Phoenix Contact: Multiple mGuard devices are vulnerable to a drain of open file descriptors.

Monitor | CVSS 5.3 | VDE-2024-052 | Sep 10, 2024
Phoenix Contact
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The pathfinder TCP encapsulation service in Phoenix Contact mGuard devices is vulnerable to a file descriptor exhaustion condition. An attacker can cause the device to deplete available file descriptors through crafted requests, rendering the security appliance unresponsive. This affects mGuard RS-series (RS2000, RS2005, RS4000, RS4004), 2xxx/4xxx series (2102, 2105, 4302, 4305, 4102), TC cellular models, and specialty series (SMART2, DELTA, CORE, GT, CENTERPORT) running firmware versions below 8.9.3 (RS-series and specialty) or 10.4.1 (2xxx/4xxx series).

What this means
What could happen
An attacker could send specially crafted requests to the pathfinder TCP service on mGuard devices, causing the device to exhaust available file descriptors and become unresponsive, disrupting network security functions and potentially affecting communication between your control network segments.
Who's at risk
This affects operators of Phoenix Contact mGuard industrial security appliances used to protect communication between SCADA networks, RTU systems, and remote sites. Affected models include RS-series, 2xxx/4xxx series, and specialty variants (SMART2, DELTA, CORE, GT, CENTERPORT). These devices typically sit at network boundaries between corporate and industrial control networks.
How it could be exploited
An attacker with network access to the pathfinder TCP encapsulation service port on an mGuard device (typically port 502 or similar, depending on configuration) sends repeated malformed or resource-consuming requests. The device fails to properly close file descriptors, eventually running out of available descriptors and becoming unable to process legitimate traffic or maintain connections.
Prerequisites
  • Network access to the pathfinder TCP encapsulation service port on the mGuard device
  • No authentication required
Tags: remotely exploitable, no authentication required, low complexity, denial of service impact on network security appliance
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (37)
37 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| FL MGUARD RS2000 TX/TX VPN | <8.9.3 | 8.9.3 |
| FL MGUARD RS2005 TX VPN | <8.9.3 | 8.9.3 |
| TC MGUARD RS2000 3G VPN | <8.9.3 | 8.9.3 |
| FL MGUARD RS4000 TX/TX | <8.9.3 | 8.9.3 |
| FL MGUARD RS4000 TX/TX VPN | <8.9.3 | 8.9.3 |
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the pathfinder TCP encapsulation service port to only trusted peer networks and management systems using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update mGuard RS-series devices (RS2000, RS2005, RS4000, RS4004) to firmware version 8.9.3 or later
HOTFIX: Update mGuard 2xxx and 4xxx series devices to firmware version 10.4.1 or later
HOTFIX: Update mGuard SMART2, DELTA, CORE, GT, and CENTERPORT series to firmware version 8.9.3 or later
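To apply the update steps above across an asset list, the following added example (not part of the advisory and not Phoenix Contact code) maps each device to its fixed firmware version and flags anything older. The inventory format, the family labels, the hostnames and the handling of a non-numeric version suffix such as `.default` are assumptions made for illustration.

```python
import re

# Fixed firmware per family, from the advisory text (family labels are hypothetical).
FIXED = {"rs_specialty": (8, 9, 3), "2xxx_4xxx": (10, 4, 1)}
RS_SPECIALTY = re.compile(r"\b(RS(2000|2005|4000|4004)|SMART2|DELTA|CORE|GT|CENTERPORT)\b")
NEW_SERIES = re.compile(r"\b(2102|2105|4302|4305|4102)\b")

def family(model):
    """Map a product name to its advisory family, or None if it is not listed."""
    name = model.upper()
    if "MGUARD" not in name:
        return None
    if RS_SPECIALTY.search(name):
        return "rs_specialty"
    return "2xxx_4xxx" if NEW_SERIES.search(name) else None

def parse_version(text):
    """Leading dotted-numeric part as an int tuple: '8.9.2.default' -> (8, 9, 2)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad '10.4' to (10, 4, 0)

def status(model, version):
    """Return 'ok', 'update to X', 'not listed' or 'review' for one device."""
    fam = family(model)
    if fam is None:
        return "not listed"
    try:
        installed = parse_version(version)
    except ValueError:
        return "review"  # version string could not be parsed; check by hand
    fixed = FIXED[fam]
    # Tuples compare numerically, so 8.10.0 sorts after 8.9.3 (strings would not).
    return "ok" if installed >= fixed else "update to " + ".".join(map(str, fixed))

def triage(inventory):
    return [(host, status(model, version)) for host, model, version in inventory]

# Constructed sample inventory: hostnames and installed versions are made up.
SAMPLE = [
    ("fw-line1", "FL MGUARD RS4000 TX/TX VPN", "8.9.2.default"),
    ("fw-line2", "FL MGUARD 4302", "10.3.0"),
    ("fw-remote", "TC MGUARD RS2000 3G VPN", "8.9.3"),
]
if __name__ == "__main__":
    for host, result in triage(SAMPLE):
        print(f"{host}: {result}")
```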
API: /api/v1/advisories/44800eee-7755-4f83-8481-8640a38c6aba
