OTPulse

PHOENIX CONTACT RAD-80211-XD

Plan PatchCVSS 9.9ICS-CERT ICSA-19-085-02Mar 25, 2019
Phoenix ContactEnergyManufacturing
Attack path
Attack VectorNetwork
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary

The RAD-80211-XD and RAD-80211-XD/HP-BUS wireless radio modules contain a command injection vulnerability (CWE-77) that allows an authenticated attacker to execute arbitrary system commands with administrative privileges on the device. The vulnerability has a CVSS score of 9.9 due to its ability to compromise confidentiality, integrity, and availability across connected systems. Phoenix Contact has removed these products from active maintenance due to obsolescence and will not provide a firmware patch. The vendor recommends upgrading to the active FL WLAN product line or restricting network access via firewall protection.

What this means
What could happen
An attacker with valid credentials and network access to a RAD-80211-XD radio module could execute system commands with administrative privileges, potentially disrupting wireless connectivity or altering configurations in connected control systems.
Who's at risk
Water utilities and electric utilities using Phoenix Contact RAD-80211-XD or RAD-80211-XD/HP-BUS wireless radio modules for remote telemetry, SCADA communications, or distributed control node connectivity should be concerned. Any organization relying on these obsolete wireless access points for ICS network communications is at risk.
How it could be exploited
An attacker who can reach the device on the network and has valid login credentials could submit a specially crafted command to the device, which would execute with administrative privileges. This could be used to gain control over the radio module's operation or extract sensitive configuration data.
Prerequisites
  • Network access to the RAD-80211-XD radio module on port 80 or management interface
  • Valid user login credentials for the device
remotely exploitablerequires valid credentialsno patch availableno vendor support (end of life)affects industrial control system communications
Exploitability
Some exploitation risk — EPSS score 4.3%
Affected products (4)
2 pending2 EOL
ProductAffected VersionsFix Status
RAD-80211-XDAll versionsNo fix (EOL)
RAD-80211-XD/HP-BUSAll versionsNo fix (EOL)
RAD-80211-XD: (2885728)2885728No fix yet
RAD-80211-XD/HP-BUS: (2900047)2900047No fix yet
Remediation & Mitigation
0/5
Do now
0/4
RAD-80211-XD
HARDENINGOperate RAD-80211-XD radio modules only in closed, isolated networks not connected to untrusted networks
HARDENINGDeploy firewall rules to restrict network access to RAD-80211-XD devices from all external networks
HARDENINGIsolate RAD-80211-XD radio modules from the business network using network segmentation
HARDENINGDisable remote access to RAD-80211-XD devices unless absolutely necessary; if required, use VPN with current security patches
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

RAD-80211-XD
HOTFIXUpgrade to Phoenix Contact active FL WLAN product line to replace obsolete RAD-80211-XD devices
View full CISA ICS-CERT advisory
API: /api/v1/advisories/01dd3e25-8727-4d70-8d0d-9c8eb9360318

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

PHOENIX CONTACT RAD-80211-XD | CVSS 9.9 - OTPulse