Advisory Details

June 21st, 2024

(Pwn2Own) Phoenix Contact CHARX SEC-3100 MQTT Protocol JSON Parsing Buffer Overflow Remote Code Execution Vulnerability

ZDI-24-862
ZDI-CAN-23304

CVE ID CVE-2024-26001
CVSS SCORE 5.0, AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
AFFECTED VENDORS Phoenix Contact
AFFECTED PRODUCTS CHARX SEC-3100
VULNERABILITY DETAILS

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Phoenix Contact CHARX SEC-3100 devices. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of JSON-encoded arrays. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a buffer. An attacker can leverage this vulnerability to execute code in the context of the charx-ea user.

ADDITIONAL DETAILS Phoenix Contact has issued an update to correct this vulnerability. More details can be found at:
https://cert.vde.com/en/advisories/VDE-2024-011/
DISCLOSURE TIMELINE
  • 2024-02-02 - Vulnerability reported to vendor
  • 2024-06-21 - Coordinated public release of advisory
  • 2024-08-15 - Advisory Updated
CREDIT Midnight Blue / PHP Hooligans
BACK TO ADVISORIES