(Pwn2Own) Phoenix Contact CHARX SEC-3100 MQTT Protocol JSON Parsing Buffer Overflow Remote Code Execution Vulnerability

June 21st, 2024
ZDI-24-862 ZDI-CAN-23304

CVE ID

CVE-2024-26001

CVSS Score

5.0 AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected Vendors

Phoenix Contact

Affected Products

CHARX SEC-3100

Vulnerability Details

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Phoenix Contact CHARX SEC-3100 devices. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of JSON-encoded arrays. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a buffer. An attacker can leverage this vulnerability to execute code in the context of the charx-ea user.

Additional Details

Phoenix Contact has issued an update to correct this vulnerability. More details can be found at:
https://cert.vde.com/en/advisories/VDE-2024-011/

Disclosure Timeline

  • 2024-02-02 - Vulnerability reported to vendor
  • 2024-06-21 - Coordinated public release of advisory
  • 2024-08-15 - Advisory Updated

Credit

Midnight Blue / PHP Hooligans

Back to Advisories