VDE-2022-058
Vulnerability from csaf_phoenixcontactgmbhcokg - Published: 2022-12-13 07:00 - Updated: 2025-05-14 13:00
Summary
PHOENIX CONTACT: Profinet SDK libexpat vulnerabilities
Notes
Summary: Two vulnerabilities have been discovered in the Expat XML parser library (aka libexpat). This open-source component is widely used in a lot of products worldwide. An attacker could cause a program to crash, use unexpected values or execute code by exploiting these use-after-free vulnerabilities.
The Profinet SDK uses the Expat XML parser library as the reference solution for loading the XML-based Profinet network configuration files (IPPNIO or TIC).
Impact: Availability, integrity, or confidentiality of a device using the PROFINET Controller Stack might be compromised by attacks exploiting these vulnerabilities.
Depending on the instantiation and timing of the defect, using previously freed memory might result in a variety of negative effects, from the corruption of valid data to the execution of arbitrary code. In the default installation a vulnerable libexpat is present, but it may have been replaced in the toolchain itself.
Mitigation: We strongly recommend that customers ensure that only data from reliable sources is used. Affected customers should also check whether vulnerable libexpat library versions are used in their specific configuration tool chain.
For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Remediation: Update configuration tool chains to libexpat library version 2.4.9.
Upgrade to PROFINET SDK 6.7.
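The mitigation above asks customers to check which libexpat version their configuration tool chain actually carries. The following is an added example of such a check and is not part of the advisory or of Phoenix Contact's tooling. It parses the version string that libexpat's XML_ExpatVersion() returns (the "expat_X.Y.Z" form, which is also embedded as a literal in the shared library and exposed by Python's pyexpat.EXPAT_VERSION), and compares it against the two ranges stated on this page: "before 2.4.9" for CVE-2022-40674 and "through 2.4.9" for CVE-2022-43680, for which the first release outside the stated range is taken to be 2.5.0 (an assumption derived from the wording, not a statement from the advisory). The sample binary blob is constructed for the demonstration.

```python
"""Check a libexpat version against the two CVEs listed in VDE-2022-058.

Added example, not part of the advisory. Assumptions: version strings are
either bare ("2.4.9") or in the XML_ExpatVersion() form ("expat_2.4.9");
the affected ranges are taken from the advisory's vulnerability text.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# CVE -> first version outside the affected range, from the advisory wording.
# "before 2.4.9" means 2.4.9 itself is clean; "through 2.4.9" means the first
# clean release is the next one, assumed here to be 2.5.0.
FIRST_CLEAN: Dict[str, Version] = {
    "CVE-2022-40674": (2, 4, 9),
    "CVE-2022-43680": (2, 5, 0),
}

VERSION_RE = re.compile(r"^(?:expat_)?(\d+)\.(\d+)\.(\d+)$")
# Pattern used to locate the embedded version literal inside a binary.
EMBEDDED_RE = re.compile(rb"expat_(\d+)\.(\d+)\.(\d+)")


def parse_expat_version(text: str) -> Optional[Version]:
    """Turn '2.4.9' or 'expat_2.4.9' into (2, 4, 9); None if unparseable."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, micro = (int(x) for x in m.groups())
    return (major, minor, micro)


def affected_cves(version: Version) -> List[str]:
    """CVEs from this advisory that still apply to the given version."""
    return [cve for cve, clean in FIRST_CLEAN.items() if version < clean]


def check_toolchain(version_text: str) -> dict:
    """Report for one version string: parsed tuple and the CVEs still open."""
    version = parse_expat_version(version_text)
    if version is None:
        return {"version": None, "affected": None, "note": "unparseable version string"}
    return {"version": version, "affected": affected_cves(version)}


def find_embedded_version(blob: bytes) -> Optional[Version]:
    """Locate the 'expat_X.Y.Z' literal that libexpat embeds via XML_ExpatVersion().

    Useful when a tool chain ships a prebuilt libexpat and no package metadata.
    """
    m = EMBEDDED_RE.search(blob)
    if not m:
        return None
    major, minor, micro = (int(x) for x in m.groups())
    return (major, minor, micro)


def local_python_expat() -> dict:
    """Check the libexpat bundled with the running Python interpreter."""
    import pyexpat  # pyexpat.EXPAT_VERSION has the form 'expat_X.Y.Z'
    return check_toolchain(pyexpat.EXPAT_VERSION)


# Constructed sample: a few bytes standing in for a shared library that
# embeds the version literal; not a real binary.
SAMPLE_BLOB = b"\x7fELF\x00\x00...\x00expat_2.4.8\x00XML_ParserCreate\x00"


if __name__ == "__main__":
    for sample in ("expat_2.4.8", "expat_2.4.9", "2.5.0", "unknown"):
        print(sample, "->", check_toolchain(sample))
    embedded = find_embedded_version(SAMPLE_BLOB)
    print("embedded in sample blob:", embedded, affected_cves(embedded) if embedded else None)
    print("this interpreter:", local_python_expat())
```

Run it directly to see the per-version reports; point find_embedded_version() at the bytes of a tool chain's libexpat shared library to recover the version when no package manager metadata is available.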
CVE-2022-40674 (CWE-416, Use After Free): libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.
CVSS v3.1 base score: 8.1 (High)
Mitigation
We strongly recommend that customers ensure that only data from reliable sources is used. Affected customers should also check whether vulnerable libexpat library versions are used in their specific configuration tool chain.
For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update configuration tool chains to libexpat library version 2.4.9.
Upgrade to PROFINET SDK 6.7.
CVE-2022-43680 (CWE-416, Use After Free): In libexpat through 2.4.9, there is a use-after-free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.
CVSS v3.1 base score: 7.5 (High)
Mitigation
We strongly recommend that customers ensure that only data from reliable sources is used. Affected customers should also check whether vulnerable libexpat library versions are used in their specific configuration tool chain.
For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection
Vendor Fix
Update configuration tool chains to libexpat library version 2.4.9.
Upgrade to PROFINET SDK 6.7.
Acknowledgments
CERT@VDE
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "Two vulnerabilities have been discovered in the Expat XML parser library (aka libexpat). This open-source component is widely used in a lot of products worldwide. An attacker could cause a program to crash, use unexpected values or execute code by exploiting these use-after-free vulnerabilities.\nProfinet SDK is using XML parser library Expat as reference solution for loading the XML based Profinet network configuration files (IPPNIO or TIC).",
"title": "Summary"
},
{
"category": "description",
"text": "Availability, integrity, or confidentiality of a device using the PROFINET Controller Stack mightbe compromised by attacks exploit these vulnerabilities.\nDepending on the instantiation and timing of the defect, using previously freed memory might result in a variety of negative effects, from the corruption of valid data to the execution of arbitrary code. In the default installation a vulnerable libexpat is present, but it may have been replaced in the toolchain itself.",
"title": "Impact"
},
{
"category": "description",
"text": "We strongly recommend customers to ensure that only data from reliable sources is used. Affected customers should also check if vulnerable libexpat library versions are used in the specific configuration tool chain.\nFor detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"title": "Mitigation"
},
{
"category": "description",
"text": "Update configuration tool chains to libexpat library version 2.4.9.\nUpgrade to PROFINET SDK 6.7 .",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@phoenixcontact.com",
"name": "Phoenix Contact GmbH \u0026 Co. KG",
"namespace": "https://phoenixcontact.com/psirt"
},
"references": [
{
"category": "external",
"summary": "PHOENIX CONTACT PSIRT ",
"url": "https://phoenixcontact.com/psirt"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for PHOENIX CONTACT",
"url": "https://certvde.com/en/advisories/vendor/phoenixcontact/"
},
{
"category": "self",
"summary": "VDE-2022-058: PHOENIX CONTACT: Profinet SDK libexpat vulnerabilities - HTML",
"url": "https://certvde.com/en/advisories/VDE-2022-058/"
},
{
"category": "self",
"summary": "VDE-2022-058: PHOENIX CONTACT: Profinet SDK libexpat vulnerabilities - CSAF",
"url": "https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2022/vde-2022-058.json"
}
],
"title": "PHOENIX CONTACT: Profinet SDK libexpat vulnerabilities",
"tracking": {
"aliases": [
"VDE-2022-058"
],
"current_release_date": "2025-05-14T13:00:15.000Z",
"generator": {
"date": "2025-04-09T08:01:04.673Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.22"
}
},
"id": "VDE-2022-058",
"initial_release_date": "2022-12-13T07:00:00.000Z",
"revision_history": [
{
"date": "2022-12-13T07:00:00.000Z",
"number": "1",
"summary": "Initial revision."
},
{
"date": "2025-05-14T13:00:15.000Z",
"number": "2",
"summary": "Fix: added distribution"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=6.6",
"product": {
"name": "PROFINET SDK \u003c=6.6",
"product_id": "CSAFPID-51001",
"product_identification_helper": {
"model_numbers": [
"1175941"
]
}
}
},
{
"category": "product_version",
"name": "6.7",
"product": {
"name": "PROFINET SDK 6.7",
"product_id": "CSAFPID-52001",
"product_identification_helper": {
"model_numbers": [
"1175941"
]
}
}
}
],
"category": "product_name",
"name": "PROFINET SDK"
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "Phoenix Contact"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-40674",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-52001"
],
"known_affected": [
"CSAFPID-51001"
]
},
"remediations": [
{
"category": "mitigation",
"details": "We strongly recommend customers to ensure that only data from reliable sources is used. Affected customers should also check if vulnerable libexpat library versions are used in the specific configuration tool chain.\nFor detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"product_ids": [
"CSAFPID-51001"
]
},
{
"category": "vendor_fix",
"details": "Update configuration tool chains to libexpat library version 2.4.9.\nUpgrade to PROFINET SDK 6.7 .",
"product_ids": [
"CSAFPID-51001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 8.1,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 8.1,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-51001"
]
}
],
"title": "CVE-2022-40674"
},
{
"cve": "CVE-2022-43680",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-52001"
],
"known_affected": [
"CSAFPID-51001"
]
},
"remediations": [
{
"category": "mitigation",
"details": "We strongly recommend customers to ensure that only data from reliable sources is used. Affected customers should also check if vulnerable libexpat library versions are used in the specific configuration tool chain.\nFor detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection",
"product_ids": [
"CSAFPID-51001"
]
},
{
"category": "vendor_fix",
"details": "Update configuration tool chains to libexpat library version 2.4.9.\nUpgrade to PROFINET SDK 6.7 .",
"product_ids": [
"CSAFPID-51001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-51001"
]
}
],
"title": "CVE-2022-43680"
}
]
}