Successful exploitation of the vulnerabilities could lead to remote execution of arbitrary code.
Analysis Summary
# Vulnerability: Multiple Remote Code Execution Flaws in Phoenix Contact Automation Worx
## CVE Details
- **CVE ID:** CVE-2019-12255, CVE-2019-12256, CVE-2019-12257, CVE-2019-12258, CVE-2019-12259, CVE-2019-12260, CVE-2019-12261, CVE-2019-12262, CVE-2019-12263, CVE-2019-12264
- **CVSS Score:** 7.8 (High) [Base Score]
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow)
## Affected Systems
- **Products:** Phoenix Contact Automation Worx Software Suite
- **Versions:** All versions prior to v1.86
- **Configurations:** Systems where the PC WORX, PC WORX EXPRESS, or Config+ tools are installed and used to process project files.
## Vulnerability Description
The Automation Worx software suite is susceptible to multiple memory corruption vulnerabilities, specifically stack-based buffer overflows. These flaws exist within the parsing logic for project files. An attacker can craft a malicious project file that, when opened by a local user in the software suite, triggers an out-of-bounds write. This allows redirection of the application's execution flow.
## Exploitation
- **Status:** PoC known to exist; no widespread exploitation in the wild reported at time of disclosure.
- **Complexity:** Medium (Requires user interaction to open a malicious file).
- **Attack Vector:** Local (via Social Engineering/Network delivery of a malicious file).
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
- **Overall Result:** Remote Code Execution (RCE) in the context of the current user.
## Remediation
### Patches
- **Automation Worx Software Suite v1.86:** Users should upgrade to version 1.86 or later to resolve these vulnerabilities.
- Updates can be found on the Phoenix Contact "Software & Downloads" portal.
### Workarounds
- **Principle of Least Privilege:** Run the software under a non-administrative account to limit the impact of code execution.
- **File Validation:** Do not open project files received from untrusted or unknown sources (email, unverified downloads).
- **Network Isolation:** Ensure engineering workstations are isolated from the internet and untrusted office networks.
## Detection
- **Indicators of Compromise:** Unexpected application crashes (segmentation faults) when opening specific project files.
- **Detection Methods:**
  - Use Antivirus/EDR solutions to scan for suspicious project files.
  - Monitor for unusual child processes (e.g., cmd.exe or powershell.exe) being spawned by PC WORX executable files.
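The child-process check described above can be run over process-creation telemetry. The following is an added example, not code from the vendor or the advisory: it assumes Sysmon Event ID 1 records exported as one JSON object per line, and the parent executable name `pcworx_placeholder.exe` is a placeholder to be replaced with the real file names from the installation.

```python
import json
import ntpath

# Assumption: placeholder name. Replace with the real PC WORX / Config+
# executable names found in the workstation's installation directory.
ENGINEERING_TOOL_IMAGES = {"pcworx_placeholder.exe"}
# Child processes the advisory names as unusual for an engineering tool.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}


def _basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower() if isinstance(path, str) else ""


def find_suspicious_spawns(lines):
    """Return process-creation events where an engineering tool spawned a shell."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON log lines
        if not isinstance(event, dict) or event.get("EventID") != 1:
            continue  # only Sysmon Event ID 1 (process creation)
        parent = _basename(event.get("ParentImage"))
        child = _basename(event.get("Image"))
        if parent in ENGINEERING_TOOL_IMAGES and child in SUSPICIOUS_CHILDREN:
            hits.append({"parent": parent, "child": child,
                         "cmdline": event.get("CommandLine")})
    return hits


def _event(event_id, parent, image, cmdline):  # one constructed log line
    return json.dumps({"EventID": event_id, "ParentImage": parent,
                       "Image": image, "CommandLine": cmdline})


TOOL = r"C:\Program Files\Example\PCWORX_Placeholder.exe"  # placeholder path
SAMPLE_LOG = [  # constructed events, not real telemetry
    _event(1, TOOL, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    _event(1, r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    _event(1, TOOL, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    _event(3, TOOL, r"C:\Windows\System32\cmd.exe", ""),  # not process creation
    '{"EventID": 1, "ParentImage": "C:',  # truncated line
]

if __name__ == "__main__":
    print(find_suspicious_spawns(SAMPLE_LOG))
```

Matching is on the lower-cased file name only, so a renamed copy of the engineering tool will not match; pairing the name with the expected install path or file hash tightens the rule.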
## References
- **Vendor Advisory:** hxxps[://]www[.]phoenixcontact[.]com/en-pc/support/security-advisories
- **ICS-CERT (CISA):** hxxps[://]www[.]cisa[.]gov/news-events/ics-advisories/icsa-19-171-01
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/reports/2019/06/24/vulnerabilities-in-phoenix-contact-automation-worx-software-suite/