PHOENIX CONTACT: Path Traversal in Library of PLCnext Technology Toolchain and FL Network Manager

Plan PatchCVSS 9.8VDE-2022-007Mar 22, 2022

Phoenix ContactManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A path traversal vulnerability exists in SharpZipLib, a TAR/ZIP extraction library used by Phoenix Contact's PLCnext Technology toolchain and FL Network Manager. Versions prior to SharpZipLib 1.3.3 allow crafted TAR or ZIP files with directory traversal sequences (../evil.txt) to extract files outside their intended directory. This enables arbitrary file write on the host system, potentially leading to code execution. PLCnext Technology toolchain for Windows versions prior to 2022.0 LTS and FL Network Manager versions prior to 6.0.1 are affected.

What this means

What could happen

An attacker could write arbitrary files to a Windows system running the affected toolchain or FL Network Manager by crafting a malicious TAR/ZIP file, potentially allowing code execution on the engineering workstation or device managing your PLC network.

Who's at risk

Manufacturing facilities and utilities using PLCnext Technology toolchain on Windows engineering workstations or FL Network Manager to manage Phoenix Contact PLC networks and devices. Any operator or engineer who imports device snapshots, configuration files, or software archives from external sources is at risk.

How it could be exploited

An attacker crafts a TAR or ZIP file with path traversal entries (e.g., ../evil.txt) and tricks a user into extracting it via the PLCnext toolchain or FL Network Manager. The vulnerable SharpZipLib library extracts files outside the intended directory, allowing arbitrary file write. If the attacker writes to a system directory or executable path, code execution can follow.

Prerequisites

User must extract or import a malicious TAR/ZIP file via PLCnext Technology toolchain or FL Network Manager
Affected version of toolchain or FL Network Manager must be installed on the system
No authentication required; exploitation occurs during normal file extraction operation

remotely exploitableno authentication requiredlow complexityarbitrary file write leading to code execution on engineering workstationaffects PLC configuration and control systems

Exploitability

Some exploitation risk — EPSS score 1.6%

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

FL Network Manager <=6.0≤ 6.06.0.1

PLCnext Technology tool chain for Windows <2022.0 LTS<2022.0 LTS2022.0 LTS

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDOnly import Device Snapshots and TAR/ZIP files from trusted, verified sources

HARDENINGRestrict file import and extraction operations to trusted engineering personnel only

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate PLCnext Technology toolchain for Windows to version 2022.0 LTS or later

HOTFIXUpdate FL Network Manager to version 6.0.1 or later

CVEs (2)

CVE-2021-32840 CVE-2021-32842

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f9ceba12-595f-464c-a1a5-214f63a8d868

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.