CVE-2023-3570

8.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers with low-privilege access to PHOENIX CONTACT WP 6xxx series web panels to escalate privileges to full device access via a specific HTTP DELETE request. Organizations using affected web panel versions are at risk of complete device compromise.

💻 Affected Systems

Products:
  • PHOENIX CONTACT WP 6xxx series web panels
Versions: prior to 4.0.10
Operating Systems: Embedded/Industrial OS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have some level of authenticated access (low privileges).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full device takeover allowing the attacker to modify configurations, disrupt operations, or use the device as a pivot point into industrial control networks.

🟠 Likely Case

Unauthorized administrative access leading to configuration changes, data theft, or operational disruption.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent low-privilege users from reaching the vulnerable endpoints.

🌐 Internet-Facing: HIGH - Web panels exposed to internet are directly exploitable by attackers with any level of access.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts can exploit this to gain full control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but uses simple HTTP DELETE request. Weaponization likely due to industrial control system impact.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.10

Vendor Advisory: https://cert.vde.com/en/advisories/VDE-2023-018/

Restart Required: Yes

Instructions:

1. Download firmware version 4.0.10 from the PHOENIX CONTACT portal.
2. Back up the current configuration.
3. Upload and install the new firmware via the web interface.
4. Verify the update succeeded and restore the configuration if needed.

🔧 Temporary Workarounds

Network Access Restriction

Applies to: all

Restrict access to the web panel management interface to trusted networks only.

HTTP DELETE Method Blocking

Applies to: all

Block HTTP DELETE requests at the network perimeter or web application firewall.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate web panels from untrusted networks.
  • Remove all non-essential user accounts and enforce strong authentication for remaining accounts.

🔍 How to Verify

Check if Vulnerable:

Check web panel firmware version via web interface or SSH. Versions below 4.0.10 are vulnerable.

Check Version:

Check via web interface: System > Information > Firmware Version

Verify Fix Applied:

Confirm firmware version is 4.0.10 or higher in system information.

📡 Detection & Monitoring

Log Indicators:

  • HTTP DELETE requests to web panel management endpoints from low-privilege accounts
  • Unusual privilege escalation events in system logs

Network Indicators:

  • HTTP DELETE requests to /api/ or similar management endpoints followed by administrative actions

SIEM Query:

source="web_panel_logs" AND method="DELETE" AND (uri="/api/*" OR uri="/admin/*") AND user_role="low_privilege"
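The following is an added example, not part of this advisory or any vendor tooling, that applies the log indicators above to constructed sample log lines: it flags HTTP DELETE requests to /api/* or /admin/* from low-privilege accounts and raises the severity when the same account performs an administrative action shortly afterwards. The log line format, usernames and exact paths under /api/ and /admin/ are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: ts user role method uri status).
# These are not real WP 6xxx logs; the field layout is an assumption.
SAMPLE_LOG = """\
2023-07-10T08:00:01Z alice low_privilege GET /status 200
2023-07-10T08:00:05Z alice low_privilege DELETE /api/users/session 200
2023-07-10T08:00:30Z alice admin POST /admin/config 200
2023-07-10T08:01:00Z bob admin DELETE /api/logs/old 200
2023-07-10T08:02:00Z carol low_privilege GET /admin/config 403
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
MGMT_PREFIXES = ("/api/", "/admin/")  # management endpoints named in the advisory


def parse_log(text):
    """Parse constructed log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, role, method, uri, status = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "role": role, "method": method,
                       "uri": uri, "status": int(status)})
    return events


def detect(events, window=timedelta(minutes=5)):
    """Alert on DELETE to a management endpoint by a low-privilege user.

    Severity becomes 'high' when the same user then acts with the admin role,
    or sends a mutating request to /admin/*, within `window` of the DELETE.
    """
    alerts = []
    for i, ev in enumerate(events):
        if ev["method"] != "DELETE" or ev["role"] != "low_privilege":
            continue
        if not ev["uri"].startswith(MGMT_PREFIXES):
            continue
        severity = "medium"
        for later in events[i + 1:]:
            if later["user"] != ev["user"] or later["ts"] - ev["ts"] > window:
                continue
            if later["role"] == "admin" or (
                    later["uri"].startswith("/admin/") and later["method"] != "GET"):
                severity = "high"
                break
        alerts.append({"user": ev["user"], "uri": ev["uri"],
                       "ts": ev["ts"], "severity": severity})
    return alerts
```

Running `detect(parse_log(SAMPLE_LOG))` yields one high-severity alert for the constructed "alice" sequence; the admin-only DELETE and the denied GET produce nothing.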
