CVE-2023-5592 – Phoenix Contact: ProConOs prone to Download of Code Without Integrity Check
https://notcve.org/view.php?id=CVE-2023-5592
Download of Code Without Integrity Check vulnerability in PHOENIX CONTACT MULTIPROG, PHOENIX CONTACT ProConOS eCLR (SDK) allows an unauthenticated remote attacker to download and execute applications without integrity checks on the device which may result in a complete loss of integrity. Vulnerabilidad de descarga de código sin verificación de integridad en PHOENIX CONTACT MULTIPROG, PHOENIX CONTACT ProConOS eCLR (SDK) permite a un atacante remoto no autenticado descargar y ejecutar aplicaciones sin verificaciones de integridad en el dispositivo, lo que puede resultar en una pérdida total de integridad. • https://cert.vde.com/en/advisories/VDE-2023-054 • CWE-494: Download of Code Without Integrity Check •
CVE-2023-0757 – Phoenix Contact ProConOS prone to Incorrect Permission Assignment for Critical Resource
https://notcve.org/view.php?id=CVE-2023-0757
Incorrect Permission Assignment for Critical Resource vulnerability in PHOENIX CONTACT MULTIPROG, PHOENIX CONTACT ProConOS eCLR (SDK) allows an unauthenticated remote attacker to upload arbitrary malicious code and gain full access on the affected device. Asignación de permisos incorrecta para una vulnerabilidad de recursos críticos en PHOENIX CONTACT MULTIPROG, PHOENIX CONTACT ProConOS eCLR (SDK) permite a un atacante remoto no autenticado cargar código malicioso arbitrario y obtener acceso completo al dispositivo afectado. • https://cert.vde.com/en/advisories/VDE-2023-051 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2022-31801 – Insufficient Verification of Data Vulnerability in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool
https://notcve.org/view.php?id=CVE-2022-31801
An unauthenticated, remote attacker could upload malicious logic to the devices based on ProConOS/ProConOS eCLR in order to gain full control over the device. Un atacante remoto no autenticado podría cargar lógica maliciosa en los dispositivos basados en ProConOS/ProConOS eCLR para conseguir el control total del dispositivo • https://cert.vde.com/en/advisories/VDE-2022-026 • CWE-345: Insufficient Verification of Data Authenticity •
CVE-2014-9195 – Phoenix Contact ILC 150 ETH PLC - Remote Control Script
https://notcve.org/view.php?id=CVE-2014-9195
Phoenix Contact ProConOs and MultiProg do not require authentication, which allows remote attackers to execute arbitrary commands via protocol-compliant traffic. Phoenix Contact ProConOs y MultiProg no requieren autenticación, lo que permite a atacantes remotos ejecutar comandos arbitrarios a través de trafico conforme con el protocolo. PhoenixContact Programmable Logic Controllers are built upon a variant of ProConOS. Communicating using a proprietary protocol over ports TCP/1962 and TCP/41100 or TCP/20547. It allows a remote user to read out the PLC Type, Firmware and Build number on port TCP/1962. • https://www.exploit-db.com/exploits/37066 https://ics-cert.us-cert.gov/advisories/ICSA-15-013-03 • CWE-255: Credentials Management Errors •