Phoenix Contact Automation Worx <= 1.87: stack-based overflow

Vulnerability

A stack-based buffer overflow vulnerability exists in the parsing of PLCopen XML files in Phoenix Contact PC Worx and PC Worx Express, version 1.87 and earlier [1][2]. When processing the pou element, the software does not validate the length of user-supplied data before copying it to a fixed-length stack-based buffer [1]. The issue is also reachable via the name attribute of a pou element [2]. The vulnerability requires the target to open a malicious project file [1][2].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious PC Worx project file containing an overly long value in the pou element or its name attribute [1][2]. The victim must be tricked into opening the crafted file (e.g., via a malicious web page or email attachment). No authentication is required, but user interaction is necessary [1][2]. The process does not properly validate input length, leading to a classic stack-based buffer overflow [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the current process [1][2]. This could lead to full compromise of the affected workstation, including potential lateral movement into industrial control environments. The CVSS score is 7.8, with high confidentiality, integrity, and availability impacts [1][2].

Mitigation

Phoenix Contact has not released a patch as of the latest advisory (ZDI-21-398, March 2021) [2]. Users should restrict access to PC Worx project files from untrusted sources, avoid opening files from unknown contacts, and apply vendor updates when available [1][2]. No workaround is documented. The known exploited vulnerabilities (KEV) catalog does not list this CVE.