PHOENIX CONTACT, Innominate Security Technologies mGuard Firmware

Plan Patch | CVSS 7.5 | ICS-CERT ICSA-17-250-02 | Mar 7, 2017
Phoenix Contact
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A null pointer dereference vulnerability in Phoenix Contact mGuard firmware versions 8.0.0 through 8.5.1 allows an unauthenticated remote attacker to cause a denial of service by sending a crafted network packet. The affected mGuard devices are network security appliances (firewalls and VPN gateways) deployed in industrial control system environments to protect communications and remote access. When the device crashes, it loses all filtering and encryption functions, disrupting industrial traffic and cutting off remote supervisory access until manual restart. No firmware patch is available; the vulnerability affects 24 product variants across the TC, FL, and DIN-rail mGuard lines.

What this means
What could happen
An attacker can remotely crash these network security devices, causing loss of industrial communication or VPN connectivity and disrupting supervised operations until the device is manually restarted.
Who's at risk
Water authorities and utilities operating Phoenix Contact mGuard industrial firewalls and VPN gateways in their OT networks. These devices are often deployed at the edge of ICS networks to filter traffic between engineering workstations, control systems, and remote access connections. Affected product lines include RS series (RS2000, RS4000, RS4004, RS), FL series (FL-based variants with PCI4000, DELTA, SMART2, and GT models), and TC series devices with 3G/4G cellular VPN capabilities.
How it could be exploited
An attacker can send a crafted network packet to a vulnerable mGuard device from the internet, triggering a null pointer dereference that crashes the firmware and causes immediate denial of service.
Prerequisites
  • Network access to the mGuard device on its management or monitored network interface
  • No authentication required
  • Ability to craft and send network packets to the device
remotely exploitable, no authentication required, low complexity, no patch available, affects network segmentation controls
Exploitability
Some exploitation risk — EPSS score 1.0%
Affected products (48)
24 with fix, 24 EOL
Product | Affected Versions | Fix Status
Hardware mGuard FL MGUARD CENTERPORT | 8.0.0 ≤ 8.5.1 | 8.5.2
Hardware mGuard FL MGUARD DELTA TX/TX | 8.0.0 ≤ 8.5.1 | 8.5.2
Hardware mGuard FL MGUARD DELTA TX/TX VPN | 8.0.0 ≤ 8.5.1 | 8.5.2
Hardware mGuard FL MGUARD GT/GT | 8.0.0 ≤ 8.5.1 | 8.5.2
Hardware mGuard FL MGUARD GT/GT VPN | 8.0.0 ≤ 8.5.1 | 8.5.2
Remediation & Mitigation
Do now
HOTFIX: Do not run firmware versions 8.0.0 through 8.5.1 on any mGuard device if a newer stable version outside this range is available from Phoenix Contact; contact vendor for long-term update path
WORKAROUND: Restrict network access to mGuard management interfaces using firewall rules; only permit connections from authorized engineering workstations and monitoring systems
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Place mGuard devices on a dedicated industrial network segment isolated from the internet and untrusted networks
HARDENING: Monitor mGuard device uptime and set up alerts for unexpected restarts that may indicate active exploitation
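
The uptime check from the hardening item above, as an added example (not part of the advisory and not vendor tooling): it flags a restart whenever a polled uptime counter falls behind where continuous operation would put it, tolerates a counter wrap, and suppresses restarts inside planned maintenance windows. Assumptions: an existing poller already collects uptime as a 32-bit counter in hundredths of a second; the device names, timestamps and window are constructed sample data.

```python
from dataclasses import dataclass

TICKS_PER_SEC = 100        # assumed counter unit: hundredths of a second
WRAP = 2 ** 32             # a 32-bit tick counter wraps after about 497 days
TOLERANCE = 30 * TICKS_PER_SEC   # accepted poll jitter, in ticks

@dataclass
class Sample:
    device: str            # hypothetical inventory name
    polled_at: int         # poll time, Unix seconds
    uptime_ticks: int      # uptime counter value the device reported

def find_unexpected_restarts(samples, maintenance_windows=()):
    """Alert on restarts whose boot time falls outside every (start, end) window."""
    alerts, last = [], {}
    for s in sorted(samples, key=lambda x: (x.device, x.polled_at)):
        prev, last[s.device] = last.get(s.device), s
        if prev is None:
            continue
        # Where the counter should be if the device ran without interruption.
        elapsed_ticks = (s.polled_at - prev.polled_at) * TICKS_PER_SEC
        expected = (prev.uptime_ticks + elapsed_ticks) % WRAP
        gap = (s.uptime_ticks - expected) % WRAP
        if min(gap, WRAP - gap) <= TOLERANCE:
            continue       # continuous operation, including a clean counter wrap
        booted_at = s.polled_at - s.uptime_ticks // TICKS_PER_SEC
        if any(start <= booted_at <= end for start, end in maintenance_windows):
            continue       # restart inside a planned maintenance window
        alerts.append({"device": s.device, "booted_at": booted_at,
                       "detected_at": s.polled_at})
    return alerts

T0 = 1_700_000_000  # constructed sample data, not taken from a real device
CONSTRUCTED_SAMPLES = [
    Sample("mguard-edge-01", T0, 8_640_000),
    Sample("mguard-edge-01", T0 + 300, 8_670_000),
    Sample("mguard-edge-01", T0 + 600, 12_000),      # restarted 120 s before this poll
    Sample("mguard-edge-02", T0, WRAP - 10_000),
    Sample("mguard-edge-02", T0 + 300, 20_000),      # counter wrapped, no restart
    Sample("mguard-edge-03", T0, 500_000),
    Sample("mguard-edge-03", T0 + 300, 6_000),       # rebooted during planned patching
]
PLANNED_WINDOWS = [(T0 + 200, T0 + 300)]

if __name__ == "__main__":
    for alert in find_unexpected_restarts(CONSTRUCTED_SAMPLES, PLANNED_WINDOWS):
        print("unexpected restart:", alert)
```

Comparing against the expected counter value, rather than only checking whether uptime went down, also catches a restart that happened early in a long polling gap.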
Long-term hardening
HOTFIX: Contact Phoenix Contact to inquire about firmware versions outside the 8.0.0–8.5.1 range that may be available or planned as long-term remediation