OTPulse

PHOENIX CONTACT mGuard

Act Now · CVSS 9.8 · ICS-CERT ICSA-17-017-01 · Jan 17, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A remote code execution vulnerability exists in Phoenix Contact mGuard security appliances running firmware version 8.4.0 and later. An unauthenticated attacker can send a crafted network request to trigger arbitrary code execution on the device, compromising the security gateway protecting downstream OT systems. Phoenix Contact has indicated no fix will be provided for this vulnerability.

What this means
What could happen
An unauthenticated attacker on the network can remotely execute arbitrary code on the mGuard security appliance, potentially allowing them to bypass all network security controls and access protected OT systems behind the device.
Who's at risk
Water and electric utilities using Phoenix Contact mGuard security appliances (firmware 8.4.0 or later) as network gateways or firewalls protecting PLCs, RTUs, HMIs, and SCADA systems. This affects any facility relying on mGuard for network segmentation between corporate IT and operational control systems.
How it could be exploited
An attacker sends a specially crafted request over the network to an exposed mGuard device (port 80/443). Because no authentication is required and the vulnerability complexity is low, the attacker can trigger code execution on the appliance without credentials. Once compromised, the attacker gains control of the security gateway protecting your PLCs and SCADA systems.
Prerequisites
  • Network access to the mGuard device (typically port 80 or 443)
  • mGuard firmware version 8.4.0 or later installed
  • No authentication required
Tags: remotely exploitable · no authentication required · low complexity · high CVSS score (9.8) · no patch available · actively used in OT network security
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (1)
Product | Affected Versions | Fix Status
mGuard | Only devices that have been updated to 8.4.0 | No fix (EOL)
Remediation & Mitigation
Do now
[HARDENING] Restrict network access to mGuard management interfaces using firewall rules; only allow connections from authorized engineering workstations and monitoring systems.
[HARDENING] Monitor mGuard logs and network traffic for signs of unauthorized access or exploitation attempts.
[WORKAROUND] Contact Phoenix Contact for security guidance; the vendor has no fix planned for firmware version 8.4.0.
Mitigations - no patch available
mGuard (only devices that have been updated to 8.4.0) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
[HARDENING] Segment the mGuard device behind an additional firewall or DMZ to limit lateral movement if the device is compromised.