PHOENIX CONTACT: Improper path sanitation on import of project files in PLCnext Engineer

Score: 8.2
Advisory: VDE-2020-025
Date: Jul 21, 2020
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

PLCnext Engineer version 2020.3.1 and earlier contain improper path sanitation in the project file import process. An attacker can manipulate the build settings within a .pcwex project file to execute arbitrary code when an engineer builds the project. The vulnerability requires the attacker to gain access to the project file and place payload files accessible to the workstation, but successful exploitation results in code execution on the engineering machine during the build process.

What this means
What could happen
An attacker with access to a PLCnext Engineer project file can insert malicious code that executes on the engineer's workstation during the build process, potentially compromising the device and enabling further attacks on your control systems network.
Who's at risk
Manufacturing facilities using PLCnext Engineer to develop and deploy PLC and edge controller firmware. This includes engineers and technicians who work with Phoenix Contact PLCnext programmable logic controllers and industrial systems.
How it could be exploited
An attacker obtains or intercepts a .pcwex project file, modifies the build settings to include malicious code or commands, and tricks an engineer into opening and building the project in PLCnext Engineer. When the build runs, the malicious code executes on the workstation with the engineer's privileges.
Prerequisites
  • Access to a PLCnext Engineer project file (.pcwex)
  • Ability to modify the project file and place payload files where the build system can access them
  • An engineer must import and build the malicious project

  • Low complexity attack
  • Requires local machine access, but social engineering is viable
  • Affects engineering workstations that manage production devices
  • Path traversal vulnerability can lead to arbitrary code execution
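As an added illustration of the vulnerability class named above (improper path sanitation on project import), and not code from Phoenix Contact, PLCnext Engineer or the advisory, the following Python shows how an importer should confine every path taken from an untrusted project file to the import directory before it writes or executes anything. The entry names are constructed; the advisory does not describe the real .pcwex layout, so the sample layout is hypothetical.

```python
from pathlib import Path, PureWindowsPath
from typing import Dict, Optional


def contained_path(import_root: str, entry_name: str) -> Optional[Path]:
    """Map a path string from an untrusted project file onto a location
    inside import_root. Returns None (reject) when the entry is empty,
    absolute, drive- or UNC-qualified, contains a '..' component, or when
    the resolved path (symlinks followed) ends up outside import_root.
    PureWindowsPath is used because the engineering tool runs on Windows,
    so both '/' and '\\' must be treated as separators."""
    root = Path(import_root).resolve()
    entry = PureWindowsPath(entry_name)
    if not entry.parts:          # empty name would map onto root itself
        return None
    if entry.anchor:             # 'C:\\...', '\\\\host\\share\\...', '\\...'
        return None
    if ".." in entry.parts:      # any traversal component, even 'a\\..\\b'
        return None
    candidate = root.joinpath(*entry.parts).resolve()
    try:
        candidate.relative_to(root)   # must still be under root after resolve
    except ValueError:
        return None
    return candidate


def triage_entries(import_root: str, entries) -> Dict[str, bool]:
    """Return {entry_name: accepted} for a list of project-file entry names."""
    return {name: contained_path(import_root, name) is not None for name in entries}


# Constructed sample entry names (hypothetical project layout).
SAMPLE_ENTRIES = [
    "src/main.pou",                          # ordinary relative entry: accept
    "build\\settings.xml",                   # backslash separator: accept
    "..\\..\\Users\\Public\\payload.cmd",    # traversal out of the import dir: reject
    "src/../../evil.dll",                    # traversal hidden mid-path: reject
    "C:\\Windows\\System32\\drivers\\x.sys", # drive-qualified absolute path: reject
    "\\\\untrusted-host\\tools\\run.exe",    # UNC path to a remote share: reject
]

if __name__ == "__main__":
    for name, ok in triage_entries(".", SAMPLE_ENTRIES).items():
        print("ACCEPT" if ok else "REJECT", name)
```

The same containment check belongs on every path the importer reads from build settings (tool locations, output directories, pre/post-build commands), not only on file entries.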
Affected products (1)
Product: PLCnext Engineer (Software)
Affected Versions: ≤ 2020.3.1
Fix Status: 2020.6
Remediation & Mitigation
Do now
HARDENING: Only import project files from trusted, verified sources
WORKAROUND: Use secure file transfer methods (TLS/SFTP, VPN) instead of unencrypted email when exchanging project files
WORKAROUND: Verify project file integrity using checksums provided by the source before opening or building
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update PLCnext Engineer to version 2020.6 or later