Details of VAR-201910-0993

ID

VAR-201910-0993

CVE

CVE-2019-16675

TITLE

Phoenix Contact Automationworx BCP File Parsing Memory Corruption Remote Code Execution Vulnerability

Trust: 1.4

sources: ZDI: ZDI-19-922 // ZDI: ZDI-19-923

DESCRIPTION

An issue was discovered in PHOENIX CONTACT PC Worx through 1.86, PC Worx Express through 1.86, and Config+ through 1.86. A manipulated PC Worx or Config+ project file could lead to an Out-of-bounds Read and remote code execution. The attacker needs to get access to an original PC Worx or Config+ project to be able to manipulate data inside. After manipulation, the attacker needs to exchange the original files with the manipulated ones on the application programming workstation. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Phoenix Contact Automationworx. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of BCP files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. The Automation Worx Software Suite is an automation package from Phoenix Contact

Trust: 4.32

sources: NVD: CVE-2019-16675 // JVNDB: JVNDB-2019-011621 // ZDI: ZDI-19-922 // ZDI: ZDI-19-923 // ZDI: ZDI-19-991 // CNVD: CNVD-2019-40083 // IVD: 22dcaf1b-5ab4-4d7f-ac27-00246d44ba9f // VULMON: CVE-2019-16675

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 22dcaf1b-5ab4-4d7f-ac27-00246d44ba9f // CNVD: CNVD-2019-40083

AFFECTED PRODUCTS

vendor:	phoenix contact	model:	automationworx	scope:	-	version:	-	Trust: 2.1
vendor:	phoenixcontact	model:	pc worx express	scope:	lte	version:	1.86	Trust: 1.0
vendor:	phoenixcontact	model:	config\+	scope:	lte	version:	1.86	Trust: 1.0
vendor:	phoenixcontact	model:	pc worx	scope:	lte	version:	1.86	Trust: 1.0
vendor:	phoenix contact	model:	config+	scope:	lte	version:	1.86	Trust: 0.8
vendor:	phoenix contact	model:	pc worx	scope:	lte	version:	1.86	Trust: 0.8
vendor:	phoenix contact	model:	pc worx express	scope:	lte	version:	1.86	Trust: 0.8
vendor:	phoenix	model:	contact worx	scope:	lte	version:	<=1.86	Trust: 0.6
vendor:	phoenix	model:	contact worx express	scope:	lte	version:	<=1.86	Trust: 0.6
vendor:	phoenix	model:	contact config+	scope:	lte	version:	<=1.86	Trust: 0.6
vendor:	config	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	pc worx	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	pc worx express	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 22dcaf1b-5ab4-4d7f-ac27-00246d44ba9f // ZDI: ZDI-19-922 // ZDI: ZDI-19-923 // ZDI: ZDI-19-991 // CNVD: CNVD-2019-40083 // JVNDB: JVNDB-2019-011621 // NVD: CVE-2019-16675

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI:	CVE-2019-16675
value:	HIGH
Trust: 2.1
nvd@nist.gov:	CVE-2019-16675
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-16675
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2019-40083
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201910-1720
value:	HIGH
Trust: 0.6
IVD:	22dcaf1b-5ab4-4d7f-ac27-00246d44ba9f
value:	HIGH
Trust: 0.2
VULMON:	CVE-2019-16675
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-16675
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2019-40083
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	22dcaf1b-5ab4-4d7f-ac27-00246d44ba9f
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

ZDI:	CVE-2019-16675
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.0
Trust: 2.1
nvd@nist.gov:	CVE-2019-16675
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2019-16675
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: 22dcaf1b-5ab4-4d7f-ac27-00246d44ba9f // ZDI: ZDI-19-922 // ZDI: ZDI-19-923 // ZDI: ZDI-19-991 // CNVD: CNVD-2019-40083 // VULMON: CVE-2019-16675 // JVNDB: JVNDB-2019-011621 // CNNVD: CNNVD-201910-1720 // NVD: CVE-2019-16675

PROBLEMTYPE DATA

problemtype:	CWE-125	Trust: 1.0
problemtype:	CWE-20	Trust: 0.8

sources: JVNDB: JVNDB-2019-011621 // NVD: CVE-2019-16675

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201910-1720

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201910-1720

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-011621

PATCH

title:	Phoenix Contact has issued an update to correct this vulnerability.	url:	https://www.us-cert.gov/ics/advisories/icsa-19-302-01	Trust: 2.1
title:	Top Page	url:	https://www.phoenixcontact.com/online/portal/pc	Trust: 0.8

sources: ZDI: ZDI-19-922 // ZDI: ZDI-19-923 // ZDI: ZDI-19-991 // JVNDB: JVNDB-2019-011621

EXTERNAL IDS

db:	NVD	id:	CVE-2019-16675	Trust: 5.4
db:	ICS CERT	id:	ICSA-19-302-01	Trust: 3.1
db:	ZDI	id:	ZDI-19-922	Trust: 2.4
db:	ZDI	id:	ZDI-19-991	Trust: 2.4
db:	ZDI	id:	ZDI-19-923	Trust: 1.3
db:	CNVD	id:	CNVD-2019-40083	Trust: 0.8
db:	CNNVD	id:	CNNVD-201910-1720	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-011621	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-7782	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-7783	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-8097	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.4007	Trust: 0.6
db:	IVD	id:	22DCAF1B-5AB4-4D7F-AC27-00246D44BA9F	Trust: 0.2
db:	VULMON	id:	CVE-2019-16675	Trust: 0.1

REFERENCES

url:	https://www.us-cert.gov/ics/advisories/icsa-19-302-01	Trust: 5.2
url:	https://www.zerodayinitiative.com/advisories/zdi-19-922/	Trust: 1.7
url:	https://cert.vde.com/en-us/advisories	Trust: 1.7
url:	https://www.zerodayinitiative.com/advisories/zdi-19-991/	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-16675	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-16675	Trust: 0.8
url:	https://www.zerodayinitiative.com/advisories/zdi-19-923/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.4007/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/125.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/110659	Trust: 0.1

sources: ZDI: ZDI-19-922 // ZDI: ZDI-19-923 // ZDI: ZDI-19-991 // CNVD: CNVD-2019-40083 // VULMON: CVE-2019-16675 // JVNDB: JVNDB-2019-011621 // CNNVD: CNNVD-201910-1720 // NVD: CVE-2019-16675

CREDITS

9sg Security Team

Trust: 1.4

sources: ZDI: ZDI-19-922 // ZDI: ZDI-19-991

SOURCES

db:	IVD	id:	22dcaf1b-5ab4-4d7f-ac27-00246d44ba9f
db:	ZDI	id:	ZDI-19-922
db:	ZDI	id:	ZDI-19-923
db:	ZDI	id:	ZDI-19-991
db:	CNVD	id:	CNVD-2019-40083
db:	VULMON	id:	CVE-2019-16675
db:	JVNDB	id:	JVNDB-2019-011621
db:	CNNVD	id:	CNNVD-201910-1720
db:	NVD	id:	CVE-2019-16675

LAST UPDATE DATE

2024-11-23T22:05:58.228000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-19-922	date:	2019-10-29T00:00:00
db:	ZDI	id:	ZDI-19-923	date:	2019-10-29T00:00:00
db:	ZDI	id:	ZDI-19-991	date:	2019-11-26T00:00:00
db:	CNVD	id:	CNVD-2019-40083	date:	2019-11-12T00:00:00
db:	VULMON	id:	CVE-2019-16675	date:	2020-08-24T00:00:00
db:	JVNDB	id:	JVNDB-2019-011621	date:	2019-11-14T00:00:00
db:	CNNVD	id:	CNNVD-201910-1720	date:	2020-08-25T00:00:00
db:	NVD	id:	CVE-2019-16675	date:	2024-11-21T04:30:57.417

SOURCES RELEASE DATE

db:	IVD	id:	22dcaf1b-5ab4-4d7f-ac27-00246d44ba9f	date:	2019-11-12T00:00:00
db:	ZDI	id:	ZDI-19-922	date:	2019-10-29T00:00:00
db:	ZDI	id:	ZDI-19-923	date:	2019-10-29T00:00:00
db:	ZDI	id:	ZDI-19-991	date:	2019-11-26T00:00:00
db:	CNVD	id:	CNVD-2019-40083	date:	2019-11-12T00:00:00
db:	VULMON	id:	CVE-2019-16675	date:	2019-10-31T00:00:00
db:	JVNDB	id:	JVNDB-2019-011621	date:	2019-11-14T00:00:00
db:	CNNVD	id:	CNNVD-201910-1720	date:	2019-10-29T00:00:00
db:	NVD	id:	CVE-2019-16675	date:	2019-10-31T22:15:10.567