
Insecure permissions in ILC and AXC controllers leaves over 1,200 ICS devices vulnerable to attacks over the internet

Sergiu Sechel
Feb 3, 2019 · 4 min read

About PCWorx and ILC/AXC controllers

PCWorx is a protocol found in several ICS (industrial control systems) components made by Phoenix Contact. They make a series of inline controllers called ILC. The controllers support several ICS protocols as well as common TCP/IP protocols such as HTTP, FTP, SNTP, SNMP, SMTP, SQL, MySQL, etc. ILC controllers are commonly used to transmit information over long distances and are deployed in a wide range of ICS and SCADA systems, including power plants, utilities, and manufacturing.

The AXC is a modular small-scale controller for the Axioline I/O system. It is fast, robust, and simple to use, being designed for maximum performance, easy handling, and operation in harsh industrial environments.

It has been known for some time that PCWorx devices can be interrogated to obtain information such as the firmware version, project name, and model type. In NMAP, the use of the will return the information mentioned above.

Unauthenticated access via port 1962

By using the official software, provided for free by Phoenix Contact, one can interact with the ILC/AXC controllers and perform various actions on them like:

  • change the IP address
  • change the clock settings
  • start/stop the PLC
  • backup the entire configuration of the PLC and the project files to local disk
  • update/modify the firmware
  • enable/disable firmware services
ILC Controllers — Configuration Software

Downloading project files and configuration settings over FTP

The configuration issue allows an anonymous user to interact with the ILC/AXC controller over a TCP connection to port 1962 without performing any authentication. The upload and download actions are performed via FTP on port 21, again without any authentication. Simply using the “Create Backup” feature causes the directory listing of all projects and related configuration files to be streamed over FTP in clear text.

TCP stream of an ILC directory listing exposed over FTP (Wireshark)

FTP connectivity can also be established directly from a browser or an FTP client. By typing in the browser address bar, the directory listing will be displayed.

FTP directory listing of an ILC controller

From the /webs folder an attacker can download the “WebVisit” project files (if they are available) and inspect them offline to understand the purpose of the infrastructure managed by the controller.

A potential directory traversal issue was also identified, because an attacker can gain access to the root folder.

Possible directory traversal vulnerability

Attack Surface

The ILC controllers that have this configuration issue are the following:

  • ILC 131 ETH
  • ILC 131 ETH/XC
  • ILC 151 ETH
  • ILC 151 ETH/XC
  • ILC 171 ETH 2TX
  • ILC 191 ETH 2TX
  • ILC 191 ME/AN
  • AXC 1050

At the time of writing, more than 1,200 ILC controllers and 66 AXC 1050 controllers affected by this vulnerability were identified on Shodan. Most of them are located in Italy, Germany, the Netherlands, and Turkey.


Remedy

At this moment I have not found any security steps or recommended measures to force an authentication mechanism on ILC/AXC controllers when using port 1962 for interaction with the controllers.

Best practices related to the configuration and deployment of Phoenix Contact products are available at:

How to test if your ILC/AXC controllers are vulnerable

Exposure of ILC/AXC controllers to public networks like the internet increases the risk of exploitation. Several ILC controllers were configured with private IPv4 addresses (192.168.0.0–192.168.255.255, 172.16.0.0–172.31.255.255, 10.0.0.0–10.255.255.255) but were still reachable from the internet through a public IP address. The following tests identify whether ILC/AXC controllers are accessible from the internet.

Using Shodan: by using the , Shodan will display all publicly exposed IP addresses that accept connections on port 1962 in a given subnet.

Using NMAP: from an external network, issue the following command: . NMAP will display the details of all devices that accept connections on port 1962 and use the PCWorx protocol.

It is important to scan the GSM/GPRS public IP addresses of the ILC/AXC controllers and not just the public IP addresses used for normal internet access, to ensure that all exposed controllers are identified.
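Besides scanning from the outside, a defender can check existing firewall or netflow logs for sessions that reach the two unauthenticated services the post describes (PCWorx on TCP/1962 and FTP on TCP/21) from addresses outside the RFC 1918 ranges listed above. The script below is an added example, not part of the original post; it assumes a simple space-separated log format that I constructed for illustration, and the sample records use documentation address ranges as stand-ins for public sources.

```python
"""Flag allowed sessions from internet sources to ILC/AXC service ports.

Added example (not from the original post). Assumed log format, one record
per line: <timestamp> <src_ip> <dst_ip> <proto> <dst_port> <action>
"""
import ipaddress
from typing import Dict, List

# Services the post identifies as reachable without authentication.
PLC_PORTS = {1962: "PCWorx", 21: "FTP"}

# The private IPv4 ranges named in the post; anything else is treated as internet.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records; 203.0.113.x and 198.51.100.x are documentation
# ranges used here as stand-ins for public source addresses.
SAMPLE_LOG = """\
2019-02-01T10:00:01Z 203.0.113.7 192.168.0.10 tcp 1962 allow
2019-02-01T10:00:02Z 192.168.0.5 192.168.0.10 tcp 1962 allow
2019-02-01T10:00:03Z 198.51.100.9 10.0.0.20 tcp 21 allow
2019-02-01T10:00:04Z 203.0.113.7 192.168.0.10 tcp 80 allow
2019-02-01T10:00:05Z 198.51.100.9 10.0.0.20 tcp 21 deny
"""


def is_internet_source(addr) -> bool:
    """True when the address falls outside the post's private IPv4 ranges."""
    ip = ipaddress.ip_address(str(addr))
    return not any(ip in net for net in INTERNAL_NETS)


def parse_record(line: str) -> Dict[str, object]:
    ts, src, dst, proto, port, action = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto.lower(),
            "port": int(port), "action": action.lower()}


def exposed_sessions(log_text: str) -> List[Dict[str, object]]:
    """Return allowed TCP sessions from internet sources to a PLC service port."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if (rec["proto"] == "tcp" and rec["port"] in PLC_PORTS
                and rec["action"] == "allow" and is_internet_source(rec["src"])):
            rec["service"] = PLC_PORTS[rec["port"]]
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in exposed_sessions(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['port']} ({h['service']})")
```

Every hit is a controller that an arbitrary internet host could back up, reconfigure, or stop without credentials, so each one should be moved behind a firewall or VPN rather than left as a monitoring item.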

(CVE-2019-9201) — https://nvd.nist.gov/vuln/detail/CVE-2019-9201
