Phoenix Contact Automation Worx

Plan PatchCVSS 7.8ICS-CERT ICSA-22-326-03Nov 15, 2022

Phoenix Contact

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Phoenix Contact Automation Worx Software Suite versions 1.89 and earlier contain heap buffer overflow and read access violation vulnerabilities in how the applications parse project files. These are triggered when a user opens a malicious project file, leading to potential code execution with user-level privileges on the affected workstation. The vulnerabilities affect Config+, PC Worx, and PC Worx Express components. No public exploits are currently known, and the vulnerabilities are not remotely exploitable; they require a user to open a crafted file.

What this means

What could happen

A user who opens a malicious Automation Worx project file could trigger a heap buffer overflow or memory access violation, allowing arbitrary code execution on their engineering workstation with user privileges. This could allow an attacker to compromise the workstation and potentially move laterally to connected control systems.

Who's at risk

Engineering teams and automation specialists who use Phoenix Contact Automation Worx Software Suite (Config+, PC Worx, or PC Worx Express) to design and manage programmable logic controllers (PLCs), process control systems, and industrial automation equipment. This affects anyone exchanging project files within a water authority, electric utility, or manufacturing facility using these tools.

How it could be exploited

An attacker sends a malicious Automation Worx project file (via email or file sharing) to an engineer. When the engineer opens the file in Automation Worx Software Suite, the application processes the file incorrectly, triggering a heap buffer overflow or read access violation. This leads to arbitrary code execution on the workstation running under the user's privileges.

Prerequisites

User must open a malicious project file in one of the affected Automation Worx applications
Affected versions: Automation Worx Software Suite Config+ version 1.89 or earlier, PC Worx version 1.89 or earlier, or PC Worx Express version 1.89 or earlier

Memory safety vulnerability (heap buffer overflow, read access violation)No patch available for affected versionsDelivery vector is file-based (email or file sharing)Could compromise engineering workstations and facilitate lateral movement to control systemsLow exploit complexity

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (6)

3 with fix3 EOL

ProductAffected VersionsFix Status

Automation Worx Software Suite - Config+:≤ 1.89No fix (EOL)

Automation Worx Software Suite - PC Worx:≤ 1.89No fix (EOL)

Config+ 1.0<=1.891.0≤ 1.891.90

PC Worx 1.0<=1.891.0≤ 1.891.90

PC Worx Express 1.0<=1.891.0≤ 1.891.90

Automation Worx Software Suite - PC Worx Express:≤ 1.89No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDExchange Automation Worx project files only via secure file exchange services; do not send project files via unencrypted email

HARDENINGEducate engineering staff not to open project files from unknown or untrusted sources without verification

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Automation Worx Software Suite to the latest available version (newer than 1.89)

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: Automation Worx Software Suite - Config+:, Automation Worx Software Suite - PC Worx:, Automation Worx Software Suite - PC Worx Express:. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate engineering workstations running Automation Worx from the general business network

HARDENINGIf remote access to engineering workstations is necessary, use VPN with multi-factor authentication and keep VPN software updated

CVEs (2)

CVE-2022-3461 CVE-2022-3737

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/12893321-16b1-4b7f-8759-061bbd3059e1

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.