OTPulse

PHOENIX CONTACT: Security Advisory for PLCNext, SMARTRTU AXC, CHARX control modular and EEM-SB37x

MonitorCVSS 6.6VDE-2021-024May 4, 2021
Phoenix ContactEnergyManufacturing
Attack path
Attack VectorNetwork
Auth RequiredHigh
ComplexityHigh
User InteractionNone needed
Summary

A Time-of-Check-Time-of-Use (TOCTOU) vulnerability in Phoenix Contact firmware update mechanisms allows an attacker with access to the firmware file to replace it with malicious code after cryptographic validation but before installation is completed. This bypasses signature verification and allows installation of arbitrary firmware. The vulnerability affects PLCNext controllers (AXC F series), SMARTRTU AXC gateway devices, CHARX control modular units, RFC industrial routers, energy management devices (EEM-SB), and related Starterkit products used in energy and manufacturing automation.

What this means
What could happen
An attacker with access to the firmware update file could replace it with malicious firmware after validation but before installation, bypassing signature checks and gaining complete control of the device. This allows unauthorized code execution on critical control systems in energy and manufacturing plants.
Who's at risk
Energy utilities and manufacturing plants using Phoenix Contact PLCNext, SMARTRTU AXC, CHARX control modular, and EEM-SB energy management devices for process control, automation, and grid management. Any facility performing firmware updates on these controllers should assess their update procedures and network protection.
How it could be exploited
An attacker intercepts or modifies the firmware file on a device performing a firmware update. The device validates the cryptographic signature of the original file, but the attacker replaces the file contents before the installation completes. The device installs the malicious firmware, unaware the file was changed after verification.
Prerequisites
  • Access to the firmware update file during the update process (local file access or ability to intercept in-progress updates)
  • Knowledge of device update mechanism and timing
  • Ability to modify files on the device or in transit during the update window
No authentication required to exploit (file access during update)Time-of-check-time-of-use design flawSeveral products have no patch availableAffects control system firmware integrityCould lead to unauthorized code execution on critical infrastructure
Exploitability
Unlikely to be exploited — EPSS score 0.5%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (15)
6 with fix9 EOL
ProductAffected VersionsFix Status
AXC F 1152≤ 2021.0 LTS2021.0.5 LTS
AXC F 2152≤ 2021.0 LTS2021.0.5 LTS
AXC F 2152 Starterkit≤ 2021.0 LTS2021.0.5 LTS
AXC F 3152≤ 2021.0 LTS2021.0.5 LTS
PLCnext Technology Starterkit≤ 2021.0 LTS2021.0.5 LTS
RFC 4072S≤ 2021.0 LTS2021.0.5 LTS
CHARX control modular 3000≤ V1.0.11No fix (EOL)
CHARX control modular 3050≤ V1.0.11No fix (EOL)
Remediation & Mitigation
0/4
Do now
0/3
ENERGY AXC PU
HARDENINGFor CHARX control modular, SMARTRTU AXC SG/IG, ENERGY AXC PU, and EEM-SB370/371 products where no current fix is available, enforce network segmentation to prevent unauthorized access to update mechanisms until patches are released
All products
WORKAROUNDRestrict network access to firmware update mechanisms using firewall rules—only allow firmware updates from authorized engineering workstations on isolated networks
HARDENINGPerform firmware updates only on physically isolated networks or closed networks not connected to external networks
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

AXC F 1152
HOTFIXUpdate AXC F 1152, AXC F 2152, AXC F 3152, RFC 4072S, and all Starterkit products to firmware version 2021.0.5 LTS or later
View full CERT@VDE advisory
API: /api/v1/advisories/73284d8f-2b0a-42b6-a56d-82a34b28b25c

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.