PHOENIX CONTACT: mGuard <8.8.3 products missing initialization of resource

Act Now9.1VDE-2020-046Dec 17, 2020

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

mGuard network devices with integrated switches fail to properly initialize disabled ports after reboot. Switch ports configured as disabled in firmware settings become active again following device restart, bypassing intended network segmentation. This affects FL MGUARD RS4004 TX/DTX and mGuard/TC MGUARD RS4000 series models running firmware versions before 8.8.3.

What this means

What could happen

After a reboot, disabled switch ports on mGuard devices automatically re-enable regardless of configuration settings, potentially allowing unauthorized network access to previously isolated segments. An attacker could exploit this to bypass network segmentation controls that protect critical OT systems.

Who's at risk

Water and electric utilities, manufacturing plants, and other facilities using Phoenix Contact mGuard network switches for OT security. Specifically affects FL MGUARD RS4004 TX/DTX and TC/mGuard RS4000 series devices with integrated switches and VPN capabilities used to segregate legacy control systems from corporate networks.

How it could be exploited

An attacker with physical access to an mGuard device (or knowledge that one is deployed on a network segment they can access) can wait for or trigger a reboot. Once the device restarts, disabled switch ports automatically become active, allowing traffic that should be blocked. The attacker can then send traffic across the now-active port to reach OT devices on the supposedly isolated network segment.

Prerequisites

Physical or network access to an mGuard device running firmware version before 8.8.3
Knowledge that switch ports have been disabled via configuration as a security control
Ability to trigger or wait for device reboot

Remotely exploitableNetwork segmentation bypassNo authentication requiredLow complexityAffects critical infrastructure network architectureHigh CVSS score (9.1)

Affected products (9)

9 with fix

ProductAffected VersionsFix Status

FL MGUARD RS4004 TX/DTX<8.8.38.8.3

FL MGUARD RS4004 TX/DTX VPN<8.8.38.8.3

mGuard rs4000 4TX/3G/TX VPN<8.8.38.8.3

mGuard rs4000 4TX/TX<8.8.38.8.3

mGuard rs4000 4TX/TX VPN<8.8.38.8.3

TC MGUARD RS4000 3G VPN<8.8.38.8.3

TC MGUARD RS4000 4G ATT VPN<8.8.38.8.3

TC MGUARD RS4000 4G VPN<8.8.38.8.3

Remediation & Mitigation

0/2

Do now

0/1

WORKAROUNDPhysically remove network cables from any switch ports that are intended to be disabled, rather than relying on configuration-based port disabling

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade all mGuard devices to firmware version 8.8.3 or later

CVEs (1)

CVE-2020-12523

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/c784eb71-2e5b-4ff8-906f-c90de5405e5f