Phoenix Contact: Multiple Vulnerabilities in mGuard devices
Plan Patch | CVSS 8.8 | VDE-2024-039 | Sep 10, 2024
Phoenix Contact
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities in Phoenix Contact mGuard devices allow attackers with valid administrative credentials to access confidential data and execute arbitrary commands. The vulnerabilities stem from confidential data exposure in HTTP query strings and incomplete input sanitization in the administrative web interface.
What this means
What could happen
An attacker with valid administrative credentials could read sensitive configuration or operational data from the device and potentially execute arbitrary commands on the mGuard appliance, compromising network segmentation and possibly gaining access to connected industrial networks.
Who's at risk
Water utilities and power companies using Phoenix Contact mGuard network security appliances are affected. These devices are deployed at the boundary between corporate IT networks and operational technology networks (SCADA, PLC networks, RTU communications). Organizations with critical process automation or remote access capabilities relying on mGuard for network segmentation should prioritize patching.
How it could be exploited
An attacker with valid administrative credentials accesses the web interface of an mGuard device. The attacker exploits incomplete input validation to inject commands or reads confidential data exposed in HTTP query strings to extract credentials or configuration details that could be used for further lateral movement into the OT network.
Prerequisites
- Valid administrative credentials for the mGuard device
- Network access to the administrative web interface (typically port 443 or 80)
- mGuard device running firmware version earlier than 8.9.3 or 10.4.1 depending on model
Tags: remotely exploitable, requires administrative credentials, affects network boundary device, data exposure in HTTP, command injection capability
Exploitability
Some exploitation risk — EPSS score 2.5%
Affected products (37)
37 with fix
Product                        | Affected Versions | Fix Status
FL MGUARD GT/GT                | < 8.9.3           | 8.9.3
FL MGUARD GT/GT VPN            | < 8.9.3           | 8.9.3
FL MGUARD CENTERPORT           | < 8.9.3           | 8.9.3
FL MGUARD CENTERPORT VPN-1000  | < 8.9.3           | 8.9.3
FL MGUARD 2102                 | < 10.4.1          | 10.4.1
Remediation & Mitigation
Do now
WORKAROUND: Restrict administrative access to mGuard devices to trusted engineering workstations and administrative machines only, using firewall rules or network segmentation.
HARDENING: Change default administrative credentials immediately and enforce strong, unique passwords for all mGuard administrative accounts.
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption.
HOTFIX: Update all affected mGuard devices to firmware version 8.9.3 (GT, CENTERPORT, RS-series, Delta, Smart2, Core models) or version 10.4.1 (2102, 2105, 4302, 4305, 4102 series).
HARDENING: Audit access logs on all mGuard devices to identify any unauthorized administrative access attempts.
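Because the fixed version differs by model family, a patch-status check has to map each device to the right threshold and compare versions numerically (as strings, "10.4.1" sorts before "8.9.3"). The script below is an added example, not Phoenix Contact's tooling: the inventory lines are constructed, the model-family regex is an assumption derived from the product names in the advisory, and any other "FL MGUARD" name is assumed to belong to the 8.9.3 group.

```python
import re
from typing import Optional

# Fixed firmware versions per model family, as stated in the advisory.
FIX_LEGACY = "8.9.3"   # GT, CENTERPORT, RS-series, Delta, Smart2, Core
FIX_NEW = "10.4.1"     # 2102, 2105, 4302, 4305, 4102 series
# Assumed naming pattern for the newer-generation models (not from the advisory).
NEW_GENERATION = re.compile(r"^FL MGUARD (2102|2105|4302|4305|4102)\b", re.IGNORECASE)


def fixed_version_for(product: str) -> Optional[str]:
    """Return the fixed firmware version for an mGuard product name, or None if not an mGuard."""
    name = product.strip()
    if not name.upper().startswith("FL MGUARD"):
        return None
    return FIX_NEW if NEW_GENERATION.match(name) else FIX_LEGACY


def parse_version(version: str) -> tuple:
    """Turn '8.9.3' into (8, 9, 3) so versions compare numerically, not lexically."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def needs_patch(product: str, version: str) -> Optional[bool]:
    """True if the device runs firmware older than the fix; None for non-mGuard products."""
    fix = fixed_version_for(product)
    if fix is None:
        return None
    return parse_version(version) < parse_version(fix)


def triage(inventory_csv: str) -> list:
    """Parse 'hostname,product,firmware' lines and list devices still needing the update."""
    todo = []
    for line in inventory_csv.strip().splitlines():
        host, product, fw = (field.strip() for field in line.split(",", 2))
        if needs_patch(product, fw):
            todo.append((host, product, fw, fixed_version_for(product)))
    return todo


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = """\
mguard-01,FL MGUARD GT/GT VPN,8.8.2
mguard-02,FL MGUARD 2102,10.4.1
mguard-03,FL MGUARD 4302,10.3.0
mguard-04,FL MGUARD CENTERPORT,8.9.3
fw-05,OTHER VENDOR FIREWALL,1.0
"""

if __name__ == "__main__":
    for host, product, fw, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} runs {fw}, update to {fix}")
```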
CVEs (12)