VYPR
Unrated severity · NVD Advisory · Published Jun 24, 2019 · Updated Aug 4, 2024

CVE-2019-12869

Description

An out-of-bounds read in Phoenix Contact Automationworx BCP file parsing allows information disclosure and potential remote code execution via a manipulated project file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability exists in the parsing of BCP files within Phoenix Contact Automationworx products, specifically PC Worx through 1.86, PC Worx Express through 1.86, and Config+ through 1.86. The issue results from a lack of proper validation of user-supplied data, which can cause a read past the end of an allocated buffer [1].

Exploitation

An attacker must first obtain an original PC Worx or Config+ project file, then manipulate it to trigger the out-of-bounds read. The attacker then needs to exchange the original file with the manipulated one on the application programming workstation. User interaction is required: the target must open the malicious file or visit a malicious page [1].

Impact

Successful exploitation leads to information disclosure via the out-of-bounds read. The advisory notes that an attacker can leverage this vulnerability in conjunction with other vulnerabilities to execute code in the context of the current process [1]. The CVSS score is 3.3 (low severity) for the information disclosure aspect.

Mitigation

As of the publication date (2019-06-24), no patch is mentioned in the available references. Users should ensure they only open project files from trusted sources and verify file integrity. The vendor may have released updates after the advisory; consult Phoenix Contact's security advisories for the latest fixed versions.

References
  1. ZDI-19-579

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

Patches

0

No patches discovered yet.

References

2
