OTPulse

PHOENIX CONTACT, Innominate Security Technologies mGuard Firmware

Monitor · CVSS 7.5 · ICS-CERT ICSA-17-250-02 · Sep 7, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A null pointer dereference vulnerability in Phoenix Contact mGuard firmware versions 8.0.0 through 8.5.1 allows an unauthenticated remote attacker to cause a denial of service by sending a crafted network packet. The affected mGuard devices are network security appliances (firewalls and VPN gateways) deployed in industrial control system environments to protect communications and remote access. When the device crashes, it loses all filtering and encryption functions, disrupting industrial traffic and cutting off remote supervisory access until manual restart. No firmware patch is available; the vulnerability affects 24 product variants across the TC, FL, and DIN-rail mGuard lines.

What this means
What could happen
An attacker can remotely crash these network security devices, causing loss of industrial communication or VPN connectivity and disrupting supervised operations until the device is manually restarted.
Who's at risk
Water authorities and utilities operating Phoenix Contact mGuard industrial firewalls and VPN gateways in their OT networks. These devices are often deployed at the edge of ICS networks to filter traffic between engineering workstations, control systems, and remote access connections. Affected product lines include RS series (RS2000, RS4000, RS4004, RS), FL series (FL-based variants with PCI4000, DELTA, SMART2, and GT models), and TC series devices with 3G/4G cellular VPN capabilities.
How it could be exploited
An attacker can send a crafted network packet to a vulnerable mGuard device from the internet, triggering a null pointer dereference that crashes the firmware and causes immediate denial of service.
Prerequisites
  • Network access to the mGuard device on its management or monitored network interface
  • No authentication required
  • Ability to craft and send network packets to the device
remotely exploitable · no authentication required · low complexity · no patch available · affects network segmentation controls
Exploitability
Moderate exploit probability (EPSS 1.0%)
Affected products (24)
24 EOL
Product                              Affected Versions      Fix Status
TC MGUARD RS2000 3G VPN: firmware    ≥ 8.0.0 | ≤ 8.5.1      No fix (EOL)
TC MGUARD RS4000 3G VPN: firmware    ≥ 8.0.0 | ≤ 8.5.1      No fix (EOL)
FL MGUARD PCI4000: firmware          ≥ 8.0.0 | ≤ 8.5.1      No fix (EOL)
FL MGUARD PCI4000 VPN: firmware      ≥ 8.0.0 | ≤ 8.5.1      No fix (EOL)
FL MGUARD RS2005 TX VPN: firmware    ≥ 8.0.0 | ≤ 8.5.1      No fix (EOL)
Remediation & Mitigation
Do now
  • HOTFIX: Do not run firmware versions 8.0.0 through 8.5.1 on any mGuard device if a newer stable version outside this range is available from Phoenix Contact; contact vendor for long-term update path
  • WORKAROUND: Restrict network access to mGuard management interfaces using firewall rules; only permit connections from authorized engineering workstations and monitoring systems
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Place mGuard devices on a dedicated industrial network segment isolated from the internet and untrusted networks
  • HARDENING: Monitor mGuard device uptime and set up alerts for unexpected restarts that may indicate active exploitation
Long-term hardening
  • HOTFIX: Contact Phoenix Contact to inquire about firmware versions outside the 8.0.0–8.5.1 range that may be available or planned as long-term remediation
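One way to implement the uptime-monitoring hardening item above, added here as an example and not taken from the advisory or from Phoenix Contact. It assumes the device's uptime is polled as an SNMP sysUpTime-style 32-bit counter in 1/100 s ticks; the function name, tolerance, and sample readings are constructed for illustration.

```python
from datetime import datetime, timedelta

WRAP = 2**32         # sysUpTime is a 32-bit TimeTicks counter (wraps after ~497 days)
HZ = 100             # ticks per second
TOLERANCE = 30 * HZ  # allowed poll jitter in ticks (assumed value)

def find_restarts(samples, maintenance=()):
    """Return restart events from time-ordered (poll_time, uptime_ticks) pairs.

    maintenance is an iterable of (start, end) datetimes for planned reboots.
    """
    events = []
    for (t0, u0), (t1, u1) in zip(samples, samples[1:]):
        elapsed = int((t1 - t0).total_seconds() * HZ)
        predicted = (u0 + elapsed) % WRAP  # modulo covers counter wrap-around
        if abs(u1 - predicted) <= TOLERANCE:
            continue  # uptime advanced with the wall clock: no restart
        if u1 > elapsed + TOLERANCE:
            continue  # uptime longer than the interval: inconsistent sample, skip
        boot = t1 - timedelta(seconds=u1 / HZ)
        planned = any(start <= boot <= end for start, end in maintenance)
        events.append({"boot_time": boot, "planned": planned})
    return events

# Constructed poll data for one device, 10-minute interval.
T0 = datetime(2024, 1, 1)
SAMPLES = [
    (T0 + timedelta(minutes=0), 4294900000),   # close to the 2**32 wrap
    (T0 + timedelta(minutes=10), 4294960000),
    (T0 + timedelta(minutes=20), 52704),       # counter wrapped, device stayed up
    (T0 + timedelta(minutes=30), 112704),
    (T0 + timedelta(minutes=40), 12000),       # only 120 s of uptime: restart
    (T0 + timedelta(minutes=50), 72000),
]

if __name__ == "__main__":
    for event in find_restarts(SAMPLES):
        kind = "planned" if event["planned"] else "UNEXPECTED"
        print(f"{kind} restart, device booted at {event['boot_time']}")
```

Comparing each reading against the previous one plus elapsed wall-clock time, rather than only checking for a decrease, avoids a false alert when the counter wraps and still catches a restart that falls between missed polls.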