Phoenix Contact: Automation Worx and classic line controllers prone to Incorrect Permission Assignment for Critical Resource
Description
A remote unauthenticated attacker can achieve full device compromise in Phoenix Contact classic line controllers due to incorrect permission assignment for critical resources.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability, identified as CVE-2023-46141, exists in multiple products of the PHOENIX CONTACT classic line, including controllers and the Automation Worx Software Suite. It stems from an incorrect permission assignment for a critical resource, which allows a remote unauthenticated attacker to gain full access to the affected device. The code path is reachable without any prior authentication or special configuration, as the device does not enforce proper access controls on critical operations. The affected versions are detailed in the vendor advisory [1].
Exploitation
An attacker does not require any local access, user interaction, or prior authentication. The attack can be carried out remotely over a network. As described in the advisory, the exploitation likely involves sending crafted packets or requests to the affected device's exposed services, leveraging the missing permission checks to escalate privileges or bypass access controls [1]. The attacker must be on the same network segment or have network reachability to the device; however, the advisory emphasizes that these controllers are intended for closed industrial networks with perimeter defenses [1].
Impact
Successful exploitation grants the attacker full control over the affected controller. This means the attacker can read, modify, or destroy any data processed by the device, execute arbitrary commands, and potentially pivot to other devices on the network. The confidentiality, integrity, and availability of the device and its associated processes are completely compromised [1]. The advisory notes that connecting engineering tools to the controller should always be in a protected environment, highlighting the severity of unauthenticated access [1].
Mitigation
According to the advisory [1], the vendor recommends operating the classic line controllers only in closed networks or behind a suitable firewall. As a workaround, OT communication protocols should be disabled if the controller cannot be placed in a protected zone; the specific firmware versions supporting this feature are identified in the application note for classic line controllers or the device manual. No fixed firmware version or patch is mentioned in the available references as of the publication date. Users should follow the measures outlined in the advisory to protect devices based on classic control technology [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (19)
- Range: all
- PHOENIX CONTACT/AXC 1050 (v5), range: all
- PHOENIX CONTACT/AXC 1050 XC (v5), range: all
- PHOENIX CONTACT/AXC 3050 (v5), range: all
- PHOENIX CONTACT/Config+ (v5), range: all
- PHOENIX CONTACT/FC 350 PCI ETH (v5), range: all
- PHOENIX CONTACT/ILC1x0 (v5), range: all
- PHOENIX CONTACT/ILC1x1 (v5), range: all
- PHOENIX CONTACT/ILC 3xx (v5), range: all
- (no CPE), range: all
- (no CPE), range: all
- Range: all
- PHOENIX CONTACT/PC WORX RT BASIC (v5), range: all
- PHOENIX CONTACT/RFC 430 ETH-IB (v5), range: all
- PHOENIX CONTACT/RFC 450 ETH-IB (v5), range: all
- PHOENIX CONTACT/RFC 460R PN 3TX (v5), range: all
- PHOENIX CONTACT/RFC 470S PN 3TX (v5), range: all
- PHOENIX CONTACT/RFC 480S PN 4TX (v5), range: all
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.