PHOENIX CONTACT: FL MGUARD affected by two vulnerabilities

MonitorCVSS 5.9VDE-2023-010Jun 13, 2023

Phoenix Contact

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

The FL MGUARD family of devices is affected by two vulnerabilities: one allowing potential decryption of communications encrypted with RSA-based ciphers due to cryptographic weaknesses (CWE-1287), and another allowing malicious UDP packets to reach clients if the incoming IPv4 packet filter is not properly configured (CWE-203). These vulnerabilities affect all models including the newer 4000-series (2102, 4102, 4302) and the older series (CENTERPORT, CORE TX, DELTA TX, GT, PCI4000, PCIE4000, RS2000, RS2005, RS4000, RS4004, SMART2) with various configurations (standard, PCI, PCIE, VPN-enabled).

What this means

What could happen

An attacker with network access to an FL MGUARD device could decrypt encrypted communications if using RSA-based ciphers, potentially compromising confidential network traffic. Additionally, malicious UDP packets could reach clients if the incoming packet filter is misconfigured.

Who's at risk

Network protection appliance operators should care. FL MGUARD devices are industrial security gateways used to protect manufacturing, water treatment, power generation, and other critical infrastructure networks. The vulnerability affects all models in the FL MGUARD family, including controllers with PCI/PCIE interfaces, embedded systems, and VPN-enabled variants commonly deployed at the industrial network perimeter.

How it could be exploited

An attacker on the network sends specially crafted packets to an FL MGUARD device using vulnerable RSA-based encryption ciphers, allowing decryption of encrypted communications through cryptographic weaknesses. A second attack path involves sending malicious UDP packets that bypass packet filtering to reach connected clients.

Prerequisites

Network access to the FL MGUARD device
Device configured to use RSA-based ciphers for TLS or IPsec encryption
Incoming IPv4 packet filter not properly configured to block malicious UDP traffic

remotely exploitablelow complexityconfidentiality impact on encrypted trafficaffects network segmentation controls

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Public Proof-of-Concept (PoC) on GitHub (1 repository)

Affected products (26)

26 with fix

ProductAffected VersionsFix Status

FL MGUARD 2102≤ 10.1.110.2.0

FL MGUARD 4102 PCI≤ 10.1.110.2.0

FL MGUARD 4102 PCIE≤ 10.1.110.2.0

FL MGUARD 4302≤ 10.1.110.2.0

FL MGUARD CENTERPORT≤ 8.9.08.9.1

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGConfigure TLS and IPsec connections on FL MGUARD devices to use only cipher suites with forward secrecy, disabling RSA-based ciphers

HARDENINGReview and configure the incoming IPv4 packet filter on all FL MGUARD devices to block UDP packets from untrusted sources

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

FL MGUARD 2102

HOTFIXUpdate FL MGUARD 2102, 4102 PCI, 4102 PCIE, and 4302 devices to firmware version 10.2.0 or later

All products

HOTFIXUpdate all other FL MGUARD models (CENTERPORT, CORE TX, DELTA TX, GT, PCI4000, PCIE4000, RS2000, RS2005, RS4000, RS4004, SMART2 and their VPN variants) to firmware version 8.9.1 or later

HARDENINGRenew all certificates used by FL MGUARD devices, prioritizing those affected by weak RSA cipher implementations

CVEs (2)

CVE-2022-4304 CVE-2023-2673

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/557f0c00-ce19-42ff-98a2-c2f4ae7eb755

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.