PHOENIX CONTACT: Security Advisory for PLCNext, ILC 2050 BI, FL MGUARD DM UNLIMITED, TC ROUTER und CLOUD CLIENT products

Plan Patch | CVSS 7.4 | VDE-2021-025 | Jun 23, 2021
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Multiple OpenSSL 1.1.1 vulnerabilities (CWE-295: Improper Certificate Validation, CWE-476: NULL Pointer Dereference) exist in Phoenix Contact network-capable products. These flaws enable denial of service attacks (device crash/reboot) and bypass of certificate authority validation checks, potentially allowing man-in-the-middle attacks on encrypted communications. Affected product families include PLCnext controllers, ILC 2050 BI industrial PCs, TC ROUTER gateways, CLOUD CLIENT remote management devices, and FL MGUARD firewalls. Some products have vendor patches available, while others (CLOUD CLIENT 2002T series, ILC 2050 BI, TC ROUTER 4000 series, ENERGY AXC PU, SMARTRTU AXC series) have no fix planned.

What this means
What could happen
An attacker with network access could trigger a denial of service that crashes the device, halting communications and data collection, or exploit weak certificate validation to perform man-in-the-middle attacks and potentially intercept or modify sensitive process communications.
Who's at risk
Energy utilities, water authorities, and manufacturing facilities using Phoenix Contact PLCnext controllers, ILC 2050 BI industrial PCs, TC ROUTER gateways, CLOUD CLIENT remote management devices, and FL MGUARD firewalls. The vulnerability affects multiple product lines used for real-time process monitoring, remote supervisory access, and secure communications between field devices and control centers.
How it could be exploited
An attacker on the network sends specially crafted SSL/TLS messages to trigger a crash in the OpenSSL library (DoS), or impersonates a trusted server by presenting an invalid certificate that is not properly validated due to the CA check flaw, allowing interception of encrypted communications between the device and remote systems.
Prerequisites
  • Network access to the device's Ethernet port or network segment where the device resides
  • The device must accept inbound TLS/SSL connections or initiate outbound encrypted communications
  • Remotely exploitable over the network
  • No authentication required for DoS attack
  • Affects communication security in critical infrastructure
  • Multiple product variants with no patch available
  • Could cause loss of remote visibility and control of distributed assets
Affected products (22)
12 with fix, 10 pending

Product | Affected Versions | Fix Status
CLOUD CLIENT 1101T-TX/TX | <2.06.5 | 2.06.5
CLOUD CLIENT 2002T-4G EU | ≤ 4.5.72.100 | No fix yet
CLOUD CLIENT 2002T-WLAN | ≤ 4.5.72.100 | No fix yet
CLOUD CLIENT 2102T-4G EU WLAN | ≤ 4.5.72.100 | No fix yet
ENERGY AXC PU | ≤ V4.10.0.0 | No fix yet
Remediation & Mitigation
Do now
ILC 2050 BI
HARDENING: For CLOUD CLIENT 2002T series, ILC 2050 BI series, TC ROUTER 4000 series, and other products with no vendor fix available, implement network segmentation to isolate affected devices from untrusted networks using a firewall
All products
WORKAROUND: Deploy firewall rules to restrict inbound TLS/SSL connections to affected devices to only authorized remote systems and engineering workstations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

CLOUD CLIENT 1101T-TX/TX
HOTFIX: Update CLOUD CLIENT 1101T-TX/TX to firmware version 2.06.5 or later
TC ROUTER 2002T-3G
HOTFIX: Update TC ROUTER 2002T-3G, 3002T-4G, 3002T-4G ATT, and 3002T-4G VZW to firmware version 2.06.5 or later
AXC F 1152
HOTFIX: Update AXC F 1152, AXC F 2152, AXC F 3152, RFC 4072S, and PLCnext Technology products running 2021.0 LTS to version 2021.0.5 LTS or later
FL MGUARD DM UNLIMITED
HOTFIX: Update FL MGUARD DM UNLIMITED to firmware version 1.13 or later
All products
WORKAROUND: Where the option exists and business operations allow, disable remote management or cloud connectivity features on affected devices until patched
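To apply the table and remediation items above to an asset list, the following added example (not part of the advisory or any vendor tooling) sorts devices into patch, isolate, and fixed groups using only the version thresholds stated on this page. The inventory rows, asset tags, and status names are constructed for illustration, and the TC ROUTER 3002T names expand the shortened list in the remediation item.

```python
import re

# Fixed-in firmware versions, taken from the remediation items on this page.
FIXED_IN = {
    "CLOUD CLIENT 1101T-TX/TX": "2.06.5", "TC ROUTER 2002T-3G": "2.06.5",
    "TC ROUTER 3002T-4G": "2.06.5", "TC ROUTER 3002T-4G ATT": "2.06.5",
    "TC ROUTER 3002T-4G VZW": "2.06.5", "FL MGUARD DM UNLIMITED": "1.13",
    "AXC F 1152": "2021.0.5", "AXC F 2152": "2021.0.5",
    "AXC F 3152": "2021.0.5", "RFC 4072S": "2021.0.5",
}
# Products listed as "No fix yet": affected up to and including this version.
NO_FIX_UP_TO = {
    "CLOUD CLIENT 2002T-4G EU": "4.5.72.100",
    "CLOUD CLIENT 2002T-WLAN": "4.5.72.100",
    "CLOUD CLIENT 2102T-4G EU WLAN": "4.5.72.100",
    "ENERGY AXC PU": "4.10.0.0",
}

def parse_version(text, width=4):
    """'V4.9.0.0' or '2021.0.3 LTS' -> zero-padded int tuple, so that
    4.9 sorts below 4.10 (a plain string comparison gets this wrong)."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    return tuple(nums + [0] * (width - len(nums)))

def triage(product, version):
    """Classify one device: patch, fixed, isolate, review or not-listed."""
    have = parse_version(version)
    if product in FIXED_IN:
        return "fixed" if have >= parse_version(FIXED_IN[product]) else "patch"
    if product in NO_FIX_UP_TO:
        # No firmware fix: segment and firewall the device instead.
        # Versions above the listed bound need a manual check.
        bound = parse_version(NO_FIX_UP_TO[product])
        return "isolate" if have <= bound else "review"
    return "not-listed"

def plan(inventory):
    """Group asset tags by triage status."""
    groups = {}
    for tag, product, version in inventory:
        groups.setdefault(triage(product, version), []).append(tag)
    return groups

# Constructed sample inventory (asset tag, product, firmware); not real devices.
SAMPLE_INVENTORY = [
    ("rtr-01", "TC ROUTER 3002T-4G", "2.06.4"),
    ("rtr-02", "TC ROUTER 3002T-4G", "2.06.5"),
    ("plc-07", "AXC F 2152", "2021.0.3 LTS"),
    ("cc-03", "CLOUD CLIENT 2002T-WLAN", "4.5.72.100"),
    ("pu-01", "ENERGY AXC PU", "V4.9.0.0"),
    ("fw-02", "FL MGUARD DM UNLIMITED", "1.13"),
    ("x-09", "UNLISTED EXAMPLE DEVICE", "3.00"),
]

if __name__ == "__main__":
    print(plan(SAMPLE_INVENTORY))
```

Devices in the "isolate" group map to the HARDENING and WORKAROUND items; "not-listed" only means the product does not appear in the rows reproduced here, not that it is unaffected.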
PHOENIX CONTACT: Security Advisory for PLCNext, ILC 2050 BI, FL MGUARD DM UNLIMITED, TC ROUTER und CLOUD CLIENT products | CVSS 7.4 - OTPulse