PHOENIX CONTACT: Advisory for multiple FL Switch GHS utilising VxWorks

Priority: Act Now | CVSS: 9.8 | Advisory ID: VDE-2020-002 | Published: Feb 25, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Wind River VxWorks TCP/IP stack used in Phoenix Contact FL Switch GHS devices contains two critical vulnerabilities: a buffer overflow (CVE-2019-12255) and a TCP session manipulation flaw (CVE-2019-12258). CVE-2019-12255 is triggered by TCP packets with the urgent flag set and an urgent pointer value of 0, which causes an integer underflow and a buffer overflow; it affects any device using TCP, regardless of configuration or network role. CVE-2019-12258 allows an attacker who can determine a session's source and destination ports and IP addresses to reset that established TCP session by injecting invalid TCP segments. Exploitation does not require the attacker to be directly connected to the device: they can act as a man-in-the-middle or induce the device to connect to a malicious host.

What this means
What could happen
An attacker on the network can send specially crafted TCP packets to crash or cause unpredictable behavior in FL Switch GHS devices by exploiting buffer overflow and TCP session manipulation vulnerabilities in the VxWorks operating system. This could disrupt network connectivity and control of critical switching infrastructure.
Who's at risk
Water utilities and electric utilities operating Phoenix Contact FL Switch GHS network switches (12G/8, 12G/8-L3, 4G/12, 4G/12-L3 models at firmware version 3.3.0 or earlier) for critical network switching and VLAN management. Any organization using these switches as backbone or access network infrastructure is at risk.
How it could be exploited
An attacker sends TCP packets with the urgent flag set (and urgent pointer value of 0) to any FL Switch GHS device that communicates over TCP, triggering a buffer overflow in the VxWorks TCP/IP stack. The attacker does not need to be directly connected to the device—they can poison traffic between the switch and other network hosts as a man-in-the-middle, or trick the switch into connecting to a malicious server. No authentication or special configuration is required.
Prerequisites
  • Network access to the FL Switch GHS device (direct, routed, or as man-in-the-middle)
  • The device must be using TCP/IP (standard for all network switches)
Tags: remotely exploitable; no authentication required; low complexity; no patch available; high CVSS score (9.8)
Affected products (4), all End of Life (EOL)

Product                  Affected Versions   Fix Status
FL Switch GHS 12G/8      ≤ 3.3.0             No fix (EOL)
FL Switch GHS 4G/12      ≤ 3.3.0             No fix (EOL)
FL Switch GHS 4G/12-L3   ≤ 3.3.0             No fix (EOL)
FL Switch GHS 12G/8-L3   ≤ 3.3.0             No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Deploy a firewall between the FL Switch GHS device and the rest of the network, configured to drop TCP packets with the urgent flag set or to terminate the corresponding TCP connection.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Monitor Phoenix Contact for firmware updates to FL Switch GHS devices; no fix is currently available, but monitor for a future release.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: FL Switch GHS 12G/8, FL Switch GHS 4G/12, FL Switch GHS 4G/12-L3, FL Switch GHS 12G/8-L3. Apply the following compensating controls:
HARDENING: Restrict network access to FL Switch GHS devices by implementing network segmentation; only allow traffic from authorized management and process control stations.
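The firewall workaround above (drop TCP segments with the urgent flag set) expressed as the packet-inspection check a filter or IDS rule would apply, with a stricter match for the exact condition the advisory names (URG set, urgent pointer 0). This is an added example, not code from the advisory, Phoenix Contact or Wind River; it assumes raw IPv4/TCP packet bytes and constructs its own sample headers (addresses from the 192.0.2.0/24 documentation range).

```python
import struct
from dataclasses import dataclass
TCP_URG = 0x20  # URG bit in the TCP flags field

@dataclass
class TcpInfo:
    src_port: int
    dst_port: int
    flags: int
    urg_pointer: int

def parse_ipv4_tcp(packet: bytes):
    """Parse an IPv4/TCP packet; return TcpInfo, or None if it is not IPv4 over TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:   # protocol 6 = TCP
        return None
    src, dst, _seq, _ack, off_flags, _win, _csum, urgp = struct.unpack(
        "!HHIIHHHH", packet[ihl:ihl + 20])
    return TcpInfo(src, dst, off_flags & 0x01FF, urgp)

def is_urg_zero_pointer(packet: bytes) -> bool:
    """Trigger condition named in the advisory: URG flag set with urgent pointer 0."""
    info = parse_ipv4_tcp(packet)
    return info is not None and bool(info.flags & TCP_URG) and info.urg_pointer == 0

def filter_decision(packet: bytes, drop_any_urg: bool = True) -> str:
    """Workaround policy: drop TCP segments with URG set (or only the urgent-pointer-0
    case when drop_any_urg is False). Non-TCP and non-IPv4 traffic passes."""
    info = parse_ipv4_tcp(packet)
    if info and info.flags & TCP_URG and (drop_any_urg or info.urg_pointer == 0):
        return "drop"
    return "pass"

def make_sample(flags: int, urg_pointer: int) -> bytes:
    """Constructed test packet: minimal IPv4 header (protocol 6) plus a 20-byte TCP
    header; checksums are left zero because only header fields are inspected."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1, 1, (5 << 12) | flags,
                      8192, 0, urg_pointer)
    return ip + tcp

if __name__ == "__main__":
    for name, pkt in [("URG, pointer 0", make_sample(0x30, 0)),
                      ("URG, pointer 5", make_sample(0x30, 5)),
                      ("ACK only", make_sample(0x10, 0))]:
        print(f"{name:15} -> {filter_decision(pkt)}")
```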