CVE-2020-12517: PLCnext AXC F 2152 Improper Privilege Management

Patrick Münch, 18 December 2020

Overview

Background

From the vendor’s website: “PLCnext Control devices enable you to work flexibly with your preferred programming languages, whether IEC 61131-3 or high-level languages. Unlimited flexibility with the quick and easy integration of open-source software and apps, current and future communication standards, and intelligent networking through connection to the cloud afford maximum freedom for your transition into the digital age.”

About the Vendor

PHOENIX CONTACT immediately took care of the vulnerability and provided appropriate firmware very promptly. This is how we imagine vendors should deal with vulnerabilities.

Thank you, PHOENIX CONTACT!!!

Issue Description

While analyzing the implementation of PLCnext, it was possible to escalate privileges and gain root access to the PLCnext. The PLCnext firmware user is not allowed to log in, but is allowed to execute the date and tcpdump commands with root privileges on the Linux shell. This user can run these commands without entering a password.
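An audit check for this class of misconfiguration, added here as an example and not taken from the advisory or the vendor: it lists accounts that may run `date` or `tcpdump` as root without a password. It assumes the privilege is granted through sudo `NOPASSWD` rules, which the advisory does not state; the account name `fwuser` and the binary paths in the sample are constructed placeholders.

```python
import re
from posixpath import basename

# Constructed sample; account names and paths are placeholders, not device values.
SAMPLE_SUDOERS = """\
# constructed example
Defaults env_reset
admin    ALL=(ALL) ALL
fwuser   ALL=(root) NOPASSWD: /bin/date, \\
                    /usr/sbin/tcpdump
operator ALL=(root) NOPASSWD: /bin/date ""
"""

SPEC = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?P<cmds>.+)$")
TAG = re.compile(r"^(?P<tag>[A-Z_]+):\s*")
RUNAS = re.compile(r"^\((?P<runas>[^)]*)\)\s*")

def audit_sudoers(text, watched=("date", "tcpdump")):
    """Return passwordless run-as-root grants for the watched binaries.

    Handles simple user specifications only (no aliases, no run-as lists
    containing commas, no '#include' processing).
    """
    findings = []
    joined = re.sub(r"\\\n\s*", " ", text)        # fold continuation lines
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = SPEC.match(line)
        if not m or re.match(r"(Defaults|\w+_Alias)\b", line):
            continue
        runas, nopasswd = "root", False           # sudo runs as root by default
        for item in m["cmds"].split(","):
            item = item.strip()
            if (r := RUNAS.match(item)):          # run-as carries to later commands
                runas, item = r["runas"], item[r.end():]
            while (t := TAG.match(item)):         # tags carry to later commands too
                if t["tag"] in ("NOPASSWD", "PASSWD"):
                    nopasswd = t["tag"] == "NOPASSWD"
                item = item[t.end():]
            path, _, args = item.partition(" ")
            as_root = any(u in ("root", "ALL") for u in re.split(r"[:\s]+", runas))
            if nopasswd and as_root and basename(path) in watched:
                # No argument list in the rule means sudo accepts any arguments.
                findings.append({"account": m["who"], "command": path,
                                 "any_args": args.strip() == ""})
    return findings

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f)
```

Rules reported with `any_args` set to true deserve the closest review, since the account chooses the full command line that runs as root.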

CVE

CVE-2020-12519

VDE CERT

NVD

CVSSv3.1 Base Score

CVSS Base Score: 8.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Credit

Patrick Muench of SVA System Vertrieb Alexander GmbH

Torsten Loebner of SVA System Vertrieb Alexander GmbH

Pascal Keul of SVA System Vertrieb Alexander GmbH

Maurice Rothe of SVA System Vertrieb Alexander GmbH

Daniel Hackel of SVA System Vertrieb Alexander GmbH

Disclaimer

The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.

The contents of this advisory are copyright (c) 2020 SVA System Vertrieb Alexander GmbH and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.