PHOENIX CONTACT: FL MGUARD affected by two vulnerabilities
Monitor5.9VDE-2023-010Jun 13, 2023
Attack VectorNetwork
Auth RequiredNone
ComplexityHigh
User InteractionNone needed
Summary
The FL MGUARD family of devices is affected by two vulnerabilities: one allowing potential decryption of communications encrypted with RSA-based ciphers due to cryptographic weaknesses (CWE-1287), and another allowing malicious UDP packets to reach clients if the incoming IPv4 packet filter is not properly configured (CWE-203). These vulnerabilities affect all models including the newer 4000-series (2102, 4102, 4302) and the older series (CENTERPORT, CORE TX, DELTA TX, GT, PCI4000, PCIE4000, RS2000, RS2005, RS4000, RS4004, SMART2) with various configurations (standard, PCI, PCIE, VPN-enabled).
What this means
What could happen
An attacker with network access to an FL MGUARD device could decrypt encrypted communications if using RSA-based ciphers, potentially compromising confidential network traffic. Additionally, malicious UDP packets could reach clients if the incoming packet filter is misconfigured.
Who's at risk
Network protection appliance operators should care. FL MGUARD devices are industrial security gateways used to protect manufacturing, water treatment, power generation, and other critical infrastructure networks. The vulnerability affects all models in the FL MGUARD family, including controllers with PCI/PCIE interfaces, embedded systems, and VPN-enabled variants commonly deployed at the industrial network perimeter.
How it could be exploited
An attacker on the network sends specially crafted packets to an FL MGUARD device using vulnerable RSA-based encryption ciphers, allowing decryption of encrypted communications through cryptographic weaknesses. A second attack path involves sending malicious UDP packets that bypass packet filtering to reach connected clients.
Prerequisites
- Network access to the FL MGUARD device
- Device configured to use RSA-based ciphers for TLS or IPsec encryption
- Incoming IPv4 packet filter not properly configured to block malicious UDP traffic
remotely exploitablelow complexityconfidentiality impact on encrypted trafficaffects network segmentation controls
Affected products (26)
26 with fix
ProductAffected VersionsFix Status
FL MGUARD 2102≤ 10.1.110.2.0
FL MGUARD 4102 PCI≤ 10.1.110.2.0
FL MGUARD 4102 PCIE≤ 10.1.110.2.0
FL MGUARD 4302≤ 10.1.110.2.0
FL MGUARD CENTERPORT≤ 8.9.08.9.1
Remediation & Mitigation
0/5
Do now
0/2HARDENINGConfigure TLS and IPsec connections on FL MGUARD devices to use only cipher suites with forward secrecy, disabling RSA-based ciphers
HARDENINGReview and configure the incoming IPv4 packet filter on all FL MGUARD devices to block UDP packets from untrusted sources
Schedule — requires maintenance window
0/3Patching may require device reboot — plan for process interruption
FL MGUARD 2102
HOTFIXUpdate FL MGUARD 2102, 4102 PCI, 4102 PCIE, and 4302 devices to firmware version 10.2.0 or later
All products
HOTFIXUpdate all other FL MGUARD models (CENTERPORT, CORE TX, DELTA TX, GT, PCI4000, PCIE4000, RS2000, RS2005, RS4000, RS4004, SMART2 and their VPN variants) to firmware version 8.9.1 or later
HARDENINGRenew all certificates used by FL MGUARD devices, prioritizing those affected by weak RSA cipher implementations
CVEs (2)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/557f0c00-ce19-42ff-98a2-c2f4ae7eb755