Nozomi Networks Labs has discovered 14 vulnerabilities in the Phoenix Contact Web Panel 6121-WXPS device (firmware version 3.1.7). During our research, we identified that this device is affected by several critical issues that could be exploited by a remote attacker to completely compromise it. The most critical vulnerabilities affect the two main network services (i.e., HTTPS web server and the SNMP protocol) which are exposed by default on the WP 6121-WXPS to execute maintenance operations on the target device (e.g., firmware update).
In response to the issues we found, Phoenix Contact produced a new firmware release (v4.0.10) that addresses all the reported vulnerabilities and asserted that these issues affect not only the 6121-WXPS device but the whole WP6000 product family.
As part 1 of a three-part series, this blog provides an overview of the vulnerabilities we found and their most critical consequences for an ICS infrastructure that uses a vulnerable WP6000 HMI. The following blogs in the series will provide more in-depth technical details on our security research, such as the methodology we used to analyze the target device and exploit the issues we found.
Phoenix Contact HMI Products: Background Information
Phoenix Contact is a leading German equipment manufacturer offering a wide range of products for industrial automation and control systems, including PLCs, industrial PCs and HMI panels. Phoenix Contact products are used in various industries, including industrial automation and control, industrial communications, and IoT.
The WP 6121-WXPS device manufactured by Phoenix Contact is just one of a range of HMI products inside the WP6000 family. The web panel is an internet-accessible HMI touch panel that provides visual representations, control capabilities and situational awareness for monitoring an automation solution or control system.
Discovered Vulnerabilities
During our research, we identified that the Phoenix Contact WP 6121-WXPS is affected by several critical issues that could be exploited by a remote attacker to completely compromise the device and, consequently, the connected industrial control system.
The vulnerabilities we identified and reported to the vendor affect the following firmware image:
- Filename: wp6000_snmp_complete_v3.1.7.zip
- Version: v3.1.7
- Checksum (SHA256): 9d5448b71a8f26e92d130143f7989e594da6c99d79252350b451525f28d1afec
Below is the list of the 14 vulnerabilities discovered and disclosed by the Nozomi Networks Labs team, in order of risk:
Critical
- CVSS Base score: 9.9; CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
- CVSS Base score: 9.9; CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
- CVSS Base score: 9.9; CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
- CVSS Base score: 9.9; CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
High
- CVSS Base score: 8.6; CWE-862: Missing Authorization
- CVSS Base score: 8.8; CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
- CVSS Base score: 8.2; CWE-862: Missing Authorization
- CVSS Base score: 7.2; CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
- CVSS Base score: 7.2; CWE-494: Download of Code Without Integrity Check
- CVSS Base score: 7.2; CWE-269: Improper Privilege Management
Medium
- CVSS Base score: 4.3; CWE-610: Externally Controlled Reference to a Resource in Another Sphere
- CVSS Base score: 4.3; CWE-610: Externally Controlled Reference to a Resource in Another Sphere
Low
- CVSS Base score: 3.8; CWE-798: Use of Hard-coded Credentials
- CVSS Base score: 3.8; CWE-798: Use of Hard-coded Credentials
Impacts and Attack Scenarios
The most critical consequences of the vulnerabilities listed above affect the two main network services (i.e., the HTTPS web server and the SNMP protocol) which are exposed by default on the WP 6121-WXPS Ethernet interface. These services are necessary to execute maintenance operations on the target device, such as a firmware update through the SNMP protocol.
Even though the exact threat model depends on the final infrastructure of the network where the Phoenix Contact HMI will be placed (i.e., every client can structure it based on its needs), we can assume that the WP 6121-WXPS Ethernet interface will be reachable from a local or remote network point so that IT operators can perform daily monitoring tasks from their control center workstation.
If the Phoenix Contact HMI is not properly protected (e.g., the firewall in Zone 2 is misconfigured) so that an attacker positioned in the network can reach the vulnerable services exposed by the HMI, then it would be possible to exploit the security vulnerabilities described here to gain administrative access on the Phoenix Contact WP 6121-WXPS HMI. As previously mentioned, we discovered that an attacker could exploit the weaknesses in both the HTTPS and the SNMP services to achieve this goal.
To compromise the target device through HTTPS, an attacker can exploit one of the critical issues listed above (i.e., CVE-2023-3570, CVE-2023-3571, CVE-2023-3572 or CVE-2023-3573). Due to a software defect in the HTTPS web service, it’s possible to force the vulnerable component to run arbitrary commands on the underlying system. Because this application is executed with root privileges, all these actions are performed with administrative rights.
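The CWE-78 pattern behind the four critical HTTPS issues is a web handler that interpolates a request parameter into a shell command line. The following added example (generic illustration written for this post, not code from the device firmware or from Phoenix Contact) shows a minimal maintenance-style “ping a host” handler in its vulnerable form next to a hardened form, and tokenises the vulnerable string the way a POSIX shell would so the reader can see why one parameter becomes two commands. The host values are constructed; no real device is involved.

```python
import re
import shlex
import subprocess

# Constructed sample inputs: a benign host and a value carrying a shell
# metacharacter of the kind CWE-78 is about.
BENIGN_HOST = "192.0.2.10"
HOSTILE_HOST = "192.0.2.10; id"

# Shell tokens that start a new command (a subset, enough for the demo).
SEPARATORS = {";", "&&", "||", "|", "&"}


def vulnerable_ping_command(host: str) -> str:
    """Builds the string a naive handler would hand to `sh -c` (shell=True).
    Every character of `host` is interpreted by the shell, so a separator in
    the parameter changes *which* commands run, not just ping's argument."""
    return f"ping -c 1 {host}"


def shell_commands(cmd: str) -> list[list[str]]:
    """Splits a command line into the separate commands a POSIX shell would
    execute, using shlex with punctuation_chars so ';', '&&', '|' become
    their own tokens. Used here only to make the injection visible."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


# Allow-list for the parameter: hostname / IPv4 characters only, bounded length.
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def is_valid_host(host: str) -> bool:
    """True when `host` contains only allow-listed characters."""
    return HOST_RE.fullmatch(host) is not None


def hardened_ping_argv(host: str) -> list[str]:
    """Validates the parameter and returns an argv list. Passing a list to
    subprocess without a shell means `host` can only ever be a single
    argument to ping, never a second command, even if validation is bypassed."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def run_hardened(host: str) -> int:
    """Executes the hardened form (shell=False is subprocess's default)."""
    proc = subprocess.run(hardened_ping_argv(host), capture_output=True, check=False)
    return proc.returncode


if __name__ == "__main__":
    vulnerable = vulnerable_ping_command(HOSTILE_HOST)
    print("vulnerable string:", vulnerable)
    print("shell would run   :", shell_commands(vulnerable))
    print("hardened argv     :", hardened_ping_argv(BENIGN_HOST))
    try:
        hardened_ping_argv(HOSTILE_HOST)
    except ValueError as exc:
        print("hardened rejects  :", exc)
```

The two defences are independent: the allow-list stops unexpected input at the boundary, and the argv form removes the shell from the path entirely, so a gap in the regex cannot turn into command execution. Running the service as an unprivileged user, which the post notes the HMI does not do, would further bound the damage of any remaining defect.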
To compromise the target device through SNMP, it’s necessary to exploit and chain the following vulnerabilities:
- CVE-2023-37860: Leveraging a non-authenticated API exposed by the HTTPS web service, it’s possible to retrieve both the “read” and “write” community strings that are used by the SNMPv2 protocol as its authentication mechanism.
- CVE-2023-37859: We identified that the SNMP service (i.e., Net-SNMP) is executed with root privileges and that the “NET-SNMP-EXTENDED-MIB” extension MIB is loaded. As other researchers have previously identified ([1], [2]), this extension could be abused to execute arbitrary shell scripts through the SNMP agent. Due to this condition, after exploiting the CVE-2023-37860 vulnerability and retrieving the write community string without authentication, an attacker can get an administrative shell on the vulnerable device.
- CVE-2023-37863: This vulnerability is part of our novel findings discovered after reverse engineering the shared library that implements the firmware update process through proprietary MIBs (specifications are in the PXC-WP6K-MIB.mib file attached inside the firmware image). Specifically, we discovered that this functionality is subject to an “OS Command Injection” vulnerability that could be abused to execute arbitrary commands on the system.
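Both SNMP steps in the chain above rely on SET requests reaching the HMI: one against the NET-SNMP-EXTEND-MIB subtree, the other against the proprietary firmware-update MIB. From a monitoring standpoint, an HMI should receive SNMP writes only from a small set of maintenance hosts, and writes to those two subtrees deserve an alert regardless of source. The following added example (written for this post, not a Nozomi Networks or Phoenix Contact tool) runs that logic over a few constructed log lines. It assumes a simple whitespace-separated sensor export (`timestamp src dst pdu_type oid`) that is invented for the example; the `1.3.6.1.4.1.8072.1.3.2` prefix is the Net-SNMP `nsExtendObjects` subtree from the standard MIB, while the firmware-update subtree is a placeholder because the post does not reproduce the PXC-WP6K-MIB OIDs.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample log, one SNMP PDU per line:
# <timestamp> <src_ip> <dst_ip> <pdu_type> <oid>. Addresses are fictitious.
SAMPLE_LOG = """\
2024-01-10T08:00:01Z 10.10.1.5 10.10.2.20 GET 1.3.6.1.2.1.1.5.0
2024-01-10T08:00:02Z 10.10.1.5 10.10.2.20 SET 1.3.6.1.4.1.99999.1.2.0
2024-01-10T08:01:10Z 10.10.3.77 10.10.2.20 GET 1.3.6.1.2.1.1.1.0
2024-01-10T08:01:11Z 10.10.3.77 10.10.2.20 SET 1.3.6.1.4.1.8072.1.3.2.2.1.2.4.116.101.115.116
2024-01-10T08:02:00Z 10.10.1.5 10.10.2.20 SET 1.3.6.1.4.1.8072.1.3.2.2.1.21.4.116.101.115.116
"""

# Hosts allowed to issue SNMP SETs to the HMI (e.g., the engineering workstation).
# Assumed value for the example.
MAINTENANCE_HOSTS = {ipaddress.ip_address("10.10.1.5")}

# OID subtrees whose SET requests always warrant an alert.
# - nsExtendObjects is where NET-SNMP-EXTEND-MIB rows live (standard Net-SNMP OID).
# - The second entry is a PLACEHOLDER for the device's proprietary firmware-update
#   subtree; take the real prefix from PXC-WP6K-MIB.mib in the firmware image.
WATCHED_SUBTREES = {
    "1.3.6.1.4.1.8072.1.3.2": "NET-SNMP-EXTEND-MIB (nsExtendObjects) write",
    "1.3.6.1.4.1.99999": "placeholder: firmware-update MIB subtree",
}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    src: str
    reason: str
    oid: str


def oid_under(oid: str, subtree: str) -> bool:
    """Prefix match on dotted components, not characters, so that
    1.3.6.1.4.1.80721 does not match the 1.3.6.1.4.1.8072 subtree."""
    parts, prefix = oid.split("."), subtree.split(".")
    return parts[: len(prefix)] == prefix


def analyze(log_text: str) -> list[Alert]:
    """Returns one Alert per rule hit. A single SET can trigger both rules."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, pdu, oid = line.split()
        if pdu != "SET":
            continue  # reads are normal monitoring traffic
        if ipaddress.ip_address(src) not in MAINTENANCE_HOSTS:
            alerts.append(Alert(ts, src, "SNMP SET from non-maintenance host", oid))
        for subtree, label in WATCHED_SUBTREES.items():
            if oid_under(oid, subtree):
                alerts.append(Alert(ts, src, f"SNMP SET to watched subtree: {label}", oid))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.src}: {alert.reason} ({alert.oid})")
```

Because CVE-2023-37860 lets the write community string be fetched without authentication, the community string itself cannot serve as evidence of legitimacy; the source host and the written OID subtree are the signals that remain meaningful, which is why the two rules key on those rather than on the credential.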
Responsible Disclosure Process and Vendor Mitigation
In April 2023, we responsibly disclosed all findings to Phoenix Contact’s Product Security Incident Response Team (PSIRT). Upon receiving our research findings and documentation, they immediately reviewed our advisories and began working on a remediation plan to address the issues.
After reviewing our findings, the vendor confirmed that the issues we found also affect the following products:
Table 1. List of Phoenix Contact products and affected firmware version.
In response to our findings, Phoenix Contact developed a new firmware release (v4.0.10) that addresses all the reported vulnerabilities.
Stay tuned for part 2, where we’ll share more technical details on this research.