PHOENIX CONTACT: FL MGUARD DM version 1.12.0 and 1.13.0 Improper Privilege Management

Plan Patch7.5VDE-2021-035Aug 11, 2021

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The Apache web server bundled with FL MGUARD DM versions 1.12.0 and 1.13.0 does not enforce login credentials to access the web interface, even when authentication is configured during installation. This allows unauthenticated network access to the device's configuration and operational data.

What this means

What could happen

An attacker on the network can access the FL MGUARD DM web interface without credentials to view sensitive configuration and operational data from the device.

Who's at risk

Water utilities, electric utilities, and manufacturing facilities using Phoenix Contact FL MGUARD DM as a management firewall or network appliance for protecting industrial networks and programmable logic controllers (PLCs) or other control devices.

How it could be exploited

An attacker sends an HTTP request to the Apache web server on the FL MGUARD DM. The server grants access to the web interface and sensitive files (DocumentRoot and /atv alias) without requiring authentication, allowing the attacker to read configuration, system status, and potentially device control settings.

Prerequisites

Network access to the HTTP port (default 80 or 443) of the FL MGUARD DM
FL MGUARD DM must be accessible from attacker's network segment

remotely exploitableno authentication requiredlow complexityhigh CVSS score (7.5)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

FL MGUARD DM 1.12.01.12.01.13.0.1 or later

FL MGUARD DM 1.13.01.13.01.13.0.1 or later

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDIf patch cannot be applied immediately, stop the ApacheMDM Windows service and edit <mdm>/apache/conf/extra/httpd-mdm.conf to remove 'Require all granted' lines from DocumentRoot and '/atv' alias sections, then restart the service

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

FL MGUARD DM 1.12.0

HOTFIXUpdate FL MGUARD DM 1.12.0 or 1.13.0 to version 1.13.0.1 or later

All products

HARDENINGUse encrypted mGuard configuration profiles where available to protect sensitive settings

Long-term hardening

0/1

HARDENINGRestrict network access to the FL MGUARD DM web server port to only authorized management workstations using firewall rules

CVEs (1)

CVE-2021-34579

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/3e9a8b11-ebc6-48aa-ae11-ecdc4a3dd2c5