PHOENIX CONTACT: Local Privilege Escalation in PC WORX SRT

Monitor | CVSS 7.8 | VDE-2020-012 | Mar 27, 2020
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

PC WORX SRT versions 1.14 and earlier are installed as Windows services with insecure file system permissions on their installation directory. Any local unprivileged user can write arbitrary files to the installation path, including service binaries and configuration files. This allows privilege escalation by modifying files that are executed with elevated service account privileges.

What this means
What could happen
An unprivileged local user (anyone with a login account on the system) can write arbitrary files to the PC WORX SRT installation directory, allowing them to modify service binaries or configuration files and escalate privileges to the service account.
Who's at risk
Engineering and automation teams at water utilities and electric utilities that use Phoenix Contact PC WORX SRT software for programming and configuring automation controllers. This affects Windows workstations and engineering servers where unprivileged staff or contractors have local login access.
How it could be exploited
An attacker with a local user account on the Windows system running PC WORX SRT can exploit insecure folder permissions on the installation directory. They can replace or modify service binaries or configuration files, which are then executed with elevated privileges when the service restarts, giving the attacker full control of the process.
Prerequisites
  • Local user account on the system running PC WORX SRT
  • PC WORX SRT installed as a service with default insecure permissions
  • Service restart or reboot to execute modified binaries
  • Low complexity to exploit
  • Only requires local user account access
  • High impact: privilege escalation to service account
  • No patch available yet (version 1.15+ status unknown)
Affected products (1)
Product | Affected Versions | Fix Status
Software PC WORX SRT <=1.14 | ≤ 1.14 | No fix yet
Remediation & Mitigation
Do now
HARDENING: Restrict NTFS permissions on the PC WORX SRT installation directory to deny write access for unprivileged users; grant read/execute only to the service account and administrators
HARDENING: Limit local user accounts on systems running PC WORX SRT to trusted personnel only; audit and remove unnecessary user accounts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update PC WORX SRT to version 1.15 or later if available from Phoenix Contact
Long-term hardening
HARDENING: Deploy PC WORX SRT only on dedicated single-user systems or isolated workstations not shared with general users, where feasible