7.1 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:N/I:N/A:C
6.8 Medium
CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
6.6 Medium
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
54.2%
CVSS v3 7.6
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Phoenix Contact
**Equipment:**PLCNext AXC F 2152
**Vulnerabilities:**Key Management Errors, Improper Access Control, Man-in-the-Middle, Using Component with Known Vulnerabilities
Successful exploitation of these vulnerabilities could allow an attacker to decrypt passwords, bypass authentication, and deny service to the device. In addition, these vulnerabilities could interact with third-party vulnerabilities to cause other impacts to integrity, confidentiality, and availability.
Phoenix Contact reports these vulnerabilities affect firmware Version 1.x for the following PLCNext AXC F 2152 products:
A remote attacker can exploit a serverβs private key by sending carefully constructed UserIdentityTokens encrypted with the Basic128Rsa15 security policy. This could allow an attacker to decrypt passwords even if encrypted with another security policy such as Basic256Sha256.
CVE-2018-7559 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L).
An attacker with physical access to the device can manipulate SD card data, which could allow an attacker to bypass the authentication of the device. This device is designed for use in a protected industrial environment with restricted physical access.
CVE-2019-10998 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An attacker trying to connect to the device using a man-in-the-middle setup may crash the PLC service, resulting in a denial of service condition. The device must then be rebooted, or the PLC service must be restarted manually via Linux shell.
CVE-2019-10997 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
This product uses older versions of several open-source software components containing vulnerabilities that may affect availability, integrity, or confidentiality of the AXC F 2152. See the full list of CVE identifiers in CERT VDE advisory number VDE-2019-009.
Please see link in the Mitigations section for additional details.
Zahra Khani of Firmalyzer reported some of these vulnerabilities to NCCIC. The OPC Foundation reported some of these vulnerabilities to Phoenix Contact.
Phoenix Contact recommends affected users update to firmware release 2019.0 LTS or later, update to PLCNext Engineer release 2019.0 LTS or later, and apply the following specific mitigations below:
Phoenix Contact also recommends users operate the devices in closed networks or environments protected with a suitable firewall. For detailed information on recommendations for measures to protect network-capable devices, please refer to the Phoenix Contact application note βArt.-Nr. 107913: AH EN INDUSTRIAL SECURITY - Measures to protect network-capable devices with Ethernet connection against unauthorized access,β which can be found at the following link:
For more information, CERT@VDE has released a security advisory available at the following link:
<https://cert.vde.com/en-us/advisories/vde-2019-009>
NCCIC recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01BβTargeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.
NCCIC also recommends that users take the following measures to protect themselves from social engineering attacks:
No known public exploits specifically target these vulnerabilities.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7559
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10997
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10998
cert.vde.com/en-us/advisories/vde-2019-009
cert.vde.com/en-us/advisories/vde-2019-009
cwe.mitre.org/data/definitions/284.html
cwe.mitre.org/data/definitions/300.html
cwe.mitre.org/data/definitions/320.html
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=PHOENIX%20CONTACT%20PLCNext%20AXC%20F%202152+https://www.cisa.gov/news-events/ics-advisories/icsa-19-155-01
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-19-155-01&title=PHOENIX%20CONTACT%20PLCNext%20AXC%20F%202152
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-19-155-01
www.oig.dhs.gov/
www.phoenixcontact.com/assets/downloads_ed/local_pc/web_dwl_technical_info/ah_en_industrial_security_107913_en_01.pdf
www.phoenixcontact.com/online/portal/us/?uri=pxc-oc-itemdetail:pid=2404267&library=usen&pcck=P-21-14-01&tab=1&selectedCategory=ALL
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-advisories/icsa-19-155-01
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=PHOENIX%20CONTACT%20PLCNext%20AXC%20F%202152&body=www.cisa.gov/news-events/ics-advisories/icsa-19-155-01
7.1 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:N/I:N/A:C
6.8 Medium
CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
6.6 Medium
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
54.2%