SB2024053021 - Multiple vulnerabilities in Phoenix Contact CHARX SEC controllers

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2024-28137)

The vulnerability allows a local user to compromise the target system.

The vulnerability exists due to a time-of-check, time-of-use (TOCTOU) race condition within the /etc/init.d/user-applications script. A local user can create a symbolic link to change ownership of arbitrary files and gain elevated privilege on the system.

2) Untrusted search path (CVE-ID: CVE-2024-28133)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to usage of an untrusted search path within the charx_set_timezone binary in the CHARX system utility. A local user can place a malicious binary into a specific location on the system and execute arbitrary code with escalated privileges.

3) Cleartext transmission of sensitive information (CVE-ID: CVE-2024-28134)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to software uses insecure communication channel to transmit sensitive information within the configuration of nginx. A remote attacker with ability to intercept network traffic can gain access to sensitive data and gain web-based management access with the privileges of the currently logged in user.

4) Input validation error (CVE-ID: CVE-2024-28135)

The vulnerability allows a remote user to execute arbitrary commands on the system.

The vulnerability exists due to insufficient validation of user-supplied input within the handling of the filename parameter to the update2-install endpoint. A remote administrator on the local network can pass specially crafted data to the application and execute arbitrary commands on the target system.

5) Input validation error (CVE-ID: CVE-2024-28136)

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to insufficient validation of user-supplied input in the charx_pack_logs function within the handling of the Charger ID parameter to the Get Diagnostics command. A remote attacker on the local network can pass specially crafted data to the application and execute arbitrary commands on the target system.

Remediation

Install update from vendor's website.

References

• https://cert.vde.com/en/advisories/VDE-2024-019
• https://www.zerodayinitiative.com/advisories/ZDI-24-523/
• https://www.zerodayinitiative.com/advisories/ZDI-24-519/
• https://www.zerodayinitiative.com/advisories/ZDI-24-520/
• https://www.zerodayinitiative.com/advisories/ZDI-24-522/