CVE-2019-12870

24.06.2019, 16:15

An issue was discovered in PHOENIX CONTACT PC Worx through 1.86, PC Worx Express through 1.86, and Config+ through 1.86. A manipulated PC Worx or Config+ project file could lead to an Uninitialized Pointer and remote code execution. The attacker needs to get access to an original PC Worx or Config+ project file to be able to manipulate it. After manipulation, the attacker needs to exchange the original file with the manipulated one on the application programming workstation.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 81%

Vendor	Product	Version
phoenixcontact	automationworx_software_suite	𝑥 ≤ 1.86

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-824 - Access of Uninitialized Pointer
The program accesses or uses a pointer that has not been initialized.

References

https://cert.vde.com/en-us/advisories/vde-2019-014

https://www.zerodayinitiative.com/advisories/ZDI-19-575/

https://cert.vde.com/en-us/advisories/vde-2019-014

https://www.zerodayinitiative.com/advisories/ZDI-19-575/