PHOENIX CONTACT: Local Privilege Escalation in Portico Remote desktop control software
Plan Patch · 7.8 · VDE-2020-013 · Mar 27, 2020
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
A local privilege escalation vulnerability exists in Phoenix Contact Portico Server client software (versions 16 CLIENT, SERVER 1 CLIENT, and SERVER 4 CLIENT up to version 3.0.7). When Portico runs as a service, a user with standard (non-admin) access to the machine can execute shell commands with administrator privileges through the Import/Export configuration dialog. This allows privilege escalation without administrative credentials. The vulnerability is fixed in version V3.0.8 or later.
What this means
What could happen
A local attacker with user-level access to a PC running Portico could escalate their privileges to administrator, allowing them to modify industrial device configurations or gain full control of the remote desktop software.
Who's at risk
Industrial facilities using Phoenix Contact Portico for remote desktop control of PLCs and other control devices are at risk. This affects operators and engineers who use Portico clients to manage distributed industrial systems, particularly in manufacturing, utilities, and process industries.
How it could be exploited
An attacker with a user account on the machine opens the Portico client software, accesses the Import/Export configuration dialog, and launches a command shell with administrator privileges. This gives them full control over Portico operations and any connected devices.
Prerequisites
- Local user account on the machine running Portico client software
- Access to the Portico application on that machine
- Portico running as a service
- locally exploitable
- low complexity
- no authentication required for privilege escalation once local access is present
- affects control system management software
Affected products (3)
3 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| Software PORTICO SERVER 16 CLIENT | ≤ 3.0.7 | V3.0.8 |
| Software PORTICO SERVER 1 CLIENT | ≤ 3.0.7 | V3.0.8 |
| PORTICO SERVER 4 CLIENT | ≤ 3.0.7 | V3.0.8 |
Remediation & Mitigation
Do now
- WORKAROUND: Restrict user access to Portico Import/Export features to only trusted administrative users
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update Portico Server to version V3.0.8 or higher on all affected clients (16 CLIENT, SERVER 1 CLIENT, SERVER 4 CLIENT)
Long-term hardening
- HARDENING: Limit local user accounts on PCs running Portico to only personnel who require access; follow principle of least privilege
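An added example, not part of the advisory or any Phoenix Contact tooling: a triage pass over an asset inventory export that applies the advisory's affected-version threshold and its "running as a service" precondition to decide patch order. The CSV layout, host names and status labels are assumptions.

```python
import csv
import io

# Product names and the fixed version come from the advisory's product table.
AFFECTED_PRODUCTS = {f"PORTICO SERVER {n} CLIENT" for n in (16, 1, 4)}
FIXED_VERSION = (3, 0, 8)

# Constructed sample inventory; column names and hosts are hypothetical.
SAMPLE_INVENTORY = """host,product,version,runs_as_service
eng-ws-01,PORTICO SERVER 16 CLIENT,3.0.7,yes
eng-ws-02,PORTICO SERVER 4 CLIENT,V3.0.8,yes
hmi-pc-03,PORTICO SERVER 1 CLIENT,3.0.5,no
hmi-pc-04,PORTICO SERVER 16 CLIENT,3.0.10,yes
hmi-pc-05,PORTICO SERVER 4 CLIENT,unknown,yes
"""


def parse_version(text):
    """Turn '3.0.7' or 'V3.0.8' into a tuple of ints; None if unparseable."""
    parts = text.strip().lstrip("vV").split(".")
    try:
        return tuple(int(p) for p in parts)
    except ValueError:
        return None


def triage(inventory_csv):
    """Map each host running an affected product to a triage status."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().upper() not in AFFECTED_PRODUCTS:
            continue
        version = parse_version(row["version"])
        if version is None:
            status = "verify-manually"  # never assume an unknown build is fixed
        elif version >= FIXED_VERSION:  # numeric compare: 3.0.10 is newer than 3.0.8
            status = "fixed"
        elif row["runs_as_service"].strip().lower() == "yes":
            status = "patch-first"      # service mode is the escalation precondition
        else:
            status = "patch"            # affected build, not currently in service mode
        result[row["host"]] = status
    return result


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Comparing versions as integer tuples matters here: a plain string comparison would rank 3.0.10 below 3.0.8 and flag a fixed host as affected.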
CVEs (1)