PHOENIX CONTACT: Use of Hard-coded Credentials in WP 6xxx Web panels
Description
Hardcoded cryptographic keys in PHOENIX CONTACT WP 6xxx web panels prior to 4.0.10 allow an authenticated admin to create session cookies, though not sufficient for a valid session.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In PHOENIX CONTACT WP 6xxx series web panels (versions prior to 4.0.10), hardcoded cryptographic keys are stored on the device. An authenticated remote attacker with admin privileges can read these keys, enabling the creation of session cookies that appear valid. However, according to the CVE description, these crafted session cookies are not sufficient to obtain a valid session on the device. The vulnerability affects all versions before 4.0.10. [1]
Exploitation
An attacker must already have authenticated access to the device with admin privileges. With that access, the attacker can read the hardcoded cryptographic keys from the device's filesystem or memory and use them to forge session cookies. The advisory also notes that such an attacker can read arbitrary files and execute commands, but for this specific CVE the relevant step is reading the keys and crafting cookies. [1]
Impact
The attacker can create session cookies, but these cookies are not sufficient to obtain a valid session, so the direct impact of this vulnerability on its own is limited. However, the ability to read hardcoded keys may be combined with other vulnerabilities to achieve further compromise. The advisory lists an overall impact that includes gaining an administrative shell, executing OS commands and reading files, but those outcomes stem from other CVEs covered by the same advisory. For this CVE, the impact is the exposure of cryptographic keys and the ability to craft session cookies that are not by themselves valid. [1]
Mitigation
The vendor has released firmware version 4.0.10 which addresses this vulnerability. Users should update to version 4.0.10 or later. No workarounds are mentioned. The advisory does not list this CVE as being in the KEV catalog. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <4.0.10
- PHOENIX CONTACT/WP 6070-WVPS
- PHOENIX CONTACT/WP 6101-WXPS
- PHOENIX CONTACT/WP 6121-WXPS
- PHOENIX CONTACT/WP 6156-WHPS
- PHOENIX CONTACT/WP 6185-WHPS
- PHOENIX CONTACT/WP 6215-WHPS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.