PHOENIX CONTACT: Multiple Linux component vulnerabilities in PLCnext Firmware
Priority: Act Now | CVSS: 9.8 | Advisory: VDE-2022-046 | Published: Nov 10, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities exist in Linux components used within PLCnext Firmware affecting memory management, authentication, and input validation. These include integer overflow, use-after-free, weak authentication, buffer overflow, and various memory safety issues. PLCnext Control AXC F x152 is certified per IEC 62443-4-1 and IEC 62443-4-2, which require regular checks of third-party components for known vulnerabilities. Patches are available for all affected products.
What this means
What could happen
An attacker with network access to a vulnerable PLCnext controller could execute arbitrary code with full control, potentially allowing them to alter process setpoints, stop production, or manipulate critical control logic in power generation or manufacturing facilities.
Who's at risk
Power utilities and manufacturing facilities using Phoenix Contact PLCnext Control controllers (AXC F x152 series, BPC 9102S, RFC 4072S, ENERGY AXC PU, EPC 1502/1522, SMARTRTU AXC SG) should be concerned. These devices are critical process controllers in power generation, distribution, and industrial automation systems.
How it could be exploited
An attacker on the network sends a specially crafted request to the vulnerable device on the Ethernet port. The Linux components in the PLCnext firmware (affecting memory management, authentication, and input validation) process the malicious input without proper validation and execute attacker-controlled code. No user interaction or credentials are required.
Prerequisites
- Network access to the device's Ethernet port (port 22, 80, 443, or 502 depending on enabled services)
- Device running vulnerable firmware version prior to LTS release dates
Risk factors
- Remotely exploitable
- No authentication required
- Low complexity attack
- High CVSS (9.8)
- Affects industrial control systems in critical infrastructure
- Multiple memory corruption vulnerabilities
Affected products (9)
9 with fix
Product | Affected Versions | Fix Status
AXC F 1152 | <2022.0.8 LTS | 2022.0.8 LTS
AXC F 2152 | <2022.0.8 LTS | 2022.0.8 LTS
AXC F 3152 | <2022.0.8 LTS | 2022.0.8 LTS
BPC 9102S | <2022.0.8 LTS | 2022.0.8 LTS
ENERGY AXC PU | <V04.14.00.00 | V04.14.00.00
EPC 1502 | <2022.0.7 LTS | 2022.0.7 LTS
EPC 1522 | <2022.0.7 LTS | 2022.0.7 LTS
RFC 4072S | <2022.0.8 LTS | 2022.0.8 LTS
Remediation & Mitigation
Do now
- HARDENING: Place all PLCnext network-capable devices in a closed or isolated network segment, separate from untrusted networks
- HARDENING: Deploy a firewall to restrict inbound network access to PLCnext devices to only necessary management ports and trusted sources
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
AXC F 1152
- HOTFIX: Update AXC F 1152, AXC F 2152, AXC F 3152, BPC 9102S, RFC 4072S to firmware 2022.0.8 LTS or later
ENERGY AXC PU
- HOTFIX: Update ENERGY AXC PU to firmware V04.14.00.00 or later
EPC 1502
- HOTFIX: Update EPC 1502 and EPC 1522 to firmware 2022.0.7 LTS or later
SMARTRTU AXC SG
- HOTFIX: Update SMARTRTU AXC SG to firmware V01.09.00.00 or later
All products
- HOTFIX: Update PLCnext Engineer (engineering workstation software) to the latest LTS release
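To triage an asset inventory against the fixed firmware versions listed above, the following is an added example and not part of the advisory or of any Phoenix Contact tooling. The function names, the status labels and the sample inventory are constructed for illustration; the comparison is purely numeric, following the advisory's "<" thresholds.

```python
import re

# Minimum fixed firmware per product, taken from the remediation list above.
FIXED = {
    "AXC F 1152": "2022.0.8 LTS", "AXC F 2152": "2022.0.8 LTS",
    "AXC F 3152": "2022.0.8 LTS", "BPC 9102S": "2022.0.8 LTS",
    "RFC 4072S": "2022.0.8 LTS", "ENERGY AXC PU": "V04.14.00.00",
    "EPC 1502": "2022.0.7 LTS", "EPC 1522": "2022.0.7 LTS",
    "SMARTRTU AXC SG": "V01.09.00.00",
}

def parse_version(text):
    """Turn '2022.0.8 LTS' or 'V04.14.00.00' into a comparable tuple of ints."""
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+)+)(?:\s+LTS)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def triage(inventory):
    """Return (asset, product, status) rows. Status is 'vulnerable', 'fixed',
    'unknown-product' or 'unparsed-version'; the last two need manual review."""
    results = []
    for asset, product, firmware in inventory:
        # Normalise case and whitespace before the lookup.
        fixed = FIXED.get(" ".join(product.upper().split()))
        if fixed is None:
            status = "unknown-product"
        else:
            try:
                have, need = parse_version(firmware), parse_version(fixed)
                # Pad so that a shorter version compares as if zero-extended.
                width = max(len(have), len(need))
                have += (0,) * (width - len(have))
                need += (0,) * (width - len(need))
                status = "vulnerable" if have < need else "fixed"
            except ValueError:
                # Never report an unreadable version as fixed.
                status = "unparsed-version"
        results.append((asset, product, status))
    return results

# Constructed sample inventory: asset names and installed versions are made up.
SAMPLE = [
    ("plc-line1", "AXC F 2152", "2021.0.5 LTS"),
    ("plc-line2", "axc f 3152", "2022.0.8 LTS"),
    ("edge-01", "EPC 1522", "2022.0.7 LTS"),
    ("rtu-07", "SMARTRTU AXC SG", "V01.08.00.00"),
    ("energy-02", "ENERGY AXC PU", "unknown"),
    ("hmi-03", "Some Panel", "1.0"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="\t")
```

Rows reported as unknown-product or unparsed-version should be checked by hand rather than assumed safe.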
CVEs (83)
CVE-2022-29824, CVE-2022-23308, CVE-2022-28391, CVE-2022-0547, CVE-2022-1381, CVE-2022-1420, CVE-2022-1733, CVE-2022-1796, CVE-2022-1621, CVE-2022-1616, CVE-2022-25313, CVE-2021-45117, CVE-2022-1619, CVE-2022-25235, CVE-2022-25236, CVE-2022-1629, CVE-2022-1735, CVE-2022-1769, CVE-2022-1785, CVE-2022-1620, CVE-2022-1674, CVE-2022-1771, CVE-2022-1886, CVE-2022-1851, CVE-2022-1898, CVE-2022-1720, CVE-2018-25032, CVE-2022-22576, CVE-2022-27778, CVE-2022-27779, CVE-2022-27782, CVE-2022-27774, CVE-2022-25314, CVE-2022-25315, CVE-2022-27776, CVE-2022-30115, CVE-2022-27780, CVE-2022-27781, CVE-2022-27775, CVE-2022-32207, CVE-2022-32206, CVE-2022-32208, CVE-2022-32205, CVE-2019-19906, CVE-2022-24407, CVE-2022-1154, CVE-2022-0943, CVE-2022-1160, CVE-2022-0729, CVE-2022-0572, CVE-2022-0696, CVE-2022-0685, CVE-2022-0714, CVE-2022-0361, CVE-2022-0368, CVE-2021-3973, CVE-2021-3796, CVE-2021-4166, CVE-2022-1927, CVE-2022-1942, CVE-2022-2129, CVE-2022-2175, CVE-2022-2182, CVE-2022-0778, CVE-2022-2183, CVE-2022-2343, CVE-2022-2207, CVE-2022-2210, CVE-2022-2344, CVE-2022-2345, CVE-2022-2208, CVE-2022-2231, CVE-2022-2287, CVE-2022-2285, CVE-2022-2284, CVE-2022-2286, CVE-2022-2289, CVE-2022-2288, CVE-2022-2264, CVE-2022-2206, CVE-2022-2257, CVE-2022-29862, CVE-2022-29864