Phoenix Contact: Security Advisory for ESL Stick USB-A
Monitor | 4.2 | VDE-2025-005 | Jan 14, 2025
Attack Vector: Physical
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
A vulnerability in the Infineon Technologies cryptographic library used in Phoenix Contact ESL STICK USB-A firmware versions below 4.5.2 allows extraction or forgery of ECDSA signatures. Exploitation requires physical access to the device and specialized equipment. The vulnerability affects only ECC keys used for ECDSA signature calculations. Phoenix Contact released firmware version 4.5.2 to fix this issue.
What this means
What could happen
An attacker with physical access to an ESL STICK USB-A device and special equipment could extract or forge ECDSA signatures, potentially allowing unauthorized code signing or authentication bypass on systems relying on these devices for cryptographic validation.
Who's at risk
Organizations using Phoenix Contact ESL STICK USB-A devices for cryptographic operations, code signing, or secure authentication in industrial automation, engineering workstations, or systems that rely on ECDSA-based digital signatures should upgrade their firmware.
How it could be exploited
An attacker must physically obtain an ESL STICK USB-A device and use specialized equipment (such as side-channel analysis tools or fault injection hardware) to exploit the cryptographic library vulnerability. The attack targets ECDSA signature calculations, allowing extraction of key material or signature forgery without valid credentials.
Prerequisites
- Physical access to the ESL STICK USB-A device
- Specialized equipment for side-channel or fault injection attacks
- Knowledge of ECDSA cryptographic operations
physical access required | specialized equipment required | affects cryptographic operations | ECDSA signature compromise possible
Affected products (1)
Product | Affected Versions | Fix Status
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update all ESL STICK USB-A devices to firmware version 4.5.2 or later
CVEs (1)