{ "document": { "category": "csaf_security_advisory", "csaf_version": "2.0", "tracking": { "generator": { "date": "2025-04-09T08:01:04.673Z", "engine": { "version": "2.5.22", "name": "Secvisogram" } }, "current_release_date": "2025-05-14T13:00:15.000Z", "id": "VDE-2022-058", "initial_release_date": "2022-12-13T07:00:00.000Z", "version": "2", "status": "final", "revision_history": [ { "number": "1", "date": "2022-12-13T07:00:00.000Z", "summary": "Initial revision." }, { "number": "2", "summary": "Fix: added distribution", "date": "2025-05-14T13:00:15.000Z" } ], "aliases": [ "VDE-2022-058" ] }, "title": "PHOENIX CONTACT: Profinet SDK libexpat vulnerabilities", "lang": "en-GB", "acknowledgments": [ { "organization": "CERT@VDE", "summary": "coordination" } ], "notes": [ { "category": "summary", "text": "Two vulnerabilities have been discovered in the Expat XML parser library (aka libexpat). This open-source component is widely used in a lot of products worldwide. An attacker could cause a program to crash, use unexpected values or execute code by exploiting these use-after-free vulnerabilities.\nProfinet SDK is using XML parser library Expat as reference solution for loading the XML based Profinet network configuration files (IPPNIO or TIC).", "title": "Summary" }, { "category": "description", "text": "Availability, integrity, or confidentiality of a device using the PROFINET Controller Stack mightbe compromised by attacks exploit these vulnerabilities.\nDepending on the instantiation and timing of the defect, using previously freed memory might result in a variety of negative effects, from the corruption of valid data to the execution of arbitrary code. In the default installation a vulnerable libexpat is present, but it may have been replaced in the toolchain itself.", "title": "Impact" }, { "category": "description", "text": "We strongly recommend customers to ensure that only data from reliable sources is used. Affected customers should also check if vulnerable libexpat library versions are used in the specific configuration tool chain.\nFor detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection", "title": "Mitigation" }, { "category": "description", "text": "Update configuration tool chains to libexpat library version 2.4.9.\nUpgrade to PROFINET SDK 6.7 .", "title": "Remediation" } ], "publisher": { "contact_details": "psirt@phoenixcontact.com", "category": "vendor", "name": "Phoenix Contact GmbH & Co. KG", "namespace": "https://phoenixcontact.com/psirt" }, "references": [ { "summary": "PHOENIX CONTACT PSIRT ", "url": "https://phoenixcontact.com/psirt", "category": "external" }, { "summary": "CERT@VDE Security Advisories for PHOENIX CONTACT", "url": "https://certvde.com/en/advisories/vendor/phoenixcontact/", "category": "external" }, { "summary": "VDE-2022-058: PHOENIX CONTACT: Profinet SDK libexpat vulnerabilities - HTML", "url": "https://certvde.com/en/advisories/VDE-2022-058/", "category": "self" }, { "url": "https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2022/vde-2022-058.json", "summary": "VDE-2022-058: PHOENIX CONTACT: Profinet SDK libexpat vulnerabilities - CSAF", "category": "self" } ], "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } } }, "product_tree": { "branches": [ { "name": "Phoenix Contact", "category": "vendor", "branches": [ { "name": "Software", "category": "product_family", "branches": [ { "name": "PROFINET SDK", "category": "product_name", "branches": [ { "name": "<=6.6", "category": "product_version_range", "product": { "name": "PROFINET SDK <=6.6", "product_id": "CSAFPID-51001", "product_identification_helper": { "model_numbers": [ "1175941" ] } } }, { "name": "6.7", "category": "product_version", "product": { "name": "PROFINET SDK 6.7", "product_id": "CSAFPID-52001", "product_identification_helper": { "model_numbers": [ "1175941" ] } } } ] } ] } ] } ] }, "vulnerabilities": [ { "cve": "CVE-2022-40674", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "notes": [ { "category": "description", "text": "libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.", "title": "Vulnerability Description" } ], "product_status": { "fixed": [ "CSAFPID-52001" ], "known_affected": [ "CSAFPID-51001" ] }, "remediations": [ { "category": "mitigation", "details": "We strongly recommend customers to ensure that only data from reliable sources is used. Affected customers should also check if vulnerable libexpat library versions are used in the specific configuration tool chain.\nFor detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection", "product_ids": [ "CSAFPID-51001" ] }, { "category": "vendor_fix", "details": "Update configuration tool chains to libexpat library version 2.4.9.\nUpgrade to PROFINET SDK 6.7 .", "product_ids": [ "CSAFPID-51001" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "environmentalScore": 8.1, "environmentalSeverity": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 8.1, "temporalSeverity": "HIGH", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "CSAFPID-51001" ] } ], "title": "CVE-2022-40674" }, { "cve": "CVE-2022-43680", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "notes": [ { "category": "description", "text": "In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.", "title": "Vulnerability Description" } ], "product_status": { "fixed": [ "CSAFPID-52001" ], "known_affected": [ "CSAFPID-51001" ] }, "remediations": [ { "category": "mitigation", "details": "We strongly recommend customers to ensure that only data from reliable sources is used. Affected customers should also check if vulnerable libexpat library versions are used in the specific configuration tool chain.\nFor detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:\nMeasures to protect network-capable devices with Ethernet connection", "product_ids": [ "CSAFPID-51001" ] }, { "category": "vendor_fix", "details": "Update configuration tool chains to libexpat library version 2.4.9.\nUpgrade to PROFINET SDK 6.7 .", "product_ids": [ "CSAFPID-51001" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "environmentalScore": 7.5, "environmentalSeverity": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 7.5, "temporalSeverity": "HIGH", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "CSAFPID-51001" ] } ], "title": "CVE-2022-43680" } ] }