PHOENIX CONTACT: mGuard Device Manager affected by HTTP Request Smuggling of Apache Webserver

Act Now | CVSS 9.8 | VDE-2022-014 | Apr 12, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Apache HTTP Server 2.4.52 and earlier fails to close inbound connections when errors occur while discarding the request body. This exposes the mGuard Device Manager to HTTP Request Smuggling attacks. The vulnerability affects only the mdm Installer for Windows when ConfigPull functionality is enabled.

What this means
What could happen
An attacker could exploit HTTP Request Smuggling to inject malicious requests into the mGuard Device Manager, potentially modifying network security configurations or bypassing access controls on managed devices across your infrastructure.
Who's at risk
Organizations operating Phoenix Contact mGuard Device Manager appliances, particularly those in critical infrastructure (electric utilities, water treatment, manufacturing) that use these devices to manage distributed firewall and security appliances across their operational networks.
How it could be exploited
An attacker with network access to the mGuard Device Manager's HTTP interface could send a crafted request that exploits the connection handling flaw to smuggle additional HTTP requests. By targeting the ConfigPull functionality, the attacker could manipulate configuration file handling if files are stored unencrypted.
Prerequisites
  • Network access to the mGuard Device Manager HTTP interface (typically port 80 or 443)
  • ConfigPull functionality must be enabled on the mGuard Device Manager
  • Configuration files stored unencrypted (required for exploitation to be practically useful)
remotely exploitable | no authentication required | low complexity | critical severity (CVSS 9.8) | affects network security infrastructure
Affected products (1)
Product | Affected Versions | Fix Status
FL MGUARD DM UNLIMITED | ≤ 1.13.0.1 | 1.13.0.2
Remediation & Mitigation
Do now
HOTFIX: Upgrade FL MGUARD DM UNLIMITED to version 1.13.0.2 or higher
HARDENING: Encrypt all configuration files with the device-specific public key of mGuard appliances
HARDENING: Restrict network access to the mGuard Device Manager HTTP interface to trusted engineering networks only using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

WORKAROUND: Disable ConfigPull functionality if it is not actively required for your operational needs
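
The following is an added triage example, not code from Phoenix Contact or from this advisory page. It applies the advisory's exposure conditions and remediation items to an asset inventory; the record fields, host names and the 1.13.0.10 version are constructed assumptions.

```python
from typing import NamedTuple

FIXED = (1, 13, 0, 2)  # first fixed FL MGUARD DM UNLIMITED version, from the advisory


def parse_version(text):
    """Turn '1.13.0.1' into (1, 13, 0, 1) so versions compare numerically."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts + (0,) * (4 - len(parts))  # pad short forms such as '1.13'


class MdmInstall(NamedTuple):  # hypothetical inventory record; field names are assumptions
    host: str
    version: str
    windows_installer: bool
    configpull_enabled: bool
    configs_encrypted: bool
    http_restricted: bool  # HTTP interface limited to trusted engineering networks


def triage(inst):
    """Return (exposed, outstanding_actions) using the advisory's conditions."""
    outdated = parse_version(inst.version) < FIXED
    # The advisory limits the issue to the Windows installer with ConfigPull enabled.
    exposed = outdated and inst.windows_installer and inst.configpull_enabled
    actions = []
    if outdated:
        actions.append("HOTFIX: upgrade to 1.13.0.2 or higher")
    if not inst.configs_encrypted:
        actions.append("HARDENING: encrypt configuration files")
    if not inst.http_restricted:
        actions.append("HARDENING: restrict HTTP interface access")
    if exposed:
        actions.append("WORKAROUND: disable ConfigPull if not required")
    return exposed, actions


# Constructed sample inventory (hosts and the 1.13.0.10 version are made up)
INVENTORY = [
    MdmInstall("mdm-plant-a", "1.13.0.1", True, True, False, False),
    MdmInstall("mdm-plant-b", "1.13.0.1", True, False, True, True),
    MdmInstall("mdm-lab", "1.13.0.10", True, True, True, True),
]

if __name__ == "__main__":
    for inst in INVENTORY:
        exposed, actions = triage(inst)
        print(inst.host, "EXPOSED" if exposed else "not exposed", actions)
```

Versions are compared as integer tuples because a plain string comparison would rank a four-part version such as 1.13.0.10 below 1.13.0.2 and flag a fixed installation as affected.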
PHOENIX CONTACT: mGuard Device Manager affected by HTTP Request Smuggling of Apache Webserver | CVSS 9.8 - OTPulse