SB2022062220 - Missing Authentication for Critical Function in Phoenix Contact Classic Line Industrial Controllers

Description

This security bulletin contains information about 1 vulnerability.

1) Missing Authentication for Critical Function (CVE-ID: CVE-2019-9201)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the affected product does not feature a function to authenticate communication protocols. A remote attacker can change or download the configuration, start or stop services, update or modify the firmware or shut down the device.

Remediation

Install update from vendor's website.

References

• https://medium.com/@SergiuSechel/misconfiguration-in-ilc-gsm-gprs-devices-leaves-over-1-200-ics-devices-vulnerable-to-attacks-over-82c2d4a91561
• https://cert.vde.com/en/advisories/VDE-2019-015/
• https://www.cisa.gov/uscert/ics/advisories/icsa-22-172-05