OTPulse

PHOENIX CONTACT FL SWITCH

Act Now | 8.8 | ICS-CERT ICSA-19-024-02 | Jan 24, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

The FL SWITCH 3xxx, 4xxx, and 48xx series contains multiple vulnerabilities in authentication, credential handling, and transport security. Attackers can read user credentials stored on the device (CWE-307), intercept unencrypted management traffic (CWE-319), bypass authorization checks (CWE-352), exploit weak input validation (CWE-119), or trigger denial of service (CWE-400). These vulnerabilities allow unauthenticated remote attackers with network access to compromise the confidentiality and integrity of the switch and potentially gain access to control system credentials or perform man-in-the-middle attacks on management traffic.

What this means
What could happen
An attacker could compromise the FL SWITCH integrity and confidentiality, potentially reading network credentials, intercepting traffic between the switch and management systems, or denying access to critical network infrastructure that connects your PLCs and RTUs to the control network.
Who's at risk
Water authorities and municipal utilities that use Phoenix Contact FL SWITCH 3xxx, 4xxx, or 48xx series managed switches to connect PLCs, RTUs, and field devices to the control network. This affects any facility relying on these switches for network segmentation or VLAN management in the control system.
How it could be exploited
An attacker on the network or with network access to the switch can exploit multiple authentication and transport layer weaknesses to read stored credentials (CWE-307), intercept unencrypted traffic (CWE-319), or craft requests that bypass authorization checks (CWE-352). The CVSS vector indicates no user interaction is required and the attack is low complexity.
Prerequisites
  • Network access to the FL SWITCH management interface (HTTP port 80)
  • No valid credentials required (unauthenticated attack possible)
  • Switch running firmware version 1.35 or earlier
  • remotely exploitable
  • no authentication required
  • low complexity
  • high EPSS score (36.9%)
  • affects network infrastructure that protects safety systems
  • multiple attack vectors (credential theft, traffic interception, denial of service)
Exploitability
High exploit probability (EPSS 36.9%)
Affected products (1)
Product | Affected Versions | Fix Status
FL SWITCH 3xxx 4xxx and 48xx | < 1.35 | 1.35 or higher
Remediation & Mitigation
Do now
HARDENING: Enable HTTP security on all managed FL SWITCH devices
HARDENING: Isolate FL SWITCH management network behind a firewall and restrict access from the business network
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update FL SWITCH firmware to version 1.35 or higher from the Phoenix Contact website
HARDENING: If remote management is required, use a VPN to Phoenix Contact support and verify current VPN software versions
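
The following Python check is an added example, not part of the advisory or any Phoenix Contact tool. It applies the affected-products table (firmware < 1.35) and the isolation step (HTTP port 80 reachable only from the management network) to an asset inventory and flow records; the field names, model strings, addresses and management subnet are constructed assumptions.

```python
import ipaddress
import re

FIXED = (1, 35)  # advisory fix status: firmware 1.35 or higher
# Series named in the advisory: FL SWITCH 3xxx, 4xxx and 48xx
SERIES = re.compile(r"FL SWITCH\s+(3\d{3}|4\d{3}|48\d{2})", re.I)

def parse_version(text):
    """Turn '1.34' into (1, 34) so versions compare as dotted numbers (assumed format)."""
    return tuple(int(part) for part in text.strip().split("."))

def audit(inventory, flows, mgmt_net):
    """Return {switch_ip: [findings]} for switches in the affected series."""
    mgmt = ipaddress.ip_network(mgmt_net)
    findings = {}
    for dev in inventory:
        if not SERIES.search(dev["model"]):
            continue  # outside the series this advisory covers
        issues = []
        if parse_version(dev["firmware"]) < FIXED:
            issues.append("firmware %s < 1.35" % dev["firmware"])
        # Sources outside the management subnet that reached HTTP port 80
        outside = sorted({f["src"] for f in flows
                          if f["dst"] == dev["ip"] and f["dport"] == 80
                          and ipaddress.ip_address(f["src"]) not in mgmt})
        if outside:
            issues.append("HTTP/80 reached from outside %s: %s"
                          % (mgmt_net, ", ".join(outside)))
        if issues:
            findings[dev["ip"]] = issues
    return findings

# Constructed sample data (hypothetical inventory export and flow records)
MGMT_NET = "10.10.99.0/24"
INVENTORY = [
    {"ip": "10.10.1.11", "model": "FL SWITCH 3008", "firmware": "1.33"},
    {"ip": "10.10.1.12", "model": "FL SWITCH 4824E", "firmware": "1.35"},
    {"ip": "10.10.1.13", "model": "FL SWITCH 4008", "firmware": "1.20"},
    {"ip": "10.10.1.14", "model": "FL SWITCH 2208", "firmware": "1.10"},
]
FLOWS = [
    {"src": "10.10.99.5", "dst": "10.10.1.11", "dport": 80},
    {"src": "10.20.5.40", "dst": "10.10.1.11", "dport": 80},
    {"src": "10.10.99.5", "dst": "10.10.1.12", "dport": 80},
]

if __name__ == "__main__":
    for ip, issues in audit(INVENTORY, FLOWS, MGMT_NET).items():
        print(ip, "->", "; ".join(issues))
```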