PHOENIX CONTACT: FL MGUARD, TC MGUARD, TC ROUTER and TC CLOUD CLIENT: PPPD vulnerable to CVE-2020-8597

Priority: Act Now
CVSS score: 9.8
Advisory ID: VDE-2020-018
Published: Jun 2, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

FL MGUARD, TC MGUARD, TC ROUTER, and TC CLOUD CLIENT devices are affected by a buffer overflow vulnerability (CVE-2020-8597) in the PPP (Point-to-Point Protocol) service. The vulnerability allows malicious PPP peers to send specially crafted packets that trigger a buffer overflow, potentially leading to arbitrary code execution. The PPP service is disabled by default on most FL MGUARD models but is active by default on TC ROUTER and TC CLOUD CLIENT devices. It also activates automatically on FL MGUARD and TC MGUARD devices when configured for mobile data connections, router modem mode, router PPPoE mode, or L2TP over IPsec tunneling. All affected product variants running firmware versions below the minimum patched versions are vulnerable.

What this means
What could happen
A remote attacker could exploit a buffer overflow in the PPP service to gain control of Phoenix Contact industrial routers and gateways, potentially disrupting network communications between control systems and remote sites or allowing unauthorized access to the industrial network.
Who's at risk
Water utilities and electric utilities using Phoenix Contact FL MGUARD industrial routers and gateways for secure remote access, VPN termination, or mobile data connections. TC ROUTER and TC CLOUD CLIENT devices used for remote management of distributed control systems are particularly at risk because PPP is active by default. This affects any facility relying on these devices for connectivity between SCADA systems, RTUs, and remote engineering workstations.
How it could be exploited
An attacker positioned on the PPP network path (or operating a malicious PPP peer) sends specially crafted PPP packets that trigger a buffer overflow in the PPPD service. This allows execution of arbitrary code on the router or gateway with full system privileges, without requiring any authentication.
Prerequisites
  • PPP service must be active (enabled by default in TC ROUTER and TC CLOUD CLIENT; enabled in FL MGUARD/TC MGUARD only in mobile data, router modem mode, router PPPoE mode, or L2TP over IPsec configurations)
  • Network connectivity to the device on the PPP interface or connection path
Risk factors
  • remotely exploitable
  • no authentication required
  • low complexity
  • high CVSS score (9.8)
  • no patch available for many product variants
  • affects network infrastructure critical to remote operations
Affected products (39)
39 pending

Product                      | Affected Versions | Fix Status
---------------------------- | ----------------- | ----------
FL MGUARD CENTERPORT         | <8.8.2            | No fix yet
FL MGUARD CORE TX VPN        | <8.8.2            | No fix yet
FL MGUARD DELTA TX/TX        | <8.8.2            | No fix yet
FL MGUARD DELTA TX/TX VPN    | <8.8.2            | No fix yet
FL MGUARD GT/GT              | <8.8.2            | No fix yet
Remediation & Mitigation
Do now
  • WORKAROUND: Disable the PPP service on devices where it is not required for operations
  • WORKAROUND: Restrict PPP interface connectivity to trusted networks only; configure firewall rules to block PPP connections from untrusted external networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update all affected FL MGUARD and TC MGUARD devices to firmware version 8.8.2 or later
  • HOTFIX: Update all affected TC ROUTER devices (2002T-3G, 3002T series) to firmware version 2.05.5 or later
  • HOTFIX: Update all affected TC CLOUD CLIENT devices (1002-4G variants) to firmware version 2.03.19 or later
Long-term hardening
  • HARDENING: Segment the industrial network to isolate affected routers and gateways from direct exposure to untrusted PPP peers
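The advisory gives two conditions that together decide whether a device is actually exposed: its firmware is below the family's fixed version, and pppd is running (by default on TC ROUTER and TC CLOUD CLIENT, or on FL MGUARD/TC MGUARD only in one of the four listed operating modes). The triage script below is an added example, not part of the advisory and not Phoenix Contact code; it takes the fixed-version thresholds and the PPP activation rules from the advisory text, while the model names in the inventory, the mode labels (`mobile_data`, `router_modem`, `router_pppoe`, `l2tp_over_ipsec`) and the `ppp_enabled` field are constructed for this script and do not correspond to the devices' real configuration keys. Versions are compared numerically, since a plain string comparison would mis-rank values such as `2.05.5` against `2.10.0`.

```python
"""Firmware/exposure triage for CVE-2020-8597 on Phoenix Contact devices.

Added example, not part of the advisory and not Phoenix Contact code. The
minimum fixed versions and the PPP activation rules are taken from the
advisory text; model names, mode labels and inventory entries are constructed.
"""
import re

# Minimum patched firmware per product family, as stated in the advisory.
MIN_FIXED = {
    "FL MGUARD": (8, 8, 2),
    "TC MGUARD": (8, 8, 2),
    "TC ROUTER": (2, 5, 5),         # advisory writes this as 2.05.5
    "TC CLOUD CLIENT": (2, 3, 19),  # advisory writes this as 2.03.19
}

# Families where pppd is active by default (advisory).
PPP_DEFAULT_ON = {"TC ROUTER", "TC CLOUD CLIENT"}

# mGuard operating modes that start pppd (advisory). The labels are
# assumed names for this script, not the devices' configuration keys.
PPP_MODES_MGUARD = {"mobile_data", "router_modem", "router_pppoe", "l2tp_over_ipsec"}


def parse_version(text):
    """Turn '8.8.1', 'v2.05.5' or '2.03.19' into a tuple of ints.

    Numeric comparison matters: a string compare would rank '2.05.5'
    above '2.10.0' and '8.8.10' below '8.8.2'.
    """
    text = text.strip().lstrip("vV")
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def family_of(model):
    """Map a model name to its advisory product family (longest prefix match)."""
    name = model.upper()
    matches = [fam for fam in MIN_FIXED if name.startswith(fam)]
    return max(matches, key=len) if matches else None


def ppp_active(family, mode=None, ppp_enabled=None):
    """Decide whether pppd is running on this device.

    ppp_enabled: explicit value read from the device config, if known.
    mode: operating mode, used for the mGuard families where PPP is off
    by default unless one of the listed modes is configured.
    """
    if ppp_enabled is not None:
        return bool(ppp_enabled)
    if family in PPP_DEFAULT_ON:
        return True
    return mode in PPP_MODES_MGUARD


def triage(model, version, mode=None, ppp_enabled=None):
    """Classify one device: vulnerable firmware, PPP exposure, next action."""
    family = family_of(model)
    if family is None:
        return {"model": model, "family": None, "vulnerable_firmware": None,
                "ppp_active": None, "exposed": None,
                "action": "not covered by this advisory; verify manually"}
    vulnerable = parse_version(version) < MIN_FIXED[family]
    active = ppp_active(family, mode, ppp_enabled)
    exposed = vulnerable and active
    if exposed:
        action = "patch now; until then disable PPP or restrict the PPP path"
    elif vulnerable:
        action = "schedule patch (PPP currently inactive)"
    else:
        action = "firmware at or above fixed version"
    return {"model": model, "family": family, "vulnerable_firmware": vulnerable,
            "ppp_active": active, "exposed": exposed, "action": action}


# Constructed inventory (not real devices); modes are this script's labels.
INVENTORY = [
    {"model": "FL MGUARD CENTERPORT", "version": "8.8.1", "mode": "router_pppoe"},
    {"model": "FL MGUARD DELTA TX/TX", "version": "8.8.1", "mode": "router"},
    {"model": "TC ROUTER 3002T", "version": "2.05.4"},
    {"model": "TC ROUTER 3002T", "version": "2.05.4", "ppp_enabled": False},
    {"model": "TC CLOUD CLIENT 1002-4G", "version": "2.03.19"},
]


def triage_inventory(inventory=INVENTORY):
    """Run triage over an inventory and return results, exposed devices first."""
    results = [triage(**entry) for entry in inventory]
    return sorted(results, key=lambda r: (not r["exposed"], r["model"]))


if __name__ == "__main__":
    for r in triage_inventory():
        print(f"{r['model']:<26} {r['action']}")
```

A device that is vulnerable but currently has PPP inactive still goes on the patch schedule: the advisory notes that pppd starts automatically when an mGuard is reconfigured for mobile data, modem, PPPoE or L2TP over IPsec, so a later configuration change would make it exposed without any firmware change.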