Source: nessus
Copyright: This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
Plugin file: TENABLE_OT_PHOENIXCONTACT_CVE-2023-1109.NASL
History: Apr 26, 2023 - 12:00 a.m.

Phoenix Contact ENERGY AXC PU Path Traversal (CVE-2023-1109)

2023-04-26 00:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
12
phoenix contact energy axc pu
path traversal
vulnerability
authenticated user
file system
web service
web frontend
file access
tenable.ot
cve-2023-1109

EPSS

0.001

Percentile

27.1%

In the Phoenix Contact ENERGY AXC PU web service, an authenticated but restricted user of the web frontend can access, read, write and create files throughout the file system by sending specially crafted URLs to the upload and download functionality of the web service. This may lead to full control of the service.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

# Metadata registration. When the scan engine loads the plugin with
# `description` set, this block only declares identifiers, advisory text,
# scoring and scheduling requirements, then exits without running any check.
if (description)
{
  script_id(501079);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/17");

  script_cve_id("CVE-2023-1109");

  script_name(english:"Phoenix Contact ENERGY AXC PU Path Traversal (CVE-2023-1109)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"In Phoenix Contacts ENERGY AXC PU Web service an authenticated
restricted user of the web frontend can access, read, write and create
files throughout the file system using specially crafted URLs via the
upload and download functionality of the web service. This may lead to
full control of the service.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert.vde.com/en/advisories/VDE-2023-003/");
  script_set_attribute(attribute:"see_also", value:"https://github.com/advisories/GHSA-w923-8w64-f5gh");
  # The solution text carries no fixed version or mitigation; the two see_also
  # links above are where an operator has to look for remediation details.
  script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
  # Base vectors: network-reachable, low complexity, authentication required
  # (CVSS2 Au:S / CVSS3 PR:L, matching the "authenticated restricted user" in
  # the description), with complete/high impact on confidentiality, integrity
  # and availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  # Temporal vectors: exploit unproven (E:U), official fix available
  # (RL:OF / RL:O), report confirmed (RC:C).
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-1109");

  # Consistent with E:U above; reflects the state at plugin modification time,
  # so re-check current threat intelligence before using it to deprioritize.
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/04/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/04/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/04/26");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  # NOTE(review): the plugin name says "ENERGY AXC PU", but the only CPEs
  # declared here (and matched by the check below this block) are the
  # SMARTRTU AXC IG and SG firmware lines. Confirm against VDE-2023-003
  # whether other affected product lines are covered by a separate plugin.
  script_set_attribute(attribute:"cpe", value:"cpe:/o:phoenixcontact:smartrtu_axc_ig_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:phoenixcontact:smartrtu_axc_sg_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  # ACT_GATHER_INFO places the plugin in the information-gathering category,
  # i.e. it is not scheduled as an intrusive or destructive test.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Scheduling gate: run after the Tenable.ot API integration plugin and only
  # when the Tenable.ot/PhoenixContact KB key exists (presumably set by that
  # dependency when a Phoenix Contact asset is known -- verify).
  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/PhoenixContact");

  exit(0);
}


# Check body: a firmware-version comparison against asset data. Nothing in
# this file sends a request to the device's web service or attempts the path
# traversal; what the included helpers do internally is not visible here.
# A finding therefore means "firmware version falls in the affected range",
# not "exploitability confirmed", and it cannot see compensating controls
# such as network segmentation or restricted web-frontend accounts.

# Presumably supplies the tenable_ot::assets and tenable_ot::cve helpers
# used below -- confirm in the include file.
include('tenable_ot_cve_funcs.inc');

# Bail out unless the Phoenix Contact KB key is present.
get_kb_item_or_exit('Tenable.ot/PhoenixContact');

# Asset record for the Phoenix Contact vendor; its schema is defined by the
# helper and is not shown in this file.
var asset = tenable_ot::assets::get(vendor:'PhoenixContact');

# Affected firmware ranges keyed by CPE. The bound names mirror NVD's
# versionStartIncluding / versionEndIncluding fields, so both ends are
# presumably inclusive -- confirm in compare_and_report.
#   SMARTRTU AXC SG firmware: 01.00.00.00 through 01.08.00.02
#   SMARTRTU AXC IG firmware: 01.00.00.00 through 01.02.00.01
# NOTE(review): versions are zero-padded dotted strings; verify the helper
# compares them component-wise rather than as plain strings or numbers.
# NOTE(review): no ENERGY AXC PU CPE is listed although the plugin name
# references that product -- confirm coverage against the vendor advisory.
var vuln_cpes = {
    "cpe:/o:phoenixcontact:smartrtu_axc_sg_firmware" :
        {"versionEndIncluding" : "01.08.00.02", "versionStartIncluding" : "01.00.00.00", "family" : "AXC"},
    "cpe:/o:phoenixcontact:smartrtu_axc_ig_firmware" :
        {"versionEndIncluding" : "01.02.00.01", "versionStartIncluding" : "01.00.00.00", "family" : "AXC"}
};

# Compare the asset against the ranges above and, on a match, report at
# SECURITY_HOLE severity.
tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);

EPSS

0.001

Percentile

27.1%
