PHOENIX CONTACT: Multiple products affected by possible infinite loop within OpenSSL library

Plan Patch | CVSS 7.5 | VDE-2022-013 | Apr 12, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

FL MGUARD and TC MGUARD devices contain a possible infinite loop vulnerability in the OpenSSL library when parsing elliptic curve parameters in X.509 certificates. This affects certificate parsing used for HTTPS/SSH administrative login (when client certificates are configured), IPsec VPN peer certificate validation, and connections to external servers (OpenVPN, configuration pull, update servers). An attacker can send a specially crafted certificate to trigger a denial-of-service condition on the device. FL MGUARD DM UNLIMITED is also affected when parsing certificates in the Windows installer. FL WLAN 1010/1011/1100/1101/2010/2011/2100/2101 and FL WLAN 5100/5101/5102/5110/5111 devices are affected, with no planned fix available.

What this means
What could happen
An attacker can send specially crafted certificates over the network to cause a firewall or VPN device to enter an infinite loop, temporarily disabling network protection or blocking remote access for that device.
Who's at risk
Water authorities and electric utilities that use Phoenix Contact FL MGUARD or TC MGUARD firewalls and VPN devices for network protection or remote site connectivity. Organizations using FL WLAN access points for wireless network access are also affected. FL MGUARD DM UNLIMITED device management software is affected on Windows systems.
How it could be exploited
An attacker sends a malicious certificate containing elliptic curve parameters to a Phoenix Contact firewall or VPN device. The device attempts to parse the certificate (during HTTPS login, SSH login, IPsec VPN handshake, or external server connection), triggering an infinite loop in the OpenSSL library that consumes CPU and stops the device from responding.
Prerequisites
  • Network access to reach the affected device on port 443 (HTTPS), port 22 (SSH), port 500/4500 (IPsec), or the configured management port
  • The device must be configured to parse certificates (e.g., client certificate authentication enabled for admin login, or VPN peer certificate validation enabled)
remotely exploitable; no authentication required; low complexity; affects network security infrastructure; no patch available for FL WLAN devices
Affected products (52)
39 with fix, 13 pending
Product | Affected Versions | Fix Status
FL MGUARD 1102 | ≤ 1.5.2 | 8.8.6
FL MGUARD 1105 | ≤ 1.5.2 | 8.8.6
FL MGUARD CENTERPORT | ≤ 8.8.5 | 8.8.6
FL MGUARD CENTERPORT VPN-1000 | ≤ 8.8.5 | 8.8.6
FL MGUARD CORE TX | ≤ 8.8.5 | 8.8.6
Remediation & Mitigation
Do now
WORKAROUND: Disable client certificate authentication on administrative interfaces (HTTPS/SSH) if not required for operations
HARDENING: Restrict certificate-based IPsec VPN peer connections to known, trusted peer certificates only
HARDENING: Restrict network access to device management ports (HTTPS, SSH) to authorized IT personnel networks using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

FL MGUARD DM UNLIMITED
HOTFIX: Update FL MGUARD DM UNLIMITED to version 1.13.0.2 or later
All products
HOTFIX: Update FL MGUARD and TC MGUARD devices to firmware version 8.8.6 or later
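
Added example, not part of the vendor advisory: a small triage script that applies the version thresholds listed above to an asset inventory and separates devices that need the update from FL WLAN models that have no planned fix. The CSV column names, site names, status labels and the FL WLAN firmware string are assumptions made for illustration.

```python
import csv
import io

# Thresholds copied from the advisory text and product table.
MGUARD_FIXED = (8, 8, 6)        # FL/TC MGUARD firmware with the fix
MGUARD_11XX_MAX = (1, 5, 2)     # FL MGUARD 1102/1105: affected up to here
DM_FIXED = (1, 13, 0, 2)        # FL MGUARD DM UNLIMITED fixed release
WLAN_NO_FIX = {"1010", "1011", "1100", "1101", "2010", "2011", "2100",
               "2101", "5100", "5101", "5102", "5110", "5111"}

def parse_version(text):
    """'8.8.5' -> (8, 8, 5); None when the string is not dotted numeric."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None

def triage(product, version):
    """Classify one asset; status labels are this example's own."""
    name = " ".join(product.upper().split())
    if name.startswith("FL WLAN ") and name.split()[2] in WLAN_NO_FIX:
        return "NO_FIX_RESTRICT_ACCESS"   # version is irrelevant: no fix planned
    ver = parse_version(version)
    if ver is None:
        return "CHECK_MANUALLY"
    if name.startswith("FL MGUARD DM"):
        return "OK" if ver >= DM_FIXED else "UPDATE"
    if name in ("FL MGUARD 1102", "FL MGUARD 1105"):
        return "UPDATE" if ver <= MGUARD_11XX_MAX else "OK"
    if name.startswith(("FL MGUARD", "TC MGUARD")):
        return "OK" if ver >= MGUARD_FIXED else "UPDATE"
    return "NOT_IN_ADVISORY"

def triage_inventory(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["site"], triage(r["product"], r["firmware"])) for r in rows]

# Constructed sample inventory (sites and firmware strings are made up).
SAMPLE = """site,product,firmware
pump-station-3,FL MGUARD CORE TX,8.8.5
substation-7,FL MGUARD CENTERPORT,8.8.6
plant-wifi,FL WLAN 1101,2.71
eng-workstation,FL MGUARD DM UNLIMITED,1.13.0
cabinet-2,FL MGUARD 1105,1.5.2
"""

if __name__ == "__main__":
    for site, status in triage_inventory(SAMPLE):
        print(f"{site:18} {status}")
```

Assets reported as NO_FIX_RESTRICT_ACCESS are the ones to cover with the network-restriction items under "Do now", since the update path does not apply to them.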