CVE-2021-33542 – This vulnerability allows remote code execution... (How to Fix)

Q: What is the severity of CVE-2021-33542?

CVE-2021-33542 has a CVSS score of 7.8 (HIGH). This vulnerability allows remote code execution on Phoenix Contact Classic Automation Worx Software Suite programming workstations. Attackers can manipulate bus configuration files (*.bcp) to trigger memory corruption when unallocated memory is freed. Only application programming workstations running affected software versions are vulnerable; automated systems in operation are not affected.

📋 TL;DR

This vulnerability allows remote code execution on Phoenix Contact Classic Automation Worx Software Suite programming workstations. Attackers can manipulate bus configuration files (*.bcp) to trigger memory corruption when unallocated memory is freed. Only application programming workstations running affected software versions are vulnerable; automated systems in operation are not affected.

💻 Affected Systems

Products:

Phoenix Contact Classic Automation Worx Software Suite

Versions: Version 1.87 and below

Operating Systems: Windows (based on typical industrial automation software deployment)

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects application programming workstations, not automated systems in operation. Requires access to original *.bcp files for manipulation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of programming workstation allowing attacker to execute arbitrary code, potentially gaining full control over the system, modifying PLC programs, or establishing persistence in industrial control environments.

🟠

Likely Case

Attacker with access to original configuration files could manipulate them to execute malicious code on programming workstations, potentially compromising project integrity or stealing intellectual property.

🟢

If Mitigated

With proper file integrity monitoring and access controls, exploitation would require bypassing multiple security layers, limiting impact to isolated incidents.

🌐 Internet-Facing: LOW - Exploitation requires access to original configuration files and ability to replace them on the target system, making direct internet exploitation unlikely.

🏢 Internal Only: MEDIUM - Internal attackers with access to configuration files and programming workstations could exploit this vulnerability to compromise critical engineering systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires: 1) Access to original *.bcp configuration files, 2) Ability to manipulate these files, 3) Ability to replace manipulated files on target programming workstation. This multi-step process increases complexity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version above 1.87

Vendor Advisory: https://cert.vde.com/en-us/advisories/vde-2021-020

Restart Required: Yes

Instructions:

1. Download latest version from Phoenix Contact support portal. 2. Backup existing projects and configurations. 3. Uninstall affected version. 4. Install patched version. 5. Restart system. 6. Verify installation and restore backups if needed.

🔧 Temporary Workarounds

Restrict access to configuration files

windows

Implement strict access controls on *.bcp files to prevent unauthorized modification or replacement.

Implement file integrity monitoring

all

Monitor *.bcp files for unauthorized changes using file integrity monitoring solutions.

🧯 If You Can't Patch

Isolate programming workstations on separate network segments with strict access controls
Implement application whitelisting to prevent execution of unauthorized code on affected systems

🔍 How to Verify

Check if Vulnerable:

Check software version in Help > About menu. If version is 1.87 or below, system is vulnerable.

Check Version:

Check via GUI: Help > About in PC Worx or Config+ software

Verify Fix Applied:

Verify installed version is above 1.87 in Help > About menu. Test with known safe *.bcp files to ensure proper functionality.

📡 Detection & Monitoring

Log Indicators:

Unexpected application crashes when loading *.bcp files
Unauthorized file modifications to *.bcp files
Unusual process execution from PC Worx/Config+ applications

Network Indicators:

Unusual file transfers involving *.bcp files
Network connections from programming workstations to unexpected destinations

SIEM Query:

source="windows-security" EventCode=4688 AND (NewProcessName="*PCWorx*" OR NewProcessName="*Config+*") AND ParentProcessName!="explorer.exe"

📊 Metadata

CVE ID: CVE-2021-33542

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-824

Published: June 25, 2021

Last Updated: November 21, 2024

🔗 References

https://cert.vde.com/en-us/advisories/vde-2021-020 Third Party Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-782/ Third Party Advisory,VDB Entry
https://cert.vde.com/en-us/advisories/vde-2021-020 Third Party Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-782/ Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-33542, you might also want to check these: