CVE-2017-16723 in FL Comserverinfo

Summary

by MITRE

A Cross-site Scripting issue was discovered in PHOENIX CONTACT FL COMSERVER BASIC 232/422/485, FL COMSERVER UNI 232/422/485, FL COMSERVER BAS 232/422/485-T, FL COMSERVER UNI 232/422/485-T, FL COM SERVER RS232, FL COM SERVER RS485, and PSI-MODEM/ETH (running firmware versions prior to 1.99, 2.20, or 2.40). The cross-site scripting vulnerability has been identified, which may allow remote code execution.

Analysis

by VulDB Data Team • 12/13/2019

The vulnerability identified in CVE-2017-16723 represents a critical cross-site scripting flaw affecting multiple PHOENIX CONTACT industrial communication server models including FL COMSERVER BASIC 232/422/485, FL COMSERVER UNI 232/422/485, FL COMSERVER BAS 232/422/485-T, FL COMSERVER UNI 232/422/485-T, FL COM SERVER RS232, FL COM SERVER RS485, and PSI-MODEM/ETH devices. This vulnerability exists in firmware versions prior to 1.99, 2.20, and 2.40 respectively, indicating a widespread issue across various industrial communication products that serve as critical network interfaces for industrial automation systems. The flaw manifests as an insufficient input validation mechanism that fails to properly sanitize user-supplied data before processing or displaying it within web-based administrative interfaces.

Technically, the vulnerability stems from inadequate sanitization of input parameters in the web server components of these industrial devices, which lets an attacker inject scripts into web pages viewed by other users. This XSS vulnerability operates at the application layer and specifically targets the web-based management interfaces of these communication servers, which are commonly accessed through web browsers for configuration and monitoring purposes. The flaw allows attackers to execute arbitrary code within the context of the victim's browser session, potentially enabling full compromise of the administrative interface and subsequent control over the industrial communication infrastructure. Under CWE-79, this vulnerability maps directly to the classic cross-site scripting weakness, where untrusted data is incorporated into web page content without adequate validation or output encoding.

The operational impact of this vulnerability extends beyond typical web application security concerns due to the industrial nature of these devices, which often serve as critical communication bridges between operational technology (OT) systems and enterprise networks. When exploited, this vulnerability could enable attackers to gain unauthorized administrative access to industrial communication servers, potentially allowing them to modify communication parameters, redirect data flows, or even disrupt critical industrial processes. The remote code execution capability presents a significant risk to industrial control systems where these devices may be deployed in critical infrastructure environments including manufacturing plants, power generation facilities, and other industrial settings where system integrity and availability are paramount. The vulnerability's presence in multiple product lines suggests that organizations may face widespread exposure across their industrial communication infrastructure, potentially affecting numerous interconnected systems.

Organizations should immediately implement firmware updates to versions 1.99, 2.20, or 2.40, depending on the specific device model, to remediate this vulnerability. Network segmentation should be implemented to isolate these industrial communication devices from general enterprise networks, reducing the attack surface for potential exploitation. Access controls should be strengthened by implementing multi-factor authentication for administrative interfaces and by regularly monitoring web server access logs for suspicious activity. In the ATT&CK framework, this vulnerability falls under T1190 - Exploit Public-Facing Application, and organizations should consider implementing network-based intrusion detection systems to monitor for exploitation attempts. Additionally, security awareness training for industrial control system operators should emphasize the importance of keeping firmware updated and recognizing potential indicators of compromise in industrial communication infrastructure.
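As an added example of the access-log monitoring recommended above (written for this page, not code from VulDB or from any PHOENIX CONTACT product), the following Python script scans Common Log Format lines for requests whose query parameters carry HTML markup or script-scheme values after URL decoding. The log lines, hosts, paths and the parameter name are constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Common Log Format: host ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3} \S+')

# Markup fragments that do not belong in a device configuration value (heuristic).
SUSPECT_RE = re.compile(
    r'<\s*/?\s*(script|img|svg|iframe|body|object)\b'  # tag injection
    r'|\bon[a-z]+\s*='                                 # inline event handler
    r'|javascript\s*:',                                # URL scheme abuse
    re.IGNORECASE,
)

def decode_value(value, rounds=2):
    """URL-decode repeatedly so double-encoded input is not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Names of query parameters whose decoded value looks like markup."""
    query = urlsplit(target).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if SUSPECT_RE.search(decode_value(value))]

def scan_log(lines):
    """Yield (client_ip, path, [param names]) for each suspicious request."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the scan
        params = suspicious_params(m['target'])
        if params:
            yield m['ip'], urlsplit(m['target']).path, params

# Constructed sample; hosts, paths and parameter names are invented.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2017:10:01:02 +0000] "GET /config.htm?name=Pump3 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Dec/2017:10:01:07 +0000] "GET /config.htm?name=%3Cscript%3E HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Dec/2017:10:01:09 +0000] "GET /config.htm?name=%253Cimg%2520onerror%3D1%253E HTTP/1.1" 200 512',
    'not a log line',
]

def scan_sample():
    """Run the scan over SAMPLE_LOG; returns the list of findings."""
    return list(scan_log(SAMPLE_LOG))
```

The patterns are a coarse heuristic for triage, not a complete XSS signature set; tune them and the decode depth to the parameters the device's interface actually accepts, and treat repeated hits from one client as the signal worth escalating.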

Reservation

11/09/2017

Disclosure

12/11/2017

Moderation

accepted

CPE

ready

EPSS

0.00418

KEV

no

Activities

very low