CVE-2020-12517: PLCnext AXC F 2152 Stored Cross-Site-Scripting (Authenticated)

Patrick Münch
, in 18 December 2020

Overview

Background

From the vendor’s website: “PLCnext Control devices enable you to work flexibly with your preferred programming languages, whether IEC 61131-3 or high-level languages. Unlimited flexibility with the quick and easy integration of open-source software and apps, current and future communication standards, and intelligent networking through connection to the cloud afford maximum freedom for your transition into the digital age.”

About the Vendor

PHOENIX CONTACT immediately took care of the vulnerability and provided appropriate firmware very promptly. This is how we imagine vendors should deal with vulnerabilities.

Thank you at PHOENIX CONTACT!!!

Issue Description

While analyzing the implementation of the PLCnext AXC F 2152 web interface, multiple stored cross-site-scripting (XSS) vulnerabilitues have been identified, which can be exploited by an authenticated, low privileged user to get admin rights, after an admin user visits the vulnerable website.

As an example, the Vulnerabilites were spotted in the following HTTP-Parameters, which were not checked and santized correctly:

/wbm/UserManager.cgi?AddUser
- username
/wbm/TrustStoreManager.cgi?addStore
- TrustStoreName
/wbm/IdentityStoreManager.cgi?generateKeyPair
- IdentityStoreName

CVE

CVE-2020-12517

VDE CERT

NVD

CVSSv3.1 Base Score

CVSS Base Score: 8.8

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Credit

Patrick Muench of SVA System Vertrieb Alexander GmbH

Torsten Loebner of SVA System Vertrieb Alexander GmbH

Pascal Keul of SVA System Vertrieb Alexander GmbH

Maurice Rothe of SVA System Vertrieb Alexander GmbH

Daniel Hackel ofSVA System Vertrieb Alexander GmbH

Disclaimer

The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.

The contents of this advisory are copyright (c) 2020 SVA System Vertrieb Alexander GmbH and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.