Insecure permissions in ILC and AXC controllers leaves over 1,200 ICS devices vulnerable to attacks over the internet

About PCWorx and ILC/AXC controllers

PCWorx is a protocol found in several ICS (industrial control systems)components made by Phoenix Contact. They make a series of inline controllers called ILC. The controllers allow the use of different ICS protocols and the use of common TCP/IP protocols like HTTP, FTP, SNTP, SNMP, SMTP, SQL, MySQL, etc. The ILC controllers are commonly used to transmit information over long distances and they are used in various ICS and SCADA systems, ranging from power plants, utilities, manufacturing etc.

The AXC is a modular small-scale controller for the Axioline I/O system. It is fast, robust, and easy, i.e., it is consistently designed for maximum performance, easy handling, and use in harsh industrial environments.

Is known for some time that PCWorx devices can be interrogated to obtain various information about the firmware version, project name, model type etc. In NMAP the use of the $ nmap -Pn -sT -p1962 — script pcworx-info <target>” will return the information mentioned above.

Unauthenticated access via port 1962

By using the official software, provided for free by Phoenix Contact, one can interact with the ILC/AXC controllers and perform various actions on them like:

  • change the IP address
  • change the clock settings
  • start/stop the PLC
  • backup the entire configuration of the PLC and the project files to local disk
  • update/modify the firmware
  • enable/disable firmware services
ILC Controllers — Configuration Software

Downloading project files and configuration settings over FTP

The configuration issue allows an anonymous user to interact using a TCP connection via port 1962 with the ILC/AXC controller without performing any authentication. The upload and download actions are performed via FTP over port 21, without any authentication. Just by accessing the “Create Backup” feature the directory listing of all the projects and related configuration files are streamed over FTP in clear text.

TCP stream of an ILC directory listing exposed over FTP (Wireshark)

FTP connectivity can be achieved also directly from a browser or an ftp client. By typing in the browser address ftp://<target ip>/webs the directory listing will be displayed.

FTP directory listing of an ILC controller

From the /webs folder an attacker can download the “WebVisit” project files (if they are available) and inspect them offline to understand the purpose of the infrastructure managed by the controller.

Also a potential directory traversal issue was identified because an attacker can gain access to the root folder.

Possible directory traversal vulnerability

Attack Surface

The ILC controllers that have this configuration issue are the following:

  • ILC 131 ETH
  • ILC 131 ETH/XC
  • ILC 151 ETH
  • ILC 151 ETH/XC
  • ILC 171 ETH 2TX
  • ILC 191 ETH 2TX
  • ILC 191 ME/AN
  • AXC 1050

At this moment on Shodan were identified more than 1,200 ILC controllers and 66 AXC 1050 controllers that have this vulnerability. Most of them are located in Italy, Germany, the Netherlands, and Turkey.

Remedy

At this moment I didn’t found anywhere security steps or recommended measures to force an authentication mechanism on ILC/AXC controllers when using port 1962 for interaction with the controllers.

Best practices related to the configuration and deployment of Phoenix Contact products are available at:

How to test if your ILC/AXC controllers are vulnerable

ILC/AXC controllers exposure over public networks like the internet increases the risk of exploitation. Several ILC controllers were configured using private IPv4 addresses (192.168.0.0–192.168.255.255, 172.16.0.0–172.31.255.255, 10.0.0.0–10.255.255.255) but still accessible from the internet using a public IP address. The following tests will identify if ILC/AXC controllers are accessible from the internet.

Using Shodan: By using the “net:xxx.xxx.xxx.xxx/xx port:1962 firmware”. Shodan will display all publicly exposed IP addresses that accept connections on the port 1962 in a given subnet.

Using NMAP: From an external network issue the following command: nmap -Pn -sT -p1962 — script pcworx-info xxx.xxx.xxx.xxx”. NMAP will display the details of all devices that accept connections over port 1962 and are using the PCworx protocol.

It is important to scan the GSM/GPRS public IP addresses of the ILC/AXC controllers and not just the public IP addresses used for normal internet access, to ensure that all exposed controllers are identified.

(CVE-2019–9201) — https://nvd.nist.gov/vuln/detail/CVE-2019-9201