Phoenix Contact: Multiple Vulnerabilities in mGuard devices

Plan Patch | CVSS 8.8 | VDE-2024-039 | Sep 10, 2024
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Phoenix Contact mGuard devices contain multiple vulnerabilities: (1) confidential data exposure in HTTP query strings of administrative interface requests, and (2) incomplete input sanitization in the administrative web interface allowing command injection. These affect the mGuard GT, RS, 2102/2105, 4302/4305, 4102, CENTERPORT, PCI4000, PCIE4000, DELTA, SMART2, CORE product lines. An authenticated administrator or user with access to the admin interface can extract sensitive configuration data or inject commands to modify device behavior. CWEs involved include improper information exposure (CWE-201), OS command injection (CWE-78), improper restriction of rendered UI layers (CWE-212), and code injection (CWE-94).

What this means
What could happen
An authenticated attacker with access to the admin web interface could read sensitive data from HTTP query strings or inject commands into unsanitized input fields, potentially gaining control of network traffic filtering rules or accessing confidential configuration data.
Who's at risk
Manufacturing facilities, utilities (water, electric), and critical infrastructure using Phoenix Contact mGuard industrial security appliances and firewall modules for network protection. Both standalone gateway models (GT, RS, DELTA, SMART2, CORE) and PCI/PCIe card variants (4102, 4302, 4305, PCI4000, PCIE4000) are affected if running vulnerable firmware versions.
How it could be exploited
An attacker with valid credentials to the mGuard administrative interface can view confidential data exposed in HTTP query parameters and exploit incomplete input sanitization in web forms to inject arbitrary commands. The attack requires network access to the admin interface and valid user credentials.
Prerequisites
  • Valid administrative user credentials
  • Network access to the mGuard admin web interface (typically port 443 or 8443)
  • Device running vulnerable firmware version (8.9.3 or earlier for GT/RS/PCI/DELTA/SMART2/CORE models; 10.4.1 or earlier for 2102/2105/4302/4305/4102 models)
  • Requires valid credentials
  • Low complexity exploitation of input validation flaws
  • Affects network security appliances that protect critical infrastructure
  • High CVSS score (8.8)
  • Confidentiality, integrity, and availability impact
Affected products (37)
37 with fix
Product | Affected Versions | Fix Status
FL MGUARD GT/GT | <8.9.3 | 8.9.3
FL MGUARD GT/GT VPN | <8.9.3 | 8.9.3
FL MGUARD CENTERPORT | <8.9.3 | 8.9.3
FL MGUARD CENTERPORT VPN-1000 | <8.9.3 | 8.9.3
FL MGUARD 2102 | <10.4.1 | 10.4.1
Remediation & Mitigation
Do now
WORKAROUND: Restrict administrative web interface access to trusted users only; limit network access to the admin interface to specific IP addresses or administrative subnets using firewall rules
HARDENING: Review and audit admin user accounts on all mGuard devices; disable unnecessary administrative accounts and enforce strong passwords
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

FL MGUARD GT/GT
HOTFIX: Update FL MGUARD GT/GT, GT/GT VPN, CENTERPORT, CENTERPORT VPN-1000, RS2000, RS2005, RS4000, RS4004, PCI4000, PCIE4000, DELTA, SMART2, and CORE devices to firmware version 8.9.3 or later
FL MGUARD 2102
HOTFIX: Update FL MGUARD 2102, 2105, 4302, 4305, 4102 PCIE, and 4102 PCI devices to firmware version 10.4.1 or later
All products
HOTFIX: Update TC MGUARD RS2000 and RS4000 3G/4G/4G VZW/4G ATT VPN devices to firmware version 8.9.3 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate mGuard devices on a secure administrative network separate from general plant operations networks
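
To check an asset inventory against the fixed firmware versions given above, the following added example (not part of the original advisory or any Phoenix Contact tooling) classifies devices by model and firmware string. The inventory format, the hostnames and the `triage`/`report` function names are assumptions; a device counts as affected when its firmware is below the fixed version, as in the affected-products table.

```python
import re

# Fixed firmware per product line, taken from the advisory's remediation text.
FIXED = [
    (re.compile(r"\b(2102|2105|4302|4305|4102)\b"), (10, 4, 1)),
    (re.compile(r"\b(GT/GT|CENTERPORT|RS2000|RS2005|RS4000|RS4004|"
                r"PCI4000|PCIE4000|DELTA|SMART2|CORE)\b"), (8, 9, 3)),
]

def parse_version(text):
    """Return the leading dotted-numeric version as a tuple, or None."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def triage(model, firmware):
    """Classify one device as 'affected', 'fixed' or 'unknown'."""
    fixed = next((v for rx, v in FIXED if rx.search(model.upper())), None)
    have = parse_version(firmware)
    if fixed is None or have is None:
        return "unknown"  # unlisted model or unreadable version: review by hand
    return "affected" if have < fixed else "fixed"

def report(inventory):
    """Map hostname -> status for an iterable of (host, model, firmware)."""
    return {host: triage(model, fw) for host, model, fw in inventory}

# Constructed sample inventory (hostnames, versions and the unlisted model are made up).
SAMPLE = [
    ("fw-line1", "FL MGUARD RS4000", "8.8.6"),
    ("fw-line2", "FL MGUARD 4302", "10.4.1"),
    ("fw-line3", "FL MGUARD 2105", "10.3.0"),
    ("fw-pump1", "TC MGUARD RS2000 4G VPN", "8.9.3"),
    ("fw-lab", "UNLISTED MODEL X", "1.7.0"),
    ("fw-old", "FL MGUARD DELTA", "unknown"),
]

if __name__ == "__main__":
    for host, status in report(SAMPLE).items():
        print(f"{host:10} {status}")
```

Devices reported as "unknown" have either a model string outside the product lines named in this advisory or a firmware field that could not be parsed, and need manual review.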