VDE-2023-058

Vulnerability from csaf_phoenixcontactgmbhcokg - Published: 2023-12-12 07:00 - Updated: 2025-05-22 13:03
Summary
Phoenix Contact: PLCnext Control prone to download of code without integrity check
Notes
Summary: PLCnext Control provides authentication and integrity check for the application.An authenticated, skilled attacker might be able to manipulate the application (e.g.: logic files, executable logic, configurations) in a special crafted way that the integrity check will not be able to recognize these tampering attempts which are then difficult to remove. PLCnext Engineer warns users if the PLC logic is different from the current loaded project when Online mode is activated. In addition, during loading an application on the PLC, a Project Integrity Warning logging entry is generated.A skilled attacker might be able to manipulate the application in a special crafted way that the integrity check will not be able to recognize tampering attempts.
Impact: The identified vulnerabilities allow to download and execute manipulated applications on PLCnext Control. Potential tampered applications might not be discovered.
Mitigation: PLCnext Control is developed and designed for use in protected industrial networks. In this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls, and by dividing the plant into OT zones using firewalls. This concept is supported by organizational measures in the production facility as part of a security management system. To achieve security, measures are required at all levels. It must be ensured that the application is always transferred or stored in protected environments. This applies to both data in transmission and data at rest. Connections between the engineering tools (PLCnext Engineer) and PLCnext Control must always be in a locally protected environment or, in the case of remote access, protected by VPN. Project data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks. Project data should only be stored in protected environments. For general information and recommendations on security measures to protect network-enabled devices, refer to the application note: Application note Security PLCnext Control provides a feature set that supports users in setting up a separated protected environment, for example, by using separated Ethernet ports, firewalls, user and certificate management, and integrity checks. These features can reduce the attack surface of this vulnerability. For more information's refer to the PLCnext Info Centers. PLCnext Control provides project data integrity checks, information's about the default configuration are provided in the topic Checking project data integrity.
Remediation: PLCnext Control security feature set and hardening are continuously improved. Please check the PLCnext Control product download pages for updated versions and the PSIRT webpage https://phoenixcontact.com/psirt for updated information's and firmware regularly. We recommend that our customers always use the latest LTS versions, as known security vulnerabilities are regularly fixed. The latest version at the time of publication of this advisory is 2023.0.7 LTS Hotfix.
CVE-2023-46144

A download of code without integrity check vulnerability in PLCnext products allows an remote attacker with low privileges to compromise integrity on the affected engineering station and the connected devices.

7.7 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
CWE-494 - Download of Code Without Integrity Check
Mitigation PLCnext Control is developed and designed for use in protected industrial networks. In this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls, and by dividing the plant into OT zones using firewalls. This concept is supported by organizational measures in the production facility as part of a security management system. To achieve security, measures are required at all levels. It must be ensured that the application is always transferred or stored in protected environments. This applies to both data in transmission and data at rest. Connections between the engineering tools (PLCnext Engineer) and PLCnext Control must always be in a locally protected environment or, in the case of remote access, protected by VPN. Project data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks. Project data should only be stored in protected environments. For general information and recommendations on security measures to protect network-enabled devices, refer to the application note:Application note Security PLCnext Control provides a feature set that supports users in setting up a separated protected environment, for example, by using separated Ethernet ports, firewalls, user and certificate management, and integrity checks. These features can reduce the attack surface of this vulnerability. For more information's refer to the PLCnext Info Centers. PLCnext Control provides project data integrity checks, information's about the default configuration are provided in the topic Checking project data integrity.
Vendor Fix PLCnext Control security feature set and hardening are continuously improved. Please check the PLCnext Control product download pages for updated versions and the PSIRT webpage https://phoenixcontact.com/psirt for updated information's and firmware regularly. We recommend that our customers always use the latest LTS versions, as known security vulnerabilities are regularly fixed. The latest version at the time of publication of this advisory is 2023.0.7 LTS Hotfix.
References
Acknowledgments
CERT@VDE certvde.com
Dragos, Inc. Reid Wightman
To clipboard 

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "names": [
          "Reid Wightman"
        ],
        "organization": "Dragos, Inc.",
        "summary": "reporting"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "PLCnext Control provides authentication and integrity check for the application.An authenticated, skilled attacker might be able to manipulate the application (e.g.: logic files, executable logic, configurations) in a special crafted way that the integrity check will not be able to recognize these tampering attempts which are then difficult to remove.\nPLCnext Engineer warns users if the PLC logic is different from the current loaded project when Online mode is activated. In addition, during loading an application on the PLC, a Project Integrity Warning logging entry is generated.A skilled attacker might be able to manipulate the application in a special crafted way that the integrity check will not be able to recognize tampering attempts.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "The identified vulnerabilities allow\u00a0to download and execute manipulated applications on PLCnext Control. Potential tampered applications might not be discovered.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "PLCnext Control is developed and designed for use in protected industrial networks. \n\nIn this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls, and by dividing the plant into OT zones using firewalls.\n\nThis concept is supported by organizational measures in the production facility as part of a security management system. \n\nTo achieve security, measures are required at all levels. It must be ensured that the application is always transferred or stored in protected environments.\n\nThis applies to both data in transmission and data at rest. Connections between the engineering tools (PLCnext Engineer) and PLCnext Control must always be in a locally protected environment or, in the case of remote access, protected by VPN.\n\nProject data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks. Project data should only be stored in protected environments.\n\nFor general information and recommendations on security measures to protect network-enabled devices, refer to the application note:\n\nApplication note Security\nPLCnext Control provides a feature set that supports users in setting up a separated protected environment, for example, by using separated Ethernet ports, firewalls, user and certificate management, and integrity checks. \n\nThese features can reduce the attack surface of this vulnerability.\nFor more information\u0027s refer to the PLCnext Info Centers.\n\nPLCnext Control provides project data integrity checks, information\u0027s about the default configuration are provided in the topic Checking project data integrity.",
        "title": "Mitigation"
      },
      {
        "category": "description",
        "text": "PLCnext Control security feature set and hardening are continuously improved. Please check the PLCnext Control product download pages for updated versions and the PSIRT webpage https://phoenixcontact.com/psirt for updated information\u0027s and firmware regularly.\n\n\n\n\n\nWe recommend that our customers always use the latest LTS versions, as known security vulnerabilities are regularly fixed. The latest version at the time of publication of this advisory is 2023.0.7 LTS Hotfix.",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@phoenixcontact.com",
      "name": "Phoenix Contact GmbH \u0026 Co. KG",
      "namespace": "https://phoenixcontact.com/psirt"
    },
    "references": [
      {
        "category": "self",
        "summary": "VDE-2023-058: Phoenix Contact: PLCnext Control prone to download of code without integrity check - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2023-058/"
      },
      {
        "category": "self",
        "summary": "VDE-2023-058: Phoenix Contact: PLCnext Control prone to download of code without integrity check - CSAF",
        "url": "https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2023/vde-2023-058.json"
      },
      {
        "category": "external",
        "summary": "Vendor PSIRT",
        "url": "https://phoenixcontact.com/psirt"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for Phoenix Contact GmbH \u0026 Co. KG",
        "url": "https://certvde.com/en/advisories/vendor/phoenixcontact/"
      }
    ],
    "title": "Phoenix Contact: PLCnext Control prone to download of code without integrity check",
    "tracking": {
      "aliases": [
        "VDE-2023-058"
      ],
      "current_release_date": "2025-05-22T13:03:10.000Z",
      "generator": {
        "date": "2025-04-16T14:32:06.695Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.23"
        }
      },
      "id": "VDE-2023-058",
      "initial_release_date": "2023-12-12T07:00:00.000Z",
      "revision_history": [
        {
          "date": "2023-12-12T07:00:00.000Z",
          "number": "1",
          "summary": "Initial revision."
        },
        {
          "date": "2025-05-22T13:03:10.000Z",
          "number": "2",
          "summary": "Fix: quotation mark"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "AXC F 1152",
                "product": {
                  "name": "AXC F 1152",
                  "product_id": "CSAFPID-11001",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1151412"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "AXC F 2152",
                "product": {
                  "name": "AXC F 2152",
                  "product_id": "CSAFPID-11002",
                  "product_identification_helper": {
                    "model_numbers": [
                      "2404267"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "AXC F 3152",
                "product": {
                  "name": "AXC F 3152",
                  "product_id": "CSAFPID-11003",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1069208"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "BPC 9102S",
                "product": {
                  "name": "BPC 9102S",
                  "product_id": "CSAFPID-11004",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1246285"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "EPC 1502",
                "product": {
                  "name": "EPC 1502",
                  "product_id": "CSAFPID-11005",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1185416"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "EPC 1522",
                "product": {
                  "name": "EPC 1522",
                  "product_id": "CSAFPID-11006",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1185423"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "RFC 4072R",
                "product": {
                  "name": "RFC 4072R",
                  "product_id": "CSAFPID-11008",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1136419"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "RFC 4072S",
                "product": {
                  "name": "RFC 4072S",
                  "product_id": "CSAFPID-11009",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1051328"
                    ]
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=2024.0",
                "product": {
                  "name": "Firmware \u003c=2024.0",
                  "product_id": "CSAFPID-21001"
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          },
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=2024.0",
                    "product": {
                      "name": "PLCnext Engineer \u003c=2024.0",
                      "product_id": "CSAFPID-51001"
                    }
                  }
                ],
                "category": "product_name",
                "name": "PLCnext Engineer"
              }
            ],
            "category": "product_family",
            "name": "Software"
          }
        ],
        "category": "vendor",
        "name": "Phoenix Contact"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006",
          "CSAFPID-31008",
          "CSAFPID-31009",
          "CSAFPID-51001"
        ],
        "summary": "Affected products."
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=2024.0 installed on AXC F 1152",
          "product_id": "CSAFPID-31001"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=2024.0 installed on AXC F 2152",
          "product_id": "CSAFPID-31002"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=2024.0 installed on AXC F 3152",
          "product_id": "CSAFPID-31003"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=2024.0 installed on BPC 9102S",
          "product_id": "CSAFPID-31004"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11004"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=2024.0 installed on EPC 1502",
          "product_id": "CSAFPID-31005"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11005"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=2024.0 installed on EPC 1522",
          "product_id": "CSAFPID-31006"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11006"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=2024.0 installed on RFC 4072R",
          "product_id": "CSAFPID-31008"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11008"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=2024.0 installed on RFC 4072S",
          "product_id": "CSAFPID-31009"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11009"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-46144",
      "cwe": {
        "id": "CWE-494",
        "name": "Download of Code Without Integrity Check"
      },
      "notes": [
        {
          "category": "description",
          "text": "A download of code without integrity check vulnerability in PLCnext products allows an remote attacker with low privileges to compromise integrity on the affected engineering station and the connected devices.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006",
          "CSAFPID-31008",
          "CSAFPID-31009",
          "CSAFPID-51001"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "PLCnext Control is developed and designed for use in protected industrial networks. In this approach, the production plant is protected against attacks, especially from the outside, by a multi-level perimeter, including firewalls, and by dividing the plant into OT zones using firewalls.\nThis concept is supported by organizational measures in the production facility as part of a security management system. To achieve security, measures are required at all levels. It must be ensured that the application is always transferred or stored in protected environments.\nThis applies to both data in transmission and data at rest. Connections between the engineering tools (PLCnext Engineer) and PLCnext Control must always be in a locally protected environment or, in the case of remote access, protected by VPN.\nProject data should not be sent as a file via email or other transmission mechanisms without additional integrity and authenticity checks. Project data should only be stored in protected environments.\nFor general information and recommendations on security measures to protect network-enabled devices, refer to the application note:Application note Security\nPLCnext Control provides a feature set that supports users in setting up a separated protected environment, for example, by using separated Ethernet ports, firewalls, user and certificate management, and integrity checks. These features can reduce the attack surface of this vulnerability.\nFor more information\u0027s refer to the PLCnext Info Centers.\n\nPLCnext Control provides project data integrity checks, information\u0027s about the default configuration are provided in the topic Checking project data integrity.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "PLCnext Control security feature set and hardening are continuously improved. Please check the PLCnext Control product download pages for updated versions and the PSIRT webpage https://phoenixcontact.com/psirt for updated information\u0027s and firmware regularly.\n\n\n\n\n\nWe recommend that our customers always use the latest LTS versions, as known security vulnerabilities are regularly fixed. The latest version at the time of publication of this advisory is 2023.0.7 LTS Hotfix.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "environmentalScore": 7.7,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "temporalScore": 7.7,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006",
            "CSAFPID-31008",
            "CSAFPID-31009",
            "CSAFPID-51001"
          ]
        }
      ],
      "title": "CVE-2023-46144"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.