suite",
"product": {
"name": "Automation Worx Software Suite",
"product_id": "CSAFPID-11001"
}
},
{
"category": "product_name",
"name": "AXC 1050",
"product": {
"name": "AXC 1050",
"product_id": "CSAFPID-11002",
"product_identification_helper": {
"model_numbers": [
"2700988"
]
}
}
},
{
"category": "product_name",
"name": "AXC 1050 XC",
"product": {
"name": "AXC 1050 XC",
"product_id": "CSAFPID-11003",
"product_identification_helper": {
"model_numbers": [
"2701295"
]
}
}
},
{
"category": "product_name",
"name": "AXC 3050",
"product": {
"name": "AXC 3050",
"product_id": "CSAFPID-11004",
"product_identification_helper": {
"model_numbers": [
"2700989"
]
}
}
},
{
"category": "product_name",
"name": "Config+",
"product": {
"name": "Config+",
"product_id": "CSAFPID-11005"
}
},
{
"category": "product_name",
"name": "FC 350 PCI ETH",
"product": {
"name": "FC 350 PCI ETH",
"product_id": "CSAFPID-11006",
"product_identification_helper": {
"model_numbers": [
"2730844"
]
}
}
},
{
"category": "product_name",
"name": "ILC1x0",
"product": {
"name": "ILC1x0",
"product_id": "CSAFPID-11007"
}
},
{
"category": "product_name",
"name": "ILC1x1",
"product": {
"name": "ILC1x1",
"product_id": "CSAFPID-11008"
}
},
{
"category": "product_name",
"name": "ILC 3xx",
"product": {
"name": "ILC 3xx",
"product_id": "CSAFPID-11009"
}
},
{
"category": "product_name",
"name": "PC Worx",
"product": {
"name": "PC Worx",
"product_id": "CSAFPID-11010"
}
},
{
"category": "product_name",
"name": "PC Worx Express",
"product": {
"name": "PC Worx Express",
"product_id": "CSAFPID-11011"
}
},
{
"category": "product_name",
"name": "PC WORX RT BASIC",
"product": {
"name": "PC WORX RT BASIC",
"product_id": "CSAFPID-11012",
"product_identification_helper": {
"model_numbers": [
"2700291"
]
}
}
},
{
"category": "product_name",
"name": "PC WORX SRT",
"product": {
"name": "PC WORX SRT",
"product_id": "CSAFPID-11013",
"product_identification_helper": {
"model_numbers": [
"2701680"
]
}
}
},
{
"category": "product_name",
"name": "RFC 430 ETH-IB",
"product": {
"name": "RFC 430 ETH-IB",
"product_id": "CSAFPID-11014",
"product_identification_helper": {
"model_numbers": [
"2730190"
]
}
}
},
{
"category": "product_name",
"name": "RFC 450 ETH-IB",
"product": {
"name": "RFC 450 ETH-IB",
"product_id": "CSAFPID-11015",
"product_identification_helper": {
"model_numbers": [
"2730200"
]
}
}
},
{
"category": "product_name",
"name": "RFC 460R PN 3TX",
"product": {
"name": "RFC 460R PN 3TX",
"product_id": "CSAFPID-11016",
"product_identification_helper": {
"model_numbers": [
"2700784"
]
}
}
},
{
"category": "product_name",
"name": "RFC 470S PN 3TX",
"product": {
"name": "RFC 470S PN 3TX",
"product_id": "CSAFPID-11017",
"product_identification_helper": {
"model_numbers": [
"2916794"
]
}
}
},
{
"category": "product_name",
"name": "RFC 480S PN 4TX",
"product": {
"name": "RFC 480S PN 4TX",
"product_id": "CSAFPID-11018",
"product_identification_helper": {
"model_numbers": [
"2404577"
]
}
}
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Firmware vers:all/*",
"product_id": "CSAFPID-21001"
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "Phoenix Contact"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018"
],
"summary": "Affected products."
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware vers:all/* installed on Automation Worx Software Suite",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware vers:all/* installed on AXC 1050",
"product_id": "CSAFPID-31002"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware vers:all/* installed on AXC 1050 XC",
"product_id": "CSAFPID-31003"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware vers:all/* installed on AXC 3050",
"product_id": "CSAFPID-31004"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11004"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware vers:all/* installed on Config+",
"product_id": "CSAFPID-31005"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11005"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware vers:all/* installed on FC 350 PCI ETH",
"product_id": "CSAFPID-31006"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11006"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware vers:all/* installed on ILC1x0",
"product_id": "CSAFPID-31007"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11007"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware vers:all/* installed on ILC1x1",
"product_id": "CSAFPID-31008"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11008"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware vers:all/* installed on ILC 3xx",
"product_id": "CSAFPID-31009"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11009"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware vers:all/* installed on PC Worx",
"product_id": "CSAFPID-31010"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11010"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware vers:all/* installed on PC Worx Express",
"product_id": "CSAFPID-31011"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11011"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware vers:all/* installed on PC WORX RT BASIC",
"product_id": "CSAFPID-31012"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11012"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware vers:all/* installed on PC WORX SRT",
"product_id": "CSAFPID-31013"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11013"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware vers:all/* installed on RFC 430 ETH-IB",
"product_id": "CSAFPID-31014"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11014"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware vers:all/* installed on RFC 450 ETH-IB",
"product_id": "CSAFPID-31015"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11015"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware vers:all/* installed on RFC 460R PN 3TX",
"product_id": "CSAFPID-31016"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11016"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware vers:all/* installed on RFC 470S PN 3TX",
"product_id": "CSAFPID-31017"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11017"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware vers:all/* installed on RFC 480S PN 4TX",
"product_id": "CSAFPID-31018"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11018"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-46143",
"cwe": {
"id": "CWE-494",
"name": "Download of Code Without Integrity Check"
},
"notes": [
{
"category": "description",
"text": "Download of Code Without Integrity Check vulnerability in PHOENIX CONTACT classic line PLCs allows an unauthenticated remote attacker to modify some or all applications on a PLC.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact classic line controllers are developed and designed for use in closed industrial networks. In this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls, and by dividing the plant into OT zones using firewalls.\n\nThis concept is supported by organizational measures in the production facility as part of a security management system. To achieve security here, measures are required at all levels. It must be ensured that logic is always transferred or stored in protected environments.\n\nIt applies to both data in transmission and data at rest. Connections between the engineering tools (Automation Worx Software Suite) and the controller must always be in a locally protected environment or, in the case of remote access, protected by VPN.\n\nProject data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks. Project data should only be stored in protected environments. Customers using Phoenix Contact classic line controllers are recommended to operate the devices as intended in closed networks or protected with a suitable firewall.\n\nFor general information and recommendations on security measures to protect network-enabled devices, refer to the application note: Application note Security external link\n\nIf a classic line controller can\u0027t be used in protected zones, the OT communication protocols should be disabled. Depending on the controller type, this can be done either via CPU services via console or web-based management. Information on which controllers and from which firmware version onwards communication protocols can be deactivated is described in the application note for classic line controllers or in the manual for the respective controller, which is available for download on the Phoenix Contact website.\nA summary of measures to protect devices based on classic control technology is provided here: Measures to protect devices based on classic control technology",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018"
]
}
],
"title": "CVE-2023-46143"
}
]
}