OTPulse

PHOENIX CONTACT FL SWITCH

Act NowCVSS 9.8ICS-CERT ICSA-19-024-02Jan 24, 2019
Phoenix Contact
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

The FL SWITCH 3xxx, 4xxx, and 48xx series contains multiple vulnerabilities in authentication, credential handling, and transport security. Attackers can read user credentials stored on the device (CWE-307), intercept unencrypted management traffic (CWE-319), bypass authorization checks (CWE-352), exploit weak input validation (CWE-119), or trigger denial of service (CWE-400). These vulnerabilities allow unauthenticated remote attackers with network access to compromise the confidentiality and integrity of the switch and potentially gain access to control system credentials or perform man-in-the-middle attacks on management traffic.

What this means
What could happen
An attacker could compromise the FL SWITCH integrity and confidentiality, potentially reading network credentials, intercepting traffic between the switch and management systems, or denying access to critical network infrastructure that connects your PLCs and RTUs to the control network.
Who's at risk
Water authorities and municipal utilities that use Phoenix Contact FL SWITCH 3xxx, 4xxx, or 48xx series managed switches to connect PLCs, RTUs, and field devices to the control network. This affects any facility relying on these switches for network segmentation or VLAN management in the control system.
How it could be exploited
An attacker on the network or with network access to the switch can exploit multiple authentication and transport layer weaknesses to read stored credentials (CWE-307), intercept unencrypted traffic (CWE-319), or craft requests that bypass authorization checks (CWE-352). The CVSS vector indicates no user interaction is required and the attack is low complexity.
Prerequisites
  • Network access to the FL SWITCH management interface (HTTP port 80)
  • No valid credentials required (unauthenticated attack possible)
  • Switch running firmware version 1.35 or earlier
remotely exploitableno authentication requiredlow complexityhigh EPSS score (36.9%)affects network infrastructure that protects safety systemsmultiple attack vectors (credential theft, traffic interception, denial of service)
Exploitability
Likely to be exploited — EPSS score 42.9%
Public Proof-of-Concept (PoC) on GitHub (5 repositories)
Affected products (3)
3 with fix
ProductAffected VersionsFix Status
FL SWITCH 3xxx 4xxx and 48xx:< 1.351.35 or higher
AXC F 2152<2.02019.0 LTS
AXC F 2152 (Starterkit)<2.02019.0 LTS
Remediation & Mitigation
0/4
Do now
0/2
HARDENINGEnable HTTP security on all managed FL SWITCH devices
HARDENINGIsolate FL SWITCH management network behind a firewall and restrict access from the business network
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate FL SWITCH firmware to version 1.35 or higher from the Phoenix Contact website
HARDENINGIf remote management is required, use a VPN to Phoenix Contact support and verify current VPN software versions
View full CISA ICS-CERT advisory
API: /api/v1/advisories/9e3fa685-13d9-44b8-846e-257b540743a9

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.