PHOENIX CONTACT: improper access control exists on FL NAT devices when using MAC-based port security

Score: 8.2
Advisory ID: VDE-2019-020
Published: Oct 29, 2019
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

FL NAT 2xxx routers configured with MAC-based or 802.1x port security contain an improper access control flaw. When the device operates as a router between subnets, port security controls are bypassed for routed traffic, allowing unauthorized devices to gain access to systems in protected subnets. The vulnerability exists in firmware versions before 2.90 for FL NAT 2208 and FL NAT 2304-2GC-2SFP devices.

What this means
What could happen
An unauthorized device can bypass MAC-based port security on FL NAT routers and gain access to devices in adjacent network subnets, potentially allowing an attacker on one segment to reach and compromise systems on another segment.
Who's at risk
Water utilities and electric utilities using Phoenix Contact FL NAT 2208 or FL NAT 2304-2GC-2SFP routers to segment control networks, SCADA systems, or safety device networks from operational technology subnets. Any organization relying on port-level MAC or 802.1x security to isolate critical infrastructure segments through these devices.
How it could be exploited
An attacker with physical or network access to one subnet port on an FL NAT 2xxx device configured with MAC or 802.1x port security can send traffic that appears to originate from an authorized device. The router will route this traffic to the other subnet, bypassing port security controls, allowing the attacker to reach and interact with devices on the protected subnet.
Prerequisites
  • FL NAT 2xxx device must be configured as a router between two subnets
  • MAC-based port security or 802.1x port security must be enabled on at least one port
  • Attacker must have physical or network access to a port in one of the connected subnets
Tags:
  • affects network segmentation controls
  • low complexity bypass
  • allows cross-subnet access
  • commonly used in industrial networks for subnet separation

Affected products (2), 2 with fix

Product                Affected Versions   Fix Status
FL NAT 2208            <2.90               2.90
FL NAT 2304-2GC-2SFP   <2.90               2.90
Remediation & Mitigation
Do now
HARDENING: Do not rely solely on MAC-based or 802.1x port security on FL NAT devices for network segmentation; implement additional network-layer access controls such as VLAN access control lists (VACLs) or firewall rules to restrict traffic between subnets.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

FL NAT 2208
HOTFIX: Update FL NAT 2208 and FL NAT 2304-2GC-2SFP devices to firmware version 2.90 or later.
Long-term hardening
HARDENING: Restrict network access between subnets at the routing level using firewall rules or access lists to enforce subnet isolation independently of port security.