Phoenix Contact: Multiple mGuard devices are vulnerable to a remote code injection due to SSH

Act Now | CVSS 8.1 | VDE-2024-051 | Sep 10, 2024
Phoenix Contact
Attack path
  Attack Vector: Network
  Auth Required: None
  Complexity: High
  User Interaction: None needed
Summary

Phoenix Contact mGuard industrial firewalls and VPN gateways running firmware versions below 8.9.3 or 10.4.1 (depending on model) contain a remote code injection vulnerability in the OpenSSH server. An unauthenticated attacker with network access to the SSH port can inject and execute arbitrary commands, potentially compromising the device and the networks it protects.

What this means
What could happen
An attacker with network access to the SSH port on an mGuard device could inject code and execute commands, potentially taking control of the device and disrupting critical network segmentation or remote access functions.
Who's at risk
Water utilities, electric utilities, and any facility using Phoenix Contact mGuard industrial firewalls or VPN gateways for network protection and remote access. These devices are critical boundary devices protecting SCADA systems, PLCs, RTUs, and remote access infrastructure.
How it could be exploited
An attacker sends a specially crafted SSH request to the mGuard device's SSH server (default port 22). The OpenSSH vulnerability allows code injection without authentication. The attacker gains command execution on the mGuard, which typically sits at the boundary between IT and OT networks or protects remote access to critical infrastructure.
Prerequisites
  • Network access to the mGuard SSH port (typically port 22)
  • mGuard device running firmware version below 8.9.3 or 10.4.1 (depending on model series)
remotely exploitable · no authentication required · low complexity · high EPSS score (46.7%) · affects boundary infrastructure
Exploitability
Likely to be exploited — EPSS score 48.1%
Public Proof-of-Concept (PoC) on GitHub (10 repositories)
Affected products (37)
37 with fix
Product                        Affected Versions   Fix Status
FL MGUARD RS2000 TX/TX VPN     <8.9.3              8.9.3
FL MGUARD RS2005 TX VPN        <8.9.3              8.9.3
TC MGUARD RS2000 3G VPN        <8.9.3              8.9.3
FL MGUARD RS4000 TX/TX         <8.9.3              8.9.3
FL MGUARD RS4000 TX/TX VPN     <8.9.3              8.9.3
Remediation & Mitigation
Do now
  • WORKAROUND: Restrict SSH access to the mGuard to only trusted networks using firewall rules or access control lists
  • WORKAROUND: Disable remote SSH access to the mGuard if not required for operations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update all mGuard devices to firmware version 8.9.3 (for FL MGUARD RS2000, RS4000, DELTA, SMART2, CORE, GT, CENTERPORT and TC MGUARD models) or 10.4.1 (for FL MGUARD 2000/4000-series) or later
Long-term hardening
  • HARDENING: Implement network segmentation to isolate mGuard devices from untrusted networks and limit exposure
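As an added example (not from the advisory or from Phoenix Contact), a small Python triage script that checks a fleet inventory against the two fix versions named above. It assumes the release train can be read from the firmware major version (8.x devices need 8.9.3, 10.x devices need 10.4.1) and runs on a constructed inventory with made-up hostnames.

```python
"""Triage an mGuard inventory against the VDE-2024-051 fix versions (added example)."""
import csv
import io

# Fixed firmware per release train, taken from the advisory: devices on the 8.x
# train (FL MGUARD RS2000/RS4000, DELTA, SMART2, CORE, GT, CENTERPORT, TC MGUARD)
# need 8.9.3; devices on the 10.x train (FL MGUARD 2000/4000-series) need 10.4.1.
# Assumption: the train is identified by the firmware major version.
FIXED_BY_TRAIN = {8: (8, 9, 3), 10: (10, 4, 1)}

def parse_version(text):
    """Turn '8.9.2' into (8, 9, 2). Compare numerically, not as strings:
    '8.10.0' is newer than '8.9.3' even though it sorts lower as text."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return (nums + (0, 0, 0))[:3]  # pad '8.9' to (8, 9, 0), drop build suffixes

def assess(firmware):
    """Return 'fixed', 'affected', or 'review' (train not named in the advisory)."""
    ver = parse_version(firmware)
    fixed = FIXED_BY_TRAIN.get(ver[0])
    if fixed is None:
        return "review"
    return "fixed" if ver >= fixed else "affected"

def triage_inventory(csv_text):
    """Group devices by status from CSV rows of hostname,model,firmware."""
    result = {"affected": [], "fixed": [], "review": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = assess(row["firmware"])
        result[status].append((row["hostname"], row["model"], row["firmware"]))
    return result

# Constructed sample inventory; hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = """hostname,model,firmware
mg-pump-01,FL MGUARD RS4000 TX/TX VPN,8.9.2
mg-pump-02,FL MGUARD RS4000 TX/TX VPN,8.9.3
mg-cell-01,TC MGUARD RS2000 3G VPN,8.10.0
mg-dmz-01,FL MGUARD 4000-series (placeholder model),10.3.5
mg-dmz-02,FL MGUARD 4000-series (placeholder model),10.4.1
mg-lab-01,unknown mGuard (placeholder),9.0.1
"""

if __name__ == "__main__":
    for status, devices in triage_inventory(SAMPLE_INVENTORY).items():
        for host, model, fw in devices:
            print(f"{status:8} {host:12} {model:45} {fw}")
```

Devices reported as "review" run a firmware train the advisory does not name and should be checked against the vendor's own affected-product list rather than assumed safe.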