Phoenix Contact Industrial Switch Exposes High Risk Vulnerabilities
Security company Positive Technologies has discovered four flaws in the industrial Ethernet switch from Phoenix Contact in Germany. These vulnerabilities can be remotely exploited to trigger DoS conditions, execute arbitrary code, and obtain potentially sensitive information.
Phoenix Contact is a German provider of industrial automation, connectivity and interface solutions. Its products are mainly used in critical infrastructure sectors such as communications, critical manufacturing and information technology. The company has 50 subsidiaries and 30 offices worldwide.
The four vulnerability numbers are CVE-2018-10728, CVE-2018-10730, CVE-2018-10731, and CVE-2018-10729.
- The most serious vulnerability is CVE-2018-10730, with a CVSS score of 9.1. If a configuration file can be transferred to or from the switch, an attacker can abuse the firmware upgrade mechanism to execute arbitrary OS shell commands. The German CERT@VDE has issued a security bulletin stating that an attacker can use this vulnerability to create an executable file and compromise the integrity of the managed FL SWITCH, for example by preventing the switch from providing network access.
- High-risk vulnerability CVE-2018-10731, CVSS score of 9.0: a stack-based buffer overflow that can be exploited to gain unauthorized access to the device’s OS files and inject executable code.
- Stack-based buffer overflow vulnerability CVE-2018-10728: affects the FL SWITCH product line and can be exploited to cause a DoS condition and execute arbitrary code. An attacker can use this vulnerability to disable the Web and Telnet services.
- Medium-severity vulnerability CVE-2018-10729: allows an unauthenticated attacker to read the device’s profile content.
These vulnerabilities affect Phoenix Contact FL SWITCH 3xxx, 4xxx and 48xx series devices running firmware versions 1.0 to 1.33; they have been fixed in firmware version 1.34. Vulnerability details and the firmware upgrade download address are given in the vendor advisory.
The researchers pointed out that, in this case, the affected switches were not found to be directly exposed to the Internet; these devices are usually used only on internal PLC networks.