Phoenix Contact: PLCnext Engineer Vulnerabilities in LibGit2Sharp/LibGit2

Act Now9.8VDE-2023-016Aug 8, 2023

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Several vulnerabilities exist in the LibGit2Sharp library used by PLCnext Engineer for version control. These vulnerabilities allow remote code execution, privilege escalation, and tampering with project files. An attacker can exploit these flaws by providing malicious Git repositories or git configuration data, leading to arbitrary code execution on the engineering workstation with the privileges of the user running PLCnext Engineer.

What this means

What could happen

An attacker with network access to a PLCnext Engineer workstation could execute arbitrary code or modify project files by exploiting vulnerabilities in the Git version control component, potentially altering PLC logic, credentials, or safety configurations.

Who's at risk

Manufacturing facilities using PLCnext Engineer on engineering workstations for PLC programming and configuration. This affects any operator or engineer who uses Git-based version control features for storing and managing PLC project code.

How it could be exploited

The attacker sends a malicious Git repository or git configuration file to a PLCnext Engineer user (or reaches the engineering workstation over the network). When the engineer opens or interacts with the repository in PLCnext Engineer, the vulnerable LibGit2Sharp library processes the malicious data and executes attacker code with the engineer's privileges, allowing modification of PLC programs before deployment.

Prerequisites

Network access to PLCnext Engineer workstation on port used for Git operations or file transfer
User opens or interacts with a crafted Git repository in PLCnext Engineer

remotely exploitableno authentication requiredlow complexityaffects safety systemshigh CVSS (9.8)

Affected products (1)

ProductAffected VersionsFix Status

PLCnext Engineer <=2023.3≤ 2023.32023.6.

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDDisable or avoid using the version control feature in PLCnext Engineer versions prior to 2023.6

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate PLCnext Engineer to version 2023.6 or later

Long-term hardening

0/1

HARDENINGRestrict network access to PLCnext Engineer workstations to trusted engineering networks only

CVEs (11)

CVE-2019-1387 CVE-2019-1354 CVE-2019-1353 CVE-2019-1352 CVE-2019-1351 CVE-2019-1350 CVE-2019-1349 CVE-2019-1348 CVE-2018-11235 CVE-2022-24765 CVE-2022-29187

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f3c66fa9-68a8-4f4f-b858-9550bdaa439b