PHOENIX CONTACT: OS Command Injection in WP 6xxx Web panels
Description
An authenticated attacker can upload a specially crafted certificate to PHOENIX CONTACT WP 6xxx series web panels (before 4.0.10) via HTTP POST to execute arbitrary commands as root.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In PHOENIX CONTACT's WP 6xxx series web panels in versions prior to 4.0.10, an authenticated remote attacker can cause arbitrary code execution with root permissions by uploading a specially crafted certificate to the device via an HTTP POST request [1]. The vulnerability lies in the certificate handling functionality accessible to authenticated users.
Exploitation
An attacker needs valid authentication credentials for the web panel. The attacker sends a crafted HTTP POST request containing a maliciously formed certificate file to the device. The improper validation of the certificate data leads to command injection or other code execution within the root context [1].
Impact
Upon successful exploitation, the attacker can execute arbitrary operating system commands with root privileges, compromising the confidentiality, integrity, and availability of the device. This includes gaining an administrative shell, reading arbitrary files, and performing other privileged actions [1].
Mitigation
Phoenix Contact released version 4.0.10 to address this vulnerability. Users should update their WP 6xxx series web panels to version 4.0.10 or later [1]. No workarounds have been disclosed in the available references.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (7)
- Range: <4.0.10
- PHOENIX CONTACT/WP 6070-WVPS v5 Range: 0
- PHOENIX CONTACT/WP 6101-WXPS v5 Range: 0
- PHOENIX CONTACT/WP 6121-WXPS v5 Range: 0
- PHOENIX CONTACT/WP 6156-WHPS v5 Range: 0
- PHOENIX CONTACT/WP 6185-WHPS v5 Range: 0
- PHOENIX CONTACT/WP 6215-WHPS v5 Range: 0