External risk intelligence

Phoenix Contact Devices Allow Sensitive Information Disclosure and System Changes.

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2019-9201

Certain Phoenix Contact devices can be accessed remotely, potentially exposing sensitive information or allowing unauthorized system changes. This presents a business risk of data compromise and operational disruption. The impact is confined to affected organizations and their systems.

Halo Surface Signal

Missing Authentication

Phoenix Contact ILC 131 ETH Firmware

External exposure likelihood

Halo Surface Signal score for CVE-2019-9201

The affected devices are industrial controllers (PLCs) which are typically deployed within isolated industrial control system (ICS) or OT networks. While they are network-reachable, they are not designed to be exposed directly to the public internet, and such exposure would generally be considered a misconfiguration rather than a standard deployment pattern.

Horizon Alert

Summary of the vulnerability and why it matters

Certain Phoenix Contact devices are susceptible to unauthorized access. This vulnerability allows remote attackers to establish connections and potentially access or modify sensitive information. The impact can include unauthorized data exposure and system alterations.

  • Vulnerable Phoenix Contact devices
  • Flaw permits unauthorized access
  • Potential for data theft or changes

Attack Path

How an attacker could exploit the issue

Multiple Phoenix Contact devices are susceptible to remote attacks because the service listening on TCP port 1962 accepts sessions without authentication. Attackers can establish unauthenticated TCP sessions to this port to gain unauthorized access to sensitive information or modify system configurations. This can be achieved by leveraging features like the 'Create Backup' function to navigate through directories and potentially exfiltrate or alter critical data.

  • Exposure condition: Network access to TCP port 1962.
  • Attacker starting point: Unauthenticated network access.
  • Trigger and result: Using backup feature to access directories.

Live Threat

Current exploitation, exposure, and threat context

The identified vulnerability permits unauthorized remote access to sensitive information and system modifications on specific industrial control devices. Attackers can exploit this by establishing TCP sessions, potentially disrupting operations or compromising data integrity. Due to the nature of the affected devices and their typical deployment in industrial environments, the direct risk to organizations is considered unlikely.

  • Likely attacker skill level: Low
  • Required access or conditions: Network access to device
  • Business risk or urgency: Unlikely impact

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts multiple Phoenix Contact devices, allowing unauthorized external access to establish TCP sessions. Attackers can leverage this to obtain sensitive information or make unauthorized changes, including using the backup feature to access all directories. The potential for unauthorized information disclosure and system modification presents a significant business risk.

  • Identify exposed devices.
  • Isolate affected systems.
  • Apply vendor fixes and validate.
  • Monitor for related activity.
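The "identify exposed devices" and "monitor for related activity" steps both reduce to watching for TCP sessions to port 1962 from hosts that have no business talking to the PLCs. The following detection logic is an added example, not code from the advisory or from Phoenix Contact; it assumes a constructed key=value flow-log format and a hypothetical engineering-workstation subnet as the only allowed source.

```python
import ipaddress
import re

# Port named in the advisory for the unauthenticated Phoenix Contact service.
PLC_SERVICE_PORT = 1962

# Hypothetical allow-list: engineering workstations that legitimately reach
# the PLCs. Any other source completing a session to TCP/1962 is an alert.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed flow-log format for this example (not a real vendor format):
# "ts=... src=... dst=... dport=... proto=tcp action=allow"
_FLOW_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)"
)


def parse_flow(line):
    """Return a dict for one flow-log line, or None if it does not match."""
    m = _FLOW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_allowed_source(src, allowed=ALLOWED_SOURCES):
    """True if src falls inside one of the allow-listed networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed)


def find_suspicious_plc_sessions(lines, allowed=ALLOWED_SOURCES):
    """Flag permitted TCP flows to port 1962 from hosts outside the allow-list."""
    hits = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["proto"].lower() != "tcp":
            continue
        if rec["dport"] != PLC_SERVICE_PORT or rec["action"] != "allow":
            continue  # denied flows were already blocked; only allowed ones matter
        if not is_allowed_source(rec["src"], allowed):
            hits.append(rec)
    return hits


# Constructed sample log lines: one legitimate session, one from outside the
# OT network, one denied attempt, one unrelated port, one unparsable line.
SAMPLE_LOG = [
    "ts=2024-01-01T10:00:00Z src=10.10.5.20 dst=10.10.9.7 dport=1962 proto=tcp action=allow",
    "ts=2024-01-01T10:00:05Z src=192.0.2.44 dst=10.10.9.7 dport=1962 proto=tcp action=allow",
    "ts=2024-01-01T10:00:09Z src=10.10.7.3 dst=10.10.9.7 dport=1962 proto=tcp action=deny",
    "ts=2024-01-01T10:00:12Z src=10.10.7.3 dst=10.10.9.7 dport=502 proto=tcp action=allow",
    "garbage line",
]

if __name__ == "__main__":
    for hit in find_suspicious_plc_sessions(SAMPLE_LOG):
        print(f"ALERT {hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']}")
```

Feed the same function the denied flows as well if the firewall logs them; repeated denied attempts against TCP/1962 are an early sign that someone is probing for exposed controllers.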

Frequently asked questions

What are Phoenix Contact ILC devices and their function in industrial automation?

Phoenix Contact ILC devices, such as the ILC 131 ETH and ILC 151 ETH, are industrial controllers, commonly known as Programmable Logic Controllers (PLCs). These devices are integral to industrial automation, enabling the control and monitoring of machinery and operational processes.

What is the nature of the vulnerability in CVE-2019-9201, and what weakness class does it fall under?

CVE-2019-9201 is classified as CWE-306 (Missing Authentication for Critical Function): the device fails to require authentication before granting access to a sensitive service. This deficiency allows remote attackers to establish sessions without valid credentials, leading to unauthorized access.

How can remote attackers exploit CVE-2019-9201 to access sensitive information or alter system configurations?

Remote attackers can exploit CVE-2019-9201 by establishing unauthenticated TCP sessions to port 1962 on the affected Phoenix Contact devices. By leveraging features like the 'Create Backup' function, they can traverse directories to exfiltrate sensitive data or make unauthorized modifications to system settings.

What is the relevance of CVE-2019-9201 to Halo Surface Signal, and how is its impact assessed?

Halo Surface Signal assesses CVE-2019-9201 as 'Unlikely' to be exploited in its target environment. This is because the affected devices are industrial controllers (PLCs) typically deployed within isolated industrial control system (ICS) or Operational Technology (OT) networks, and are not usually exposed directly to the public internet.

What practical steps can be taken to mitigate the risks associated with CVE-2019-9201 on Phoenix Contact devices?

To mitigate risks, organizations should identify any exposed devices, isolate affected systems from broader networks if possible, and apply any available vendor fixes. It is also crucial to validate the implementation of these fixes and maintain vigilance by monitoring for any suspicious activity related to these devices.
