PHOENIX CONTACT PLCNext AXC F 2152 Improper Access Control (CVE-2019-10998)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(500770);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/04");

  script_cve_id("CVE-2019-10998");

  script_name(english:"PHOENIX CONTACT PLCNext AXC F 2152 Improper Access Control (CVE-2019-10998)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"An issue was discovered on Phoenix Contact AXC F 2152 (No.2404267)
before 2019.0 LTS and AXC F 2152 STARTERKIT (No.1046568) before 2019.0
LTS devices. Unlimited physical access to the PLC may lead to a
manipulation of SD cards data. SD card manipulation may lead to an
authentication bypass opportunity.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  # https://dam-mdc.phoenixcontact.com/asset/156443151564/fa7be4d04c301f18c6cc0e0872193a42/Security_Advisory_AXC_F_2152_FW.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b8aca257");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-19-155-01");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Phoenix Contact recommends affected users update to firmware release 2019.0 LTS or later, update to PLCNext Engineer
release 2019.0 LTS or later, and apply the following specific mitigations below:

- Disable Basic128Rsa15 security policy in OPC Servers configuration. Use only Basic256 or higher.
- Follow the advice concerning SD card usage in the manual “Art.-Nr. 107708: UM EN AXC F 2152 Installing, starting up,
and operating the AXC F 2152 controller um_en_axc_f_2152_107708_en_02.pdf” that can be found on the product page below:
- https://www.phoenixcontact.com/online/portal/us/?uri=pxc-oc-
itemdetail:pid=2404267&library=usen&pcck=P-21-14-01&tab=1&selectedCategory=ALL
- Use the notification manager to monitor SD card exchanges by the application program.
- Subscribe to PSIRT news as updates on the SD card vulnerability will be provided in the future.

Phoenix Contact also recommends users operate the devices in closed networks or environments protected with a suitable
firewall. For detailed information on recommendations for measures to protect network-capable devices, please refer to
the Phoenix Contact application note “Art.-Nr. 107913: AH EN INDUSTRIAL SECURITY - Measures to protect network-capable
devices with Ethernet connection against unauthorized access,” which can be found at the following link:

https://www.phoenixcontact.com/assets/downloads_ed/local_pc/web_dwl_technical_info/ah_en_industrial_security_107913_en_0
1.pdf

For more information, CERT@VDE has released a security advisory available at the following link:

https://cert.vde.com/en-us/advisories/vde-2019-009");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-10998");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(287);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/06/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/01/25");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:phoenixcontact:axc_f_2152_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:phoenixcontact:axc_f_2152_starterkit_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/PhoenixContact");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/PhoenixContact');

var asset = tenable_ot::assets::get(vendor:'PhoenixContact');

var vuln_cpes = {
    "cpe:/o:phoenixcontact:axc_f_2152_firmware" :
        {"versionStartIncluding" : "1.0", "versionEndExcluding" : "2.0", "family" : "AXC"},
    "cpe:/o:phoenixcontact:axc_f_2152_starterkit_firmware" :
        {"versionStartIncluding" : "1.0", "versionEndExcluding" : "2.0", "family" : "AXC"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);