Multiple vulnerabilities in Phoenix Contact CHARX SEC controllers
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2024-28137 CVE-2024-28133 CVE-2024-28134 CVE-2024-28135 CVE-2024-28136 |
| CWE-ID | CWE-367 CWE-426 CWE-319 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
CHARX SEC-3000 Hardware solutions / Firmware CHARX SEC-3050 Hardware solutions / Firmware CHARX SEC-3100 Hardware solutions / Firmware CHARX SEC-3150 Hardware solutions / Firmware |
| Vendor | Phoenix Contact GmbH |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Time-of-check Time-of-use (TOCTOU) Race Condition
EUVDB-ID: #VU89907
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-28137
CWE-ID:
CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Exploit availability: No
DescriptionThe vulnerability allows a local user to compromise the target system.
The vulnerability exists due to a time-of-check, time-of-use (TOCTOU) race condition within the /etc/init.d/user-applications script. A local user can create a symbolic link to change ownership of arbitrary files and gain elevated privilege on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsCHARX SEC-3000: 1.5.1
CHARX SEC-3050: 1.5.1
CHARX SEC-3100: 1.5.1
CHARX SEC-3150: 1.5.1
CPE2.3- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3000:*:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3000:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3050:*:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3050:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3100:*:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3100:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3150:*:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3150:1.5.1:*:*:*:*:*:*:*
https://cert.vde.com/en/advisories/VDE-2024-019
https://www.zerodayinitiative.com/advisories/ZDI-24-523/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Untrusted search path
EUVDB-ID: #VU89911
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-28133
CWE-ID:
CWE-426 - Untrusted Search Path
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to usage of an untrusted search path within the charx_set_timezone binary in the CHARX system utility. A local user can place a malicious binary into a specific location on the system and execute arbitrary code with escalated privileges.
MitigationInstall updates from vendor's website.
Vulnerable software versionsCHARX SEC-3000: 1.5.1
CHARX SEC-3050: 1.5.1
CHARX SEC-3100: 1.5.1
CHARX SEC-3150: 1.5.1
CPE2.3- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3000:*:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3000:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3050:*:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3050:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3100:*:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3100:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3150:*:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3150:1.5.1:*:*:*:*:*:*:*
https://cert.vde.com/en/advisories/VDE-2024-019
https://www.zerodayinitiative.com/advisories/ZDI-24-519/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Cleartext transmission of sensitive information
EUVDB-ID: #VU89910
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-28134
CWE-ID:
CWE-319 - Cleartext Transmission of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to software uses insecure communication channel to transmit sensitive information within the configuration of nginx. A remote attacker with ability to intercept network traffic can gain access to sensitive data and gain web-based management access with the privileges of the currently logged in user.
MitigationInstall updates from vendor's website.
Vulnerable software versionsCHARX SEC-3000: 1.5.1
CHARX SEC-3050: 1.5.1
CHARX SEC-3100: 1.5.1
CHARX SEC-3150: 1.5.1
CPE2.3- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3000:*:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3000:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3050:*:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3050:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3100:*:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3100:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3150:*:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3150:1.5.1:*:*:*:*:*:*:*
https://cert.vde.com/en/advisories/VDE-2024-019
https://www.zerodayinitiative.com/advisories/ZDI-24-520/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU89909
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-28135
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary commands on the system.
The vulnerability exists due to insufficient validation of user-supplied input within the handling of the filename parameter to the update2-install endpoint. A remote administrator on the local network can pass specially crafted data to the application and execute arbitrary commands on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsCHARX SEC-3000: 1.5.1
CHARX SEC-3050: 1.5.1
CHARX SEC-3100: 1.5.1
CHARX SEC-3150: 1.5.1
CPE2.3- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3000:*:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3000:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3050:*:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3050:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3100:*:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3100:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3150:*:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3150:1.5.1:*:*:*:*:*:*:*
https://cert.vde.com/en/advisories/VDE-2024-019
https://www.zerodayinitiative.com/advisories/ZDI-24-522/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU89908
Risk: Medium
CVSSv4.0: 5.2 [CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-28136
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to insufficient validation of user-supplied input in the charx_pack_logs function within the handling of the Charger ID parameter to the Get Diagnostics command. A remote attacker on the local network can pass specially crafted data to the application and execute arbitrary commands on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsCHARX SEC-3000: 1.5.1
CHARX SEC-3050: 1.5.1
CHARX SEC-3100: 1.5.1
CHARX SEC-3150: 1.5.1
CPE2.3- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3000:*:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3000:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3050:*:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3050:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3100:*:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3100:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3150:*:*:*:*:*:*:*:*
- cpe:2.3:h:phoenix_contact_gmbh:charx_sec-3150:1.5.1:*:*:*:*:*:*:*
https://cert.vde.com/en/advisories/VDE-2024-019
https://www.zerodayinitiative.com/advisories/ZDI-24-522/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
