OTPulse
FeedAboutContact

PHOENIX CONTACT: Denial-of-Service vulnerability in mGuard product family

Plan Patch7.5VDE-2022-051Nov 15, 2022
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

A denial-of-service vulnerability in the HTTPS management interface of Phoenix Contact mGuard devices can be triggered by a large number of unauthenticated connection attempts originating from different source IP addresses. An attacker can exhaust device resources and make the management interface unavailable. The vulnerability affects FL MGUARD and TC MGUARD devices in multiple form factors and configurations running firmware versions prior to 8.9.0. Standard firewall connection limits cannot prevent this issue. The vulnerability is resolved in firmware version 8.9.0.

What this means
What could happen
An attacker can flood the mGuard device with unauthenticated HTTPS connection attempts from multiple IP addresses, rendering the management interface unavailable and potentially disrupting remote management and monitoring of critical network infrastructure.
Who's at risk
Water utilities, electric utilities, and industrial facilities using Phoenix Contact mGuard network security devices for remote VPN access and management. Affected models include FL MGUARD and TC MGUARD series in various configurations (CenterPort, Core, Delta, GT, RS2000, RS2005, RS4000, RS4004, Smart2). Organizations relying on these devices for remote monitoring and control of OT networks are at risk.
How it could be exploited
An attacker on a network with access to the HTTPS management interface (port 443 by default) can send a large number of connection requests from spoofed or multiple source IPs. The device lacks proper connection rate limiting, causing resource exhaustion and making the management interface unresponsive.
Prerequisites
  • Network access to the HTTPS management interface (port 443)
  • Ability to originate connections from multiple source IP addresses
  • No authentication required
remotely exploitableno authentication requiredlow complexityhigh CVSS (7.5)
Affected products (31)
31 with fix
ProductAffected VersionsFix Status
FL MGUARD CENTERPORT<8.9.08.9.0
FL MGUARD CENTERPORT VPN-1000<8.9.08.9.0
FL MGUARD CORE TX<8.9.08.9.0
FL MGUARD CORE TX VPN<8.9.08.9.0
FL MGUARD DELTA TX/TX<8.9.08.9.0
Remediation & Mitigation
0/3
Do now
0/2
WORKAROUNDRestrict HTTPS management interface access to trusted internal networks only using firewall rules or network segmentation
HARDENINGDisable HTTPS management interface access from untrusted or external networks
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade all FL MGUARD and TC MGUARD devices to firmware version 8.9.0 or later
View full CERT@VDE advisory
API: /api/v1/advisories/4789c952-8c53-414b-ab69-040178fe4a5d
PHOENIX CONTACT: Denial-of-Service vulnerability in mGuard product family | CVSS 7.5 - OTPulse