PHOENIX CONTACT: XSS and memory-leak in FL MGUARD 1102/1105

Recommended action: Plan Patch
CVSS: 7.5
Advisory ID: VDE-2021-046
Published: Nov 10, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

FL MGUARD 1102 and 1105 contain two vulnerabilities: (1) stored cross-site scripting (XSS) in certificate file uploads on the LDAP and Remote Logging settings pages: an authenticated admin user can embed malicious HTML/JavaScript in an uploaded certificate file that executes when other authenticated users view those pages; (2) a memory leak in the remote logging function, where syslog-ng data structures are not released, causing the device to gradually consume more memory and potentially become unavailable. Both issues are confirmed in firmware versions 1.4.0, 1.4.1, and 1.5.0. Phoenix Contact has released firmware version 1.5.1, which addresses both vulnerabilities. The workaround for the memory leak is to disable remote logging until the device can be patched.

What this means
What could happen
A user with admin credentials can inject malicious code into certificate files that executes when other admins view those pages, potentially allowing them to steal credentials or modify device settings. Additionally, the remote logging feature causes the device to leak memory over time, potentially causing it to crash and interrupt network monitoring.
Who's at risk
Network security appliance administrators and operators managing FL MGUARD 1102 or 1105 devices should be concerned. These devices are typically used as Industrial Ethernet firewalls and remote access gateways in manufacturing and utility environments. Any facility using these devices for network segmentation or remote management is affected.
How it could be exploited
An attacker with admin or super-admin access uploads a malicious certificate file containing HTML/JavaScript to the LDAP or Remote Logging settings pages via the web interface or REST API. When another authenticated user views those pages, the malicious code executes in their browser and could harvest session tokens or modify settings. Separately, enabling remote logging causes memory to accumulate without being released, eventually exhausting device resources.
Prerequisites
  • Valid FL MGUARD admin or super-admin credentials
  • Access to the web-based management interface or REST API
  • For XSS exploitation: another admin user must view the affected settings pages
Key points
  • remotely exploitable via REST API
  • no patch available for current versions
  • affects network monitoring and device stability
  • requires admin credentials but poses insider threat risk
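The stored XSS above works because the device accepts an arbitrary file as a "certificate" and later renders content derived from it in the settings pages. As an added illustration of the server-side check that blocks that class of upload (example code written for this page, not Phoenix Contact's firmware code): accept an upload only when it is a single PEM CERTIFICATE block whose body decodes to a complete outer DER SEQUENCE, and HTML-escape anything taken from it before it reaches a page. The sample uploads are constructed for the example; the DER stub is a minimal SEQUENCE, not a real certificate.

```python
import base64
import html
import re

# Constructed sample uploads for this example (not from the advisory).
_DER_STUB = bytes([0x30, 0x03, 0x02, 0x01, 0x01])  # SEQUENCE { INTEGER 1 }
GOOD_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(_DER_STUB).decode()
            + "-----END CERTIFICATE-----\n")
BAD_WRAPPER = "<b>not a cert</b>\n" + GOOD_PEM      # markup outside the armour
BAD_BODY = ("-----BEGIN CERTIFICATE-----\nPGI+eDwvYj4=\n"  # "<b>x</b>" in base64
            "-----END CERTIFICATE-----\n")

_PEM_RE = re.compile(r"\A\s*-----BEGIN CERTIFICATE-----\r?\n"
                     r"([A-Za-z0-9+/=\r\n]+)-----END CERTIFICATE-----\s*\Z")

def _der_sequence_length(der: bytes) -> int:
    """Total encoded length of the outer DER SEQUENCE; ValueError if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def validate_certificate_upload(text: str) -> bytes:
    """Return DER bytes for exactly one well-formed PEM certificate block."""
    m = _PEM_RE.match(text)
    if not m:
        raise ValueError("upload is not a single PEM CERTIFICATE block")
    # validate=True rejects non-alphabet bytes (binascii.Error is a ValueError)
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if _der_sequence_length(der) != len(der):
        raise ValueError("PEM body is not a complete DER SEQUENCE")
    return der

def is_valid_certificate_upload(text: str) -> bool:
    try:
        validate_certificate_upload(text)
        return True
    except ValueError:
        return False

def render_field(value: str) -> str:
    """HTML-escape any certificate-derived string before it reaches a page."""
    return html.escape(value, quote=True)
```

A production implementation would additionally parse the DER with a real X.509 library; the structural check here is the minimum that stops arbitrary text from being stored as a certificate.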
Affected products (6)
All 6 have a fix available.

Product          Affected Version   Fix Status
FL MGUARD 1105   1.4.0              1.5.1
FL MGUARD 1105   1.4.1              1.5.1
FL MGUARD 1105   1.5.0              1.5.1
FL MGUARD 1102   1.4.0              1.5.1
FL MGUARD 1102   1.4.1              1.5.1
FL MGUARD 1102   1.5.0              1.5.1
Remediation & Mitigation
Do now
WORKAROUND: Immediately deactivate remote logging until the firmware can be upgraded
HARDENING: Revoke access for any user accounts that may have been compromised or used to upload unauthorized certificates
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade firmware to version 1.5.1 or later to patch both the XSS and the memory-leak vulnerability
HOTFIX: After upgrading, re-upload all LDAP and Remote Logging certificates through the REST API without viewing those pages in the web interface, so that any embedded exploits are not rendered
HARDENING: Review audit logs and settings for unauthorized modifications made before the upgrade; disregard log entries about user actions made before the upgrade, since they cannot be trusted