Phoenix Contact: Multiple mGuard devices are vulnerable to a drain of open file descriptors.

Monitor | CVSS 5.3 | VDE-2024-052 | Sep 10, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The pathfinder TCP encapsulation service in Phoenix Contact mGuard industrial secure gateway devices is vulnerable to a file descriptor exhaustion denial of service. An attacker can repeatedly establish connections to the service port, consuming file descriptors without proper cleanup. Once exhausted, the device cannot accept new legitimate connections, disrupting secure communications and network access control functions. The vulnerability affects mGuard RS, TC, and modern 2000/4000 series devices running firmware versions prior to 8.9.3 (RS/TC models) or 10.4.1 (2000/4000 series).

What this means
What could happen
An attacker can exhaust file descriptors on mGuard devices by repeatedly connecting to the pathfinder TCP encapsulation service, eventually causing the device to stop accepting new connections and potentially disrupting secure communications and network access control.
Who's at risk
Water utilities, electric utilities, and manufacturing facilities using Phoenix Contact mGuard industrial secure gateways for VPN encryption and industrial network protection. Affects operators of mGuard RS2000, RS2005, RS4000, RS4004, DELTA, SMART2, CORE, GT, CENTERPORT, and newer 2102/2105/4302/4305 series models.
How it could be exploited
An attacker on the network can send repeated connections to the pathfinder TCP encapsulation service listening port on an mGuard device. Each connection consumes a file descriptor without being properly released. Once all available file descriptors are exhausted, the device becomes unable to accept legitimate new connections.
Prerequisites
  • Network access to the pathfinder TCP encapsulation service port on the mGuard device
  • No authentication required
remotely exploitable, no authentication required, low complexity, affects network availability
Affected products (37)
37 with fix
Product | Affected Versions | Fix Status
FL MGUARD RS2000 TX/TX VPN | <8.9.3 | 8.9.3
FL MGUARD RS2005 TX VPN | <8.9.3 | 8.9.3
TC MGUARD RS2000 3G VPN | <8.9.3 | 8.9.3
FL MGUARD RS4000 TX/TX | <8.9.3 | 8.9.3
FL MGUARD RS4000 TX/TX VPN | <8.9.3 | 8.9.3
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the pathfinder TCP encapsulation service port on mGuard devices to only trusted networks and peers using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

FL MGUARD 2102
HOTFIX: Upgrade all mGuard 2000/4000 series devices (FL MGUARD 2102, 2105, 4302, 4305, 4102 PCI/PCIE) to firmware version 10.4.1 or higher
All products
HOTFIX: Upgrade all mGuard RS/TC series devices (FL MGUARD RS2000, RS2005, RS4000, RS4004, etc.) to firmware version 8.9.3 or higher
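
One way to check a device inventory against the two fixed firmware versions above. This is an added example, not part of the original advisory or any Phoenix Contact tooling. The hostnames and inventory rows are constructed, and the model-name matching is an assumption; models whose fixed release the advisory does not name explicitly (for example DELTA) are marked for manual review.

```python
import re

# Fixed firmware per product line, as stated in the advisory.
FIX_8X = (8, 9, 3)     # RS/TC series
FIX_10X = (10, 4, 1)   # 2000/4000 series (2102, 2105, 4302, 4305, 4102 PCI/PCIE)
# Assumption: product lines are recognised from the model name alone.
NEW_SERIES = re.compile(r"\b(2102|2105|4302|4305|4102)\b")
OLD_SERIES = re.compile(r"\bRS\d{4}\b|^TC MGUARD\b")


def parse_version(text):
    """Turn '8.9.2' into a comparable tuple; any suffix is ignored. None if unparseable."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return tuple(int(p or 0) for p in m.groups())


def fixed_version_for(model):
    """Return the fixed firmware for a model name, or None if the line is unclear."""
    name = model.upper()
    if NEW_SERIES.search(name):
        return FIX_10X
    if OLD_SERIES.search(name):
        return FIX_8X
    return None


def assess(model, firmware):
    """Classify one device as 'vulnerable', 'fixed' or 'review'."""
    fix, have = fixed_version_for(model), parse_version(firmware)
    if fix is None or have is None:
        return "review"   # unknown product line or unreadable version: check by hand
    return "vulnerable" if have < fix else "fixed"


# Constructed sample inventory (hostname, model, firmware); not real devices.
INVENTORY = [
    ("gw-pump-01", "FL MGUARD RS4000 TX/TX VPN", "8.9.2"),
    ("gw-pump-02", "TC MGUARD RS2000 3G VPN", "8.9.3"),
    ("gw-line-07", "FL MGUARD 4302", "10.3.1"),
    ("gw-line-08", "FL MGUARD 2105", "10.4.1"),
    ("gw-lab-01", "FL MGUARD DELTA", "8.8.1"),
    ("gw-lab-02", "FL MGUARD RS2005 TX VPN", "unknown"),
]

if __name__ == "__main__":
    for host, model, fw in INVENTORY:
        print(f"{host:12} {model:28} {fw:8} {assess(model, fw)}")
```

Devices reported as "review" should be checked against the vendor advisory by hand rather than assumed safe.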
Long-term hardening
HARDENING: Implement network segmentation to isolate mGuard devices from untrusted network segments
Phoenix Contact: Multiple mGuard devices are vulnerable to a drain of open file descriptors. | CVSS 5.3 - OTPulse