Critical Flaws Patched in Phoenix Contact Industrial Switches
21.5.2018 securityweek  ICS

Several vulnerabilities, including ones rated critical and high severity, have been patched in industrial ethernet switches made by Phoenix Contact, a Germany-based company that specializes in industrial automation, connectivity and interface solutions.

The vulnerabilities, described in advisories published recently by ICS-CERT and its German counterpart CERT@VDE, can be exploited remotely to cause a denial-of-service (DoS) condition, execute arbitrary code, and gain access to potentially sensitive information.

The security holes, discovered by researchers at Positive Technologies, impact Phoenix Contact FL SWITCH 3xxx, 4xxx, 48xx series devices running firmware versions 1.0 through 1.33. The flaws have been patched by the vendor with the release of version 1.34.Several vulnerabilities patched in Phoenix Contact industrial switches

The most serious of the vulnerabilities, based on its CVSS score of 9.1, is CVE-2018-10730, which allows an attacker who has permission to transfer configuration files to/from the switch or permission to upgrade the firmware to execute arbitrary OS shell commands.

“CGI applications config_transfer.cgi and software_update.cgi are prone to OS command injection through targeted manipulation of their web-request headers,” CERT@VDE said in an advisory. “If the vulnerability is exploited, the attacker may create their own executable files that could further exploit the integrity of the managed FL SWITCH. For example, the attacker may deny switch network access.”

The second most serious issue, with a CVSS score of 9.0, is CVE-2018-10731. This flaw, caused by a stack-based buffer overflow, can be exploited to gain unauthorized access to the device’s OS files and inject executable code.

Another stack-based buffer overflow affecting FL SWITCH products is CVE-2018-10728, which can be exploited for DoS attacks and executing arbitrary code. An attacker can leverage this flaw to disable Web and Telnet services, CERT@VDE warned.

Several vulnerabilities patched in Phoenix Contact industrial switches

The last vulnerability patched by Phoenix Contact in its industrial switches is a medium severity weakness that allows an unauthenticated attacker to read the content of a device’s configuration file.

This is not the first time researchers from Positive Technologies have found vulnerabilities in switches from Phoenix Contact. In January, ICS-CERT and CERT@VDE disclosed flaws that could have been exploited to gain full control of affected devices and possibly interrupt operations in the ICS network.

Researchers said at the time that they had not found any of these switches connected directly to the Internet and noted that these devices are typically used for internal PLC networks.