PHOENIX CONTACT: Unauthorized read-access of root filesystem in WP 6xxx Web panels
Description
A low-privileged remote attacker can read arbitrary files on Phoenix Contact WP 6xxx web panels (versions <4.0.10) via a configuration dialog in the embedded Qt browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability exists in PHOENIX CONTACT WP 6xxx series web panels running firmware versions prior to 4.0.10. A remote attacker with low privileges can exploit a configuration dialog within the embedded Qt browser to gain limited read-access to the device filesystem. The affected product line includes WP 6000 and WP 6100 series panels. [1]
Exploitation
An attacker must have network access to the device and possess low-privileged credentials (e.g., a user account with minimal permissions). By interacting with a specific configuration dialog in the embedded Qt browser, the attacker can trigger a path traversal or file read operation that bypasses intended access controls. No additional user interaction is required beyond the attacker's own actions. [1]
Impact
Successful exploitation allows the attacker to read arbitrary files accessible to the 'browser' user on the device filesystem. This can lead to disclosure of sensitive information such as configuration files, credentials, or other data stored on the device. The attack does not grant write access or privilege escalation beyond the 'browser' user's permissions. [1]
Mitigation
Phoenix Contact has released firmware version 4.0.10 to address this vulnerability. Users should update their WP 6xxx series web panels to version 4.0.10 or later. No workarounds are documented in the advisory. The advisory notes that the vendor recommends updating as soon as possible. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (7)
- Range: <4.0.10
- PHOENIX CONTACT/WP 6070-WVPS v5, Range: 0
- PHOENIX CONTACT/WP 6101-WXPS v5, Range: 0
- PHOENIX CONTACT/WP 6121-WXPS v5, Range: 0
- PHOENIX CONTACT/WP 6156-WHPS v5, Range: 0
- PHOENIX CONTACT/WP 6185-WHPS v5, Range: 0
- PHOENIX CONTACT/WP 6215-WHPS v5, Range: 0
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.