VDE-2020-047

Vulnerability from csaf_phoenixcontactgmbhcokg - Published: 2020-12-02 09:00 - Updated: 2025-05-14 12:28
Summary
PHOENIX CONTACT: BTP Touch Panels uncontrolled resource consumption
Notes
Summary: Uncontrolled Resource Consumption can be exploited to cause the HMI to become unresponsive and not accurately update the display content (Denial of Service).
Impact: When the HMI is subjected to, e.g., a rapid flood of ICMP ping packets, the HMI stops responding to user input and the running program provides no visual changes. Once the attack stops, the HMI returns to normal functionality.
Mitigation: Phoenix Contact recommends operating network-capable devices in closed networks or protected by a suitable firewall. For detailed information on recommended measures to protect network-capable devices, please refer to the Phoenix Contact application note: Measures to protect network-capable devices with Ethernet connection.

Uncontrolled Resource Consumption can be exploited to cause the Phoenix Contact HMIs BTP 2043W, BTP 2070W and BTP 2102W in all versions to become unresponsive and not accurately update the display content (Denial of Service).

CWE-400 - Uncontrolled Resource Consumption
Vendor Fix (Mitigation): Phoenix Contact recommends operating network-capable devices in closed networks or protected by a suitable firewall. For detailed information on recommended measures to protect network-capable devices, please refer to the Phoenix Contact application note: Measures to protect network-capable devices with Ethernet connection. Note that although the CSAF records this remediation under the vendor_fix category, the text describes only a network-level mitigation: no fixed firmware version is listed, and all versions of the three panels remain in known_affected.
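The Impact note names a rapid flood of ICMP echo requests as the trigger, and the only remediation is network isolation or a firewall. The following is an added example, not part of the advisory or of any Phoenix Contact tooling: a sliding-window check over constructed firewall-style log lines that flags any source sending echo requests to the panel faster than a threshold. The log line format, the addresses (`10.0.0.10` for the panel), the one-second window and the threshold of 50 are all assumptions to be adapted to the real firewall export.

```python
"""Sliding-window check for ICMP echo-request floods aimed at an HMI.

Added example for VDE-2020-047: the log format, the addresses and the
threshold are assumptions, and the sample lines are constructed here.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

HMI_IP = "10.0.0.10"  # assumed address of the BTP panel (example value, not from the advisory)

# Generic "ts src=.. dst=.. proto=.. [type=..]" line; adapt the regex to the firewall's real format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+)(?: type=(?P<type>\d+))?$"
)


def build_sample_log():
    """Constructed input: one host pinging once a second (benign), one host
    sending 200 echo requests within a single second (flood), plus one TCP
    line that the detector must ignore."""
    t0 = datetime(2020, 12, 2, 9, 0, 0)
    lines = []
    for i in range(5):
        ts = (t0 + timedelta(seconds=i)).isoformat(timespec="milliseconds")
        lines.append(f"{ts} src=10.0.0.20 dst={HMI_IP} proto=icmp type=8")
    for i in range(200):
        ts = (t0 + timedelta(seconds=2, milliseconds=5 * i)).isoformat(timespec="milliseconds")
        lines.append(f"{ts} src=10.0.0.50 dst={HMI_IP} proto=icmp type=8")
    lines.append(f"{t0.isoformat(timespec='milliseconds')} src=10.0.0.50 dst={HMI_IP} proto=tcp")
    return sorted(lines)  # fixed-width ISO timestamps sort chronologically


def find_icmp_floods(lines, target_ip, window_s=1.0, threshold=50):
    """Return {src: peak number of echo requests seen in any trailing window}
    for every source whose peak reaches `threshold`. Only ICMP type 8
    (echo request) addressed to target_ip is counted."""
    windows = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["dst"] != target_ip or m["proto"] != "icmp" or m["type"] != "8":
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = windows[m["src"]]
        q.append(ts)
        # drop timestamps that have fallen out of the trailing window
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        peak[m["src"]] = max(peak[m["src"]], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in find_icmp_floods(build_sample_log(), HMI_IP).items():
        print(f"{src}: {n} echo requests to {HMI_IP} within 1 s (possible flood)")
```

On the sample input the benign host peaks at two requests per window and is not reported, while `10.0.0.50` is reported with 200. The same threshold can be enforced rather than only observed: a firewall in front of the panel that rate-limits echo requests to the HMI address (nftables `limit rate`, for instance) is one concrete form of the "suitable firewall" the vendor recommends, and a closed network removes the exposure entirely.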
Acknowledgments
CERT@VDE (coordination)
Richard Thomas and Tom Chothia, University of Birmingham (discovery)

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination"
      },
      {
        "names": [
          "Richard Thomas",
          "Tom Chothia"
        ],
        "organization": "University of Birmingham",
        "summary": "discovered"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "Uncontrolled Resource Consumption can be exploited to cause the HMI to become unresponsive and not accurately update the display content (Denial of Service).",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "When the HMI is subjected to, e.g., a rapid flood of ICMP ping packets, the HMI stops responding to user input and the running program provides no visual changes. Once the attack stops, the HMI will return to normal functionality.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Mitigation Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on the recommendations for measures to protect network-capable devices, please refer to the Phoenix Contact application note: Measures to protect network-capable devices with Ethernet connection",
        "title": "Mitigation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@phoenixcontact.com",
      "name": "Phoenix Contact GmbH \u0026 Co. KG",
      "namespace": "https://phoenixcontact.com/psirt"
    },
    "references": [
      {
        "category": "external",
        "summary": "Phoenix Contact PSIRT ",
        "url": "https://www.phoenixcontact.com/de-de/service-und-support/psirt"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for Phoenix Contact GmbH \u0026 Co. KG",
        "url": "https://certvde.com/en/advisories/vendor/phoenixcontact"
      },
      {
        "category": "self",
        "summary": "VDE-2020-047: PHOENIX CONTACT: BTP Touch Panels uncontrolled resource consumption - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2020-047/"
      },
      {
        "category": "self",
        "summary": "VDE-2020-047: PHOENIX CONTACT: BTP Touch Panels uncontrolled resource consumption - CSAF",
        "url": "https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2020/vde-2020-047.json"
      }
    ],
    "title": "PHOENIX CONTACT: BTP Touch Panels uncontrolled resource consumption",
    "tracking": {
      "aliases": [
        "VDE-2020-047"
      ],
      "current_release_date": "2025-05-14T12:28:19.000Z",
      "generator": {
        "date": "2020-12-02T09:00:00.000Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.11"
        }
      },
      "id": "VDE-2020-047",
      "initial_release_date": "2020-12-02T09:00:00.000Z",
      "revision_history": [
        {
          "date": "2020-12-02T09:00:00.000Z",
          "number": "1",
          "summary": "Initial revision."
        },
        {
          "date": "2025-05-14T12:28:19.000Z",
          "number": "2",
          "summary": "Fix: removed ia, added distribution"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "vers:all/*",
                  "product_id": "CSAFPID-21001"
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "BTP 2043W",
                "product": {
                  "name": "BTP 2043W",
                  "product_id": "CSAFPID-11001",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1050387"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "BTP 2070W",
                "product": {
                  "name": "BTP 2070W",
                  "product_id": "CSAFPID-11002",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1046666"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "BTP 2102W",
                "product": {
                  "name": "BTP 2102W",
                  "product_id": "CSAFPID-11003",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1046667"
                    ]
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          }
        ],
        "category": "vendor",
        "name": "Phoenix Contact"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003"
        ],
        "summary": "Affected products."
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware  all versions installed on BTP 2043W",
          "product_id": "CSAFPID-31001"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware  all versions installed on BTP 2070W",
          "product_id": "CSAFPID-31002"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware  all versions installed on BTP 2102W",
          "product_id": "CSAFPID-31003"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11003"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-12524",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "Uncontrolled Resource Consumption can be exploited to cause the Phoenix Contact HMIs BTP 2043W, BTP 2070W and BTP 2102W in all versions to become unresponsive and not accurately update the display content (Denial of Service).",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Mitigation Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on the recommendations for measures to protect network-capable devices, please refer to the Phoenix Contact application note: Measures to protect network-capable devices with Ethernet connection",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2020-12524"
    }
  ]
}
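The IDs listed under known_affected (CSAFPID-31001 to -31003) are not hardware products: they are the relationship products "firmware installed on panel", and only the hardware leaves carry the model numbers an asset owner can search for. The following is an added Python example, not part of the advisory or of any Phoenix Contact or CERT@VDE tooling, that walks the product_tree, follows each installed_on relationship back to the hardware, and matches the resulting model numbers against an inventory. ADVISORY is a trimmed copy of the product_tree and vulnerabilities above with the published values; the inventory entries (including the placeholder article number 9999999) and all function names are assumptions.

```python
"""Resolve CSAF 2.0 product IDs from VDE-2020-047 to device names and model
numbers, then match them against an asset inventory.

Added example: ADVISORY is a trimmed copy of the advisory's product_tree and
vulnerabilities (values as published); INVENTORY and the function names are
assumptions for this example."""

HARDWARE = [("BTP 2043W", "CSAFPID-11001", "1050387"),
            ("BTP 2070W", "CSAFPID-11002", "1046666"),
            ("BTP 2102W", "CSAFPID-11003", "1046667")]
RELATIONS = [("BTP 2043W", "CSAFPID-31001", "CSAFPID-11001"),
             ("BTP 2070W", "CSAFPID-31002", "CSAFPID-11002"),
             ("BTP 2102W", "CSAFPID-31003", "CSAFPID-11003")]

ADVISORY = {
    "product_tree": {
        "branches": [{"category": "vendor", "name": "Phoenix Contact", "branches": [
            {"category": "product_family", "name": "Firmware", "branches": [
                {"category": "product_version_range", "name": "vers:all/*",
                 "product": {"name": "vers:all/*", "product_id": "CSAFPID-21001"}}]},
            {"category": "product_family", "name": "Hardware", "branches": [
                {"category": "product_name", "name": n,
                 "product": {"name": n, "product_id": pid,
                             "product_identification_helper": {"model_numbers": [mn]}}}
                for n, pid, mn in HARDWARE]},
        ]}],
        "relationships": [
            {"category": "installed_on",
             "full_product_name": {"name": f"Firmware all versions installed on {n}",
                                   "product_id": rid},
             "product_reference": "CSAFPID-21001",
             "relates_to_product_reference": hid}
            for n, rid, hid in RELATIONS],
    },
    "vulnerabilities": [{
        "cve": "CVE-2020-12524",
        "product_status": {"known_affected": [rid for _, rid, _ in RELATIONS]},
        "scores": [{"cvss_v3": {"baseScore": 7.5, "baseSeverity": "HIGH",
                                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
                    "products": [rid for _, rid, _ in RELATIONS]}],
    }],
}


def index_products(tree):
    """Map every product_id in the tree (leaf products and relationship
    products alike) to its product / full_product_name object."""
    found = {}

    def walk(branches):
        for b in branches:
            if "product" in b:
                found[b["product"]["product_id"]] = b["product"]
            walk(b.get("branches", []))

    walk(tree.get("branches", []))
    for rel in tree.get("relationships", []):
        found[rel["full_product_name"]["product_id"]] = rel["full_product_name"]
    return found


def resolve_affected(doc):
    """For each known_affected ID, follow the installed_on relationship to the
    hardware product so its model numbers become available; IDs that are not
    relationship products are used as they are."""
    tree = doc["product_tree"]
    products = index_products(tree)
    rels = {r["full_product_name"]["product_id"]: r for r in tree.get("relationships", [])}
    rows = []
    for vuln in doc["vulnerabilities"]:
        cvss = vuln.get("scores", [{}])[0].get("cvss_v3", {})
        for pid in vuln.get("product_status", {}).get("known_affected", []):
            rel = rels.get(pid)
            hw = products[rel["relates_to_product_reference"] if rel else pid]
            fw = products[rel["product_reference"]]["name"] if rel else None
            helper = hw.get("product_identification_helper", {})
            rows.append({"cve": vuln["cve"], "device": hw["name"], "firmware": fw,
                         "model_numbers": helper.get("model_numbers", []),
                         "score": cvss.get("baseScore"), "vector": cvss.get("vectorString")})
    return rows


def match_inventory(rows, inventory):
    """Return inventory assets whose model number appears in an affected row,
    merged with that row's advisory data."""
    by_model = {mn: r for r in rows for mn in r["model_numbers"]}
    return [dict(asset, **by_model[asset["model_number"]])
            for asset in inventory if asset["model_number"] in by_model]


# Constructed inventory; "9999999" is a placeholder article number, not a real product.
INVENTORY = [{"asset": "line-3-panel", "model_number": "1046666"},
             {"asset": "lab-bench-panel", "model_number": "9999999"}]

if __name__ == "__main__":
    for hit in match_inventory(resolve_affected(ADVISORY), INVENTORY):
        print(f"{hit['asset']}: {hit['device']} ({hit['model_number']}) affected by "
              f"{hit['cve']}, CVSS {hit['score']} {hit['vector']}")
```

Matching on model_numbers rather than on the product name avoids false negatives when an inventory records the Phoenix Contact article number but not the marketing name; because the firmware range here is `vers:all/*`, no version comparison is needed, and every panel with one of the three article numbers is affected regardless of firmware state.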

