PHOENIX CONTACT: Multiple Linux component vulnerabilities fixed in latest AXC F x152 LTS release

Act NowCVSS 9.8VDE-2022-010Apr 12, 2022

Phoenix ContactManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Phoenix Contact AXC F x152 controllers contain multiple vulnerabilities in third-party Linux kernel components and libraries integrated into the firmware. The vulnerabilities include buffer overflows (CWE-120, CWE-787), null pointer dereferences (CWE-476), integer overflows (CWE-190), missing authentication checks (CWE-306), and improper input validation (CWE-20). These affect AXC F 1152, AXC F 2152, AXC F 3152, and RFC 4072 devices running firmware versions prior to 2022.0.3 LTS (AXC F 1152/2152) or 2022.0.5 LTS (AXC F 3152/RFC 4072). The vulnerabilities were addressed through updates to integrated third-party libraries and SDKs in the LTS firmware releases.

What this means

What could happen

An attacker with network access to an AXC F x152 controller could exploit multiple vulnerabilities in the Linux kernel and third-party libraries to execute arbitrary code, crash the controller, or bypass authentication, potentially disrupting manufacturing process control and safety interlocks.

Who's at risk

Manufacturing facilities using Phoenix Contact AXC F x152 series programmable logic controllers (AXC F 1152, AXC F 2152, AXC F 3152) and RFC 4072 modules for process automation, production line control, and safety-critical operations. Any facility where these devices connect to an Ethernet network.

How it could be exploited

An attacker on the network sends a specially crafted packet or request to the AXC F x152 controller. The vulnerable kernel or library component processes the input without proper validation (buffer overflow, null pointer dereference, or other memory corruption), allowing the attacker to run arbitrary commands with the privilege level of the affected component.

Prerequisites

Network-level access to the AXC F x152 controller (Ethernet)
Device must be running a firmware version prior to 2022.0.3 LTS (AXC F 1152/2152) or 2022.0.5 LTS (AXC F 3152/RFC 4072)
No authentication required for exploitation

remotely exploitableno authentication requiredlow complexitycritical CVSS (9.8)multiple vulnerabilities in kernel and third-party librariesaffects industrial control systems

Exploitability

Likely to be exploited — EPSS score 73.2%

Metasploit module available — weaponized exploitView module ↗

Public Proof-of-Concept (PoC) on GitHub (10 repositories)

Affected products (4)

4 with fix

ProductAffected VersionsFix Status

AXC F 1152<2022.0.3 LTS2022.0.3 LTS

AXC F 2152<2022.0.3 LTS2022.0.3 LTS

AXC F 3152<2022.0.5 LTS2022.0.5 LTS

RFC 4072<2022.0.5 LTS2022.0.5 LTS

Remediation & Mitigation

0/6

Do now

0/1

HARDENINGIsolate AXC F x152 controllers in a protected network segment or place them behind a firewall that blocks unsolicited inbound traffic from untrusted networks

Schedule — requires maintenance window

0/5

Patching may require device reboot — plan for process interruption

AXC F 1152

HOTFIXUpdate AXC F 1152 firmware to version 2022.0.3 LTS or higher

AXC F 2152

HOTFIXUpdate AXC F 2152 firmware to version 2022.0.3 LTS or higher

AXC F 3152

HOTFIXUpdate AXC F 3152 firmware to version 2022.0.5 LTS or higher when available

RFC 4072

HOTFIXUpdate RFC 4072 firmware to version 2022.0.5 LTS or higher

All products

HOTFIXUpdate PLCnext Engineer to release 2022.0.1 LTS or higher

CVEs (60)

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/9665af36-7b11-470c-b86e-628327f06cd6

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.