Phoenix Contact: Multiple mGuard devices are vulnerable to a remote code injection due to SSH
Plan Patch | CVSS 8.1 | VDE-2024-051 | Sep 10, 2024
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
Phoenix Contact mGuard secure routers and gateways contain a remote code injection vulnerability in their embedded OpenSSH server. An attacker with network access to the SSH port can inject malicious commands and execute them on the device without valid credentials. The vulnerability affects all mGuard models running firmware below version 8.9.3 (legacy models) or 10.4.1 (newer models). The issue is a race condition or code injection flaw (CWE-362) in the SSH authentication handling.
What this means
What could happen
An attacker with network access to the SSH port on an mGuard device could execute arbitrary commands on the device, potentially disrupting network communications, altering traffic rules, or disconnecting remote sites that depend on the mGuard for secure connectivity.
Who's at risk
Organizations operating Phoenix Contact mGuard secure routers and gateways used for connecting industrial sites over untrusted networks (including the entire mGuard product line: RS2000, RS2005, RS4000, RS4004, DELTA, SMART2, CORE, GT, CENTERPORT, 2102, 2105, 4302, 4305, and 4102 series). This affects utilities, manufacturing plants, and networked industrial control systems that rely on mGuards for site-to-site VPN or secure remote access.
How it could be exploited
An attacker on the network sends a malformed SSH request to the mGuard's SSH port (typically port 22). Due to a code injection flaw in the OpenSSH server, the attacker can bypass authentication checks and inject commands that execute with the device's privileges. No valid SSH credentials are needed.
Prerequisites
- Network-accessible SSH port on the mGuard device
- Vulnerable firmware version below 8.9.3 (older products) or 10.4.1 (newer products)
- Remotely exploitable
- No authentication required
- Low complexity attack
- Affects network security appliances critical to OT connectivity
- High CVSS score (8.1)
Affected products (37)
37 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| FL MGUARD RS2000 TX/TX VPN | <8.9.3 | 8.9.3 |
| FL MGUARD RS2005 TX VPN | <8.9.3 | 8.9.3 |
| TC MGUARD RS2000 3G VPN | <8.9.3 | 8.9.3 |
| FL MGUARD RS4000 TX/TX | <8.9.3 | 8.9.3 |
| FL MGUARD RS4000 TX/TX VPN | <8.9.3 | 8.9.3 |
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to the SSH port (22) on all mGuard devices to only trusted engineering networks and management stations using firewall rules
- HARDENING: Disable remote SSH access to mGuard devices if not required for operations, leaving only local console or serial access for management
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade mGuard firmware to version 8.9.3 or higher (for legacy models: RS2000, RS2005, RS4000, RS4004, DELTA, SMART2, CORE, GT, CENTERPORT) or version 10.4.1 or higher (for newer models: 2102, 2105, 4302, 4305, 4102)
Long-term hardening
- HARDENING: Implement network segmentation to isolate mGuard management interfaces on a separate, access-controlled network from production data flows
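To prioritise the steps above across a fleet, the following added example (not part of the advisory or any Phoenix Contact tooling) checks an asset inventory against the fixed firmware versions the advisory gives for each model family. The CSV layout, host names, the `ssh_open` column and the status labels are assumptions made for illustration.

```python
import csv
import io
import re

# Model families and fixed firmware versions as stated in the advisory.
LEGACY = {"RS2000", "RS2005", "RS4000", "RS4004", "DELTA", "SMART2",
          "CORE", "GT", "CENTERPORT"}
NEWER = {"2102", "2105", "4302", "4305", "4102"}
FIXED = {"legacy": (8, 9, 3), "newer": (10, 4, 1)}

def family(product):
    """Map a product name to its firmware line, or None if unrecognised."""
    tokens = set(re.split(r"[^A-Z0-9]+", product.upper()))
    if tokens & LEGACY:
        return "legacy"
    if tokens & NEWER:
        return "newer"
    return None

def parse_version(text):
    """Parse major.minor.patch as integers; as strings, 8.10.0 sorts below 8.9.3."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None

def assess(product, firmware, ssh_open):
    fam, ver = family(product), parse_version(firmware)
    if fam is None or ver is None:
        return "unknown"  # needs manual review; never assume fixed
    if ver >= FIXED[fam]:
        return "fixed"
    return "vulnerable-exposed" if ssh_open else "vulnerable"

def audit(inventory_csv):
    """Return {host: status} for every row of the inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: assess(r["product"], r["firmware"],
                              r["ssh_open"].strip().lower() == "yes")
            for r in rows}

# Constructed sample inventory: hosts, versions and exposure flags are invented.
SAMPLE = """host,product,firmware,ssh_open
gw-plant-a,FL MGUARD RS4000 TX/TX VPN,8.9.2,yes
gw-plant-b,FL MGUARD RS2000 TX/TX VPN,8.9.3,yes
gw-sub-1,FL MGUARD 4305,10.4.0,no
gw-lab,FL MGUARD RS4004 TX/DTX,8.10.0,no
gw-old,FL MGUARD XYZ,7.1,yes
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:12} {status}")
```

Devices reported as `vulnerable-exposed` are the ones where the SSH access restriction should be applied first, ahead of the scheduled firmware upgrade.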
CVEs (1)