PHOENIX CONTACT: Denial-of-Service vulnerability in mGuard product family

Plan PatchCVSS 7.5VDE-2022-051Nov 15, 2022

Phoenix Contact

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A denial-of-service vulnerability in the HTTPS management interface of Phoenix Contact mGuard devices can be triggered by a large number of unauthenticated connection attempts originating from different source IP addresses. An attacker can exhaust device resources and make the management interface unavailable. The vulnerability affects FL MGUARD and TC MGUARD devices in multiple form factors and configurations running firmware versions prior to 8.9.0. Standard firewall connection limits cannot prevent this issue. The vulnerability is resolved in firmware version 8.9.0.

What this means

What could happen

An attacker can flood the mGuard device with unauthenticated HTTPS connection attempts from multiple IP addresses, rendering the management interface unavailable and potentially disrupting remote management and monitoring of critical network infrastructure.

Who's at risk

Water utilities, electric utilities, and industrial facilities using Phoenix Contact mGuard network security devices for remote VPN access and management. Affected models include FL MGUARD and TC MGUARD series in various configurations (CenterPort, Core, Delta, GT, RS2000, RS2005, RS4000, RS4004, Smart2). Organizations relying on these devices for remote monitoring and control of OT networks are at risk.

How it could be exploited

An attacker on a network with access to the HTTPS management interface (port 443 by default) can send a large number of connection requests from spoofed or multiple source IPs. The device lacks proper connection rate limiting, causing resource exhaustion and making the management interface unresponsive.

Prerequisites

Network access to the HTTPS management interface (port 443)
Ability to originate connections from multiple source IP addresses
No authentication required

remotely exploitableno authentication requiredlow complexityhigh CVSS (7.5)

Exploitability

Unlikely to be exploited — EPSS score 0.8%

Affected products (31)

31 with fix

ProductAffected VersionsFix Status

FL MGUARD CENTERPORT<8.9.08.9.0

FL MGUARD CENTERPORT VPN-1000<8.9.08.9.0

FL MGUARD CORE TX<8.9.08.9.0

FL MGUARD CORE TX VPN<8.9.08.9.0

FL MGUARD DELTA TX/TX<8.9.08.9.0

Remediation & Mitigation

0/3

Do now

0/2

WORKAROUNDRestrict HTTPS management interface access to trusted internal networks only using firewall rules or network segmentation

HARDENINGDisable HTTPS management interface access from untrusted or external networks

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade all FL MGUARD and TC MGUARD devices to firmware version 8.9.0 or later

CVEs (1)

CVE-2022-3480

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/4789c952-8c53-414b-ab69-040178fe4a5d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.