VDE-2022-018
Vulnerability from csaf_phoenixcontactgmbhcokg - Published: 2022-05-11 14:20 - Updated: 2022-05-11 14:20
Summary
PHOENIX CONTACT: Multiple vulnerabilities in RAD-ISM-900-EN-BD devices
Notes
Summary: Multiple vulnerabilities have been discovered in the firmware of RAD-ISM-900-EN-BD devices and in the libraries it uses:
In addition to the above listed CVEs the following issues were identified:
Vulnerabilities related to outdated libraries:
BusyBox version 0.60.1: A CVE scan revealed 13 potential vulnerabilities. Some of these vulnerabilities impact services used by this device such as NTP and DHCP.
OpenSSL version 0.9.7-beta3: This version of OpenSSL uses deprecated ciphers and a CVE scan revealed over 87 potential vulnerabilities.
Over-privileged web application:
The web application is operated with root privileges. Therefore, if an attacker were able to achieve RCE via the web application they would be executing with the highest level of privileges.
Impact: The abovementioned vulnerabilities allow an attacker to execute arbitrary shell commands and/or upload arbitrary files to the device with root privileges.
Some software libraries compiled into the device firmware are outdated and contain known vulnerabilities. Some of those vulnerabilities may be exploitable in the device context whilst others may not have any effect as the specific vulnerable function is not used. These vulnerabilities have not been investigated in detail.
Mitigation: Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note: https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf
Remediation: The family of RAD-ISM-900-EN-BD devices is end of life and will not receive updates anymore. If operation within a secured environment cannot be ensured in the specific customer application, please contact your local PHOENIX CONTACT support to discuss alternative solutions.
9.1 (Critical)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note: https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf
Vendor Fix
The family of RAD-ISM-900-EN-BD devices is end of life and will not receive updates anymore. If operation within a secured environment cannot be ensured in the specific customer application, please contact your local PHOENIX CONTACT support to discuss alternative solutions.
Acknowledgments
CERTVDE
certvde.com
{
"document": {
"acknowledgments": [
{
"organization": "CERTVDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
},
{
"names": [
"Logan Carpenter"
],
"organization": "DRAGOS",
"summary": "reporting",
"urls": [
"https://www.dragos.com"
]
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "Multiple vulnerabilities have been discovered in the firmware and in libraries utilized of RAD-ISM-900-EN-BD devices:\n\nIn addition to the above listed CVEs the following issues were identified:\n\nVulnerabilities related to outdated libraries:\n\nBusyBox version 0.60.1: A CVE scan revealed 13 potential vulnerabilities. Some of these vulnerabilities impact services used by this device such as NTP and DHCP.\nOpenSSL version 0.9.7-beta3: This version of OpenSSL uses deprecated ciphers and a CVE scan revealed over 87 potential vulnerabilities.\nOver-privileged web application:\nThe web application is operated with root privileges. Therefore, if an attacker were able to achieve RCE via the web application they would be executing with the highest level of privileges.",
"title": "Summary"
},
{
"category": "description",
"text": "The abovementioned vulnerabilities allow an attacker to execute arbitrary shell commands and/or upload arbitrary files to the device with root privileges.\n\nSome software libraries compiled into the device firmware are outdated and contain known vulnerabilities. Some of those vulnerabilities may be exploitable in the device context whilst others may not have any effect as the specific vulnerable function is not used. These vulnerabilities have not been investigated in detail.",
"title": "Impact"
},
{
"category": "description",
"text": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note: https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf",
"title": "Mitigation"
},
{
"category": "description",
"text": "The family of RAD-ISM-900-EN-BD devices is end of life and will not receive updates anymore. If operation within a secured environment cannot be ensured in the specific customer application, please contact your local PHOENIX CONTACT support to discuss alternative solutions.",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@phoenixcontact.com",
"name": "Phoenix Contact GmbH \u0026 Co. KG",
"namespace": "https://phoenixcontact.com/psirt"
},
"references": [
{
"category": "external",
"summary": "CERT@VDE Security Advisories for PHOENIX CONTACT",
"url": "https://certvde.com/en/advisories/vendor/phoenixcontact/"
},
{
"category": "self",
"summary": "VDE-2022-018: PHOENIX CONTACT: Multiple vulnerabilities in RAD-ISM-900-EN-BD devices - HTML",
"url": "https://certvde.com/de/advisories/VDE-2020-013/"
},
{
"category": "self",
"summary": "VDE-2022-018: PHOENIX CONTACT: Multiple vulnerabilities in RAD-ISM-900-EN-BD devices - CSAF",
"url": "https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2022/vde-2022-018.json"
}
],
"title": "PHOENIX CONTACT: Multiple vulnerabilities in RAD-ISM-900-EN-BD devices",
"tracking": {
"aliases": [
"VDE-2022-018"
],
"current_release_date": "2022-05-11T14:20:00.000Z",
"generator": {
"date": "2025-03-26T12:48:11.294Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.21"
}
},
"id": "VDE-2022-018",
"initial_release_date": "2022-05-11T14:20:00.000Z",
"revision_history": [
{
"date": "2022-05-11T14:20:00.000Z",
"number": "1",
"summary": "initial revision"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RAD-ISM-900-EN-BD",
"product": {
"name": "RAD-ISM-900-EN-BD",
"product_id": "CSAFPID-11001",
"product_identification_helper": {
"model_numbers": [
"2900016"
]
}
}
},
{
"category": "product_name",
"name": "RAD-ISM-900-EN-BD-BUS",
"product": {
"name": "RAD-ISM-900-EN-BD-BUS",
"product_id": "CSAFPID-11002",
"product_identification_helper": {
"model_numbers": [
"2900017"
]
}
}
},
{
"category": "product_name",
"name": "RAD-ISM-900-EN-BD/B",
"product": {
"name": "RAD-ISM-900-EN-BD/B",
"product_id": "CSAFPID-11003",
"product_identification_helper": {
"model_numbers": [
"2901205"
]
}
}
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Firmware vers:all/*",
"product_id": "CSAFPID-21001"
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "Phoenix Contact"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
],
"summary": "affected products"
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware vers:all/* installed on RAD-ISM-900-EN-BD",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware vers:all/* installed on RAD-ISM-900-EN-BD-BUS",
"product_id": "CSAFPID-31002"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware vers:all/* installed on RAD-ISM-900-EN-BD/B",
"product_id": "CSAFPID-31003"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11003"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-29897",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "On various RAD-ISM-900-EN-* devices by PHOENIX CONTACT an admin user could use the traceroute utility integrated in the WebUI to execute arbitrary code with root privileges on the OS due to an improper input validation in all versions of the firmware."
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note: https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "The family of RAD-ISM-900-EN-BD devices is end of life and will not receive updates anymore. If operation within a secured environment cannot be ensured in the specific customer application, please contact your local PHOENIX CONTACT support to discuss alternative solutions.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.1,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"temporalScore": 9.1,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
}
],
"title": "CVE-2022-29897"
},
{
"cve": "CVE-2022-29898",
"cwe": {
"id": "CWE-354",
"name": "Improper Validation of Integrity Check Value"
},
"notes": [
{
"category": "summary",
"text": "On various RAD-ISM-900-EN-* devices by PHOENIX CONTACT an admin user could use the configuration file uploader in the WebUI to execute arbitrary code with root privileges on the OS due to an improper validation of an integrity check value in all versions of the firmware."
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note: https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "The family of RAD-ISM-900-EN-BD devices is end of life and will not receive updates anymore. If operation within a secured environment cannot be ensured in the specific customer application, please contact your local PHOENIX CONTACT support to discuss alternative solutions.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.1,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"temporalScore": 9.1,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
}
],
"title": "CVE-2022-29898"
}
]
}