CVE-2019-9201
📋 TL;DR
CVE-2019-9201 is a critical authentication bypass vulnerability in Phoenix Contact industrial control devices that allows unauthenticated remote attackers to access TCP port 1962 and perform sensitive operations like creating backups, reading files, and modifying configurations. This affects Phoenix Contact ILC GSM/GPRS devices and potentially other industrial control systems, leaving over 1,200 ICS devices vulnerable to remote attacks.
💻 Affected Systems
- Phoenix Contact ILC GSM/GPRS devices
- Other Phoenix Contact industrial control devices
📦 What is this software?
Axc 1050 Firmware by Phoenixcontact
Ilc 131 Eth Firmware by Phoenixcontact
Ilc 131 Eth/xc Firmware by Phoenixcontact
Ilc 151 Eth Firmware by Phoenixcontact
Ilc 151 Eth/xc Firmware by Phoenixcontact
Ilc 171 Eth 2tx Firmware by Phoenixcontact
Ilc 191 Eth 2tx Firmware by Phoenixcontact
Ilc 191 Me/an Firmware by Phoenixcontact
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of industrial control systems allowing attackers to modify configurations, steal sensitive data, disrupt operations, or cause physical damage to industrial processes.
Likely Case
Unauthorized access to device configurations, backup theft, potential modification of device settings leading to operational disruption.
If Mitigated
Limited impact with proper network segmentation and access controls preventing external access to vulnerable devices.
🎯 Exploit Status
Exploitation requires only network access to port 1962. The Create Backup feature can be abused for directory traversal and file access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Vendor-specific firmware updates
Vendor Advisory: https://cert.vde.com/en/advisories/VDE-2019-015/
Restart Required: Yes
Instructions:
1. Contact Phoenix Contact for specific firmware updates for affected devices.
2. Apply firmware patches according to vendor instructions.
3. Restart devices after patching.
4. Verify patch effectiveness.
🔧 Temporary Workarounds
Network Access Control
Block external access to port 1962/TCP using firewalls:
iptables -A INPUT -p tcp --dport 1962 -j DROP
netsh advfirewall firewall add rule name="Block_Phoenix_Port_1962" dir=in action=block protocol=TCP localport=1962
Network Segmentation
Isolate vulnerable devices in separate network segments.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable devices from untrusted networks
- Deploy intrusion detection systems to monitor for unauthorized access attempts on port 1962
🔍 How to Verify
Check if Vulnerable:
Test whether port 1962/TCP is reachable and accepts connections. Use nmap: nmap -p 1962 <target_ip>
Check Version:
Check device firmware version through web interface or vendor-specific management tools
Verify Fix Applied:
Verify port 1962 is no longer accessible or requires authentication. Check firmware version against vendor patched versions.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to port 1962
- Backup creation events from unexpected sources
- File access patterns indicating directory traversal
Network Indicators:
- TCP connections to port 1962 from unauthorized sources
- Unusual traffic patterns to industrial control devices
SIEM Query:
(source_port=1962 OR dest_port=1962) AND (action=deny OR status=failure)
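The log and network indicators above can be checked offline with a small detection pass. The following is an added example, not part of the advisory or any vendor tooling; the key=value log format, the engineering subnet 10.10.5.0/24 and the sample events are all constructed assumptions. It flags two things the indicators list: denied probes against port 1962, and accepted connections to port 1962 from any source outside the trusted engineering subnet (the case that matters because the service itself requires no authentication).

```python
"""Toy detection pass for CVE-2019-9201 indicators over constructed firewall
log lines. The allowlisted engineering subnet and the log format are
assumptions made for this example, not values from the advisory."""
import ipaddress
import re
from collections import Counter

# Assumed: only the engineering workstation subnet may talk to the PLC port.
ENGINEERING_NET = ipaddress.ip_network("10.10.5.0/24")
PLC_PORT = 1962  # TCP port exposed by the vulnerable Phoenix Contact service

# Constructed log format (assumption): key=value pairs, one event per line.
LOG_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample events: two legitimate engineering sessions, one denied
# probe from an untrusted host, one accepted connection from outside the
# engineering subnet, and one unrelated HTTPS connection.
SAMPLE_LOGS = [
    "ts=2019-03-01T08:00:01Z src=10.10.5.12 dst=10.10.7.20 dport=1962 proto=tcp action=allow",
    "ts=2019-03-01T08:00:02Z src=10.10.5.12 dst=10.10.7.20 dport=1962 proto=tcp action=allow",
    "ts=2019-03-01T08:14:40Z src=203.0.113.9 dst=10.10.7.20 dport=1962 proto=tcp action=deny",
    "ts=2019-03-01T08:15:03Z src=192.168.99.4 dst=10.10.7.20 dport=1962 proto=tcp action=allow",
    "ts=2019-03-01T08:15:10Z src=10.10.5.12 dst=10.10.7.20 dport=443 proto=tcp action=allow",
]


def parse_event(line):
    """Turn one key=value log line into a dict; port fields become int."""
    event = dict(LOG_RE.findall(line))
    for key in ("dport", "sport"):
        if key in event:
            event[key] = int(event[key])
    return event


def classify(event):
    """Return an alert label for a PLC-port event, or None if it is benign."""
    if event.get("proto") != "tcp" or event.get("dport") != PLC_PORT:
        return None
    src = ipaddress.ip_address(event["src"])
    if event.get("action") == "deny":
        # A blocked attempt is still worth a ticket: someone is probing the port.
        return "denied_probe"
    if src not in ENGINEERING_NET:
        # Accepted connection from outside the engineering subnet: the service
        # requires no authentication, so treat this as a probable compromise.
        return "untrusted_access"
    return None


def scan_logs(lines):
    """Run classify() over every line; return (alerts, alert count per source)."""
    alerts = []
    per_source = Counter()
    for line in lines:
        event = parse_event(line)
        label = classify(event)
        if label:
            alerts.append((event["ts"], event["src"], label))
            per_source[event["src"]] += 1
    return alerts, per_source


if __name__ == "__main__":
    found, counts = scan_logs(SAMPLE_LOGS)
    for ts, src, label in found:
        print(f"{ts} {src} {label}")
    print("alerts per source:", dict(counts))
```

Run against the constructed sample, the pass reports the denied probe from 203.0.113.9 and the accepted connection from 192.168.99.4, and stays silent on the engineering subnet traffic and on port 443. In a real deployment the subnet allowlist should come from the segmentation design described under the workarounds, and the parser should match the firewall's actual export format.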
🔗 References
- https://cert.vde.com/en/advisories/VDE-2019-015/
- https://medium.com/%40SergiuSechel/misconfiguration-in-ilc-gsm-gprs-devices-leaves-over-1-200-ics-devices-vulnerable-to-attacks-over-82c2d4a91561