PHOENIX CONTACT Automation Worx Software Suite

Monitor7.8ICS-CERT ICSA-19-171-01Jun 20, 2019

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Multiple memory corruption vulnerabilities (CWE-824 buffer over-read, CWE-125 out-of-bounds read, CWE-416 use-after-free) in PHOENIX CONTACT Automation Worx Software Suite allow remote code execution when a user opens a malicious project file. Affected versions: PC Worx, PC Worx Express, and Config+ through version 1.86. PHOENIX CONTACT states the next version is in development; no timeline for availability provided.

What this means

What could happen

An attacker could execute arbitrary code on a workstation running PC Worx or Config+ if a user opens a malicious project file, potentially compromising engineering systems and the ability to manage plant controls.

Who's at risk

Engineering teams using PHOENIX CONTACT PC Worx or Config+ software to design, configure, and manage automated control systems. This affects organizations in manufacturing, utilities, and industrial automation that rely on these tools for PLC and automation device programming.

How it could be exploited

An attacker crafts a malicious PC Worx or Config+ project file and tricks a user into opening it via email or file sharing. When the file is opened in the vulnerable software, memory corruption bugs (CWE-824, CWE-125, CWE-416) allow the attacker to execute arbitrary code with the permissions of the user.

Prerequisites

User must open a malicious project file (.pjx or equivalent) in PC Worx or Config+
Attack delivered via email, file sharing service, or social engineering
No prior authentication or network access required

Requires user interaction (opening a file)No patch availableMemory corruption vulnerabilities can lead to code executionSocial engineering attack vector

Exploitability

Moderate exploit probability (EPSS 2.0%)

Affected products (3)

3 EOL

ProductAffected VersionsFix Status

PC Worx Automation Worx Software Suite:≤ 1.86No fix (EOL)

PC Worx Express Automation Worx Software Suite:≤ 1.86No fix (EOL)

Config+ Automation Worx Software Suite:≤ 1.86No fix (EOL)

Remediation & Mitigation

0/6

Do now

0/3

WORKAROUNDDo not open project files (.pjx) from untrusted sources or unsolicited email attachments

HARDENINGUse only secure file exchange services when sharing PC Worx or Config+ project files with colleagues and partners

HARDENINGDo not use unencrypted email to exchange project files

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGTrain engineering staff to recognize phishing attempts and social engineering tactics related to project file sharing

HOTFIXUpgrade to the next version of Automation Worx Software Suite when Phoenix Contact releases it

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: PC Worx Automation Worx Software Suite:, PC Worx Express Automation Worx Software Suite:, Config+ Automation Worx Software Suite:. Apply the following compensating controls:

HARDENINGMonitor for suspicious file sharing activity and project file modifications

CVEs (3)

CVE-2019-12870 CVE-2019-12869 CVE-2019-12871

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/7e0465d7-2ee7-4198-838f-a5b45ad7d3f4