Phoenix Contact TC ROUTER and TC CLOUD CLIENT

1. EXECUTIVE SUMMARY

• CVSS v3 9.6 *ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
• Vendor: Phoenix Contact
• Equipment: TC ROUTER and TC CLOUD CLIENT
• Vulnerabilities: Cross-site Scripting, XML Entity Expansion

2. RISK EVALUATION

Successful exploitation of this these vulnerabilities could execute code in the context of the user’s browser or cause a denial of service.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Phoenix contact reports that the following products are affected:

• TC ROUTER 3002T-4G: versions prior to 2.07.2
• TC ROUTER 3002T-4G ATT: versions prior to 2.07.2
• TC ROUTER 3002T-4G VZW: versions prior to 2.07.2
• TC CLOUD CLIENT 1002-4G: versions prior to 2.07.2
• TC CLOUD CLIENT 1002-4G ATT: versions prior to 2.07.2
• TC CLOUD CLIENT 1002-4G VZW: versions prior to 2.07.2
• CLOUD CLIENT 1101T-TX/TX: versions prior to 2.06.10

3.2 Vulnerability Overview

3.2.1 Cross-site Scripting CWE-79

In PHOENIX CONTACT TC ROUTER and TC CLOUD CLIENT prior to version 2.07.2 as well as CLOUD CLIENT 1101T-TX/TX prior to version 2.06.10 an unauthenticated remote attacker could use a reflective XSS within the license viewer page of the devices in order to execute code in the context of the user’s browser.

CVE-2023-3526 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

3.2.2 XML Entity Expansion CWE-776

In PHOENIX CONTACT TC ROUTER and TC CLOUD CLIENT prior to version 2.07.2 as well as CLOUD CLIENT 1101T-TX/TX prior to version 2.06.10 an authenticated remote attacker with admin privileges could upload a crafted XML file which causes a denial of service.

CVE-2023-3569 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

A. Resanovic and S. Stockinger at St. Pölten UAS discovered these vulnerabilities. T. Weber of CyberDanube Security Research coordinated the vulnerabilities with Phoenix Contact.

4. MITIGATIONS

Phoenix Contact has made the following fixed versions available and encourages users to download the latest version:

• TC ROUTER 3002T-4G
• TC ROUTER 3002T-4G ATT
• TC ROUTER 3002T-4G VZW
• TC CLOUD CLIENT 1002-4G
• TC CLOUD CLIENT 1002-4G ATT
• TC CLOUD CLIENT 1002-4G VZW
• CLOUD CLIENT 1101T-TX/TX

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on their recommendations for measures to protect network-capable devices, please refer to this application note “Measures to protect network-capable devices with Ethernet connection”

Phoenix Contact published a security advisory

CERT@VDE published VDE-2023-017

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• September 07, 2023: Initial Publication