PHOENIX CONTACT Multiple Vulnerabilities in FL SWITCH 3xxx, 4xxx and 48xx
VDE-2019-001 (2019-01-23 13:02 UTC+0100)
CVE Identifier
CVE-2018-13993, CVE-2018-13990, CVE-2018-13992, CVE-2018-13994, CVE-2018-13991, CVE-2017-3735
Affected Vendors
PHOENIX CONTACT
Affected Products
FL SWITCH 3xxx, 4xxx and 48xx
Vulnerability Type
multiple, see below
Summary
Multiple vulnerabilities for FL SWITCH have been identified in PHOENIX CONTACT FL SWITCH 3xxx, 4xxx, 48xx version 1.0 to 1.34.
Impact
Vulnerabilities (sorted by severity)
CVE-ID: CVE-2018-13993
CVSS Score: 8.8 (CVSS:3.0:AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Vulnerability Type: CWE-352 Cross-site Request Forgery (CSRF)
Description
Additional Cross-site Request Forgery (CSRF) protections are required to be implemented in the Web UI. This attack may trick the web browser into transmitting unwanted commands.
Impact
If the vulnerability is exploited, an attacker could persuade a user to follow a malicious Web UI link. This could allow the attacker to submit arbitrary requests to the affected software via the user’s web browser with the user’s privileges.
CVE-ID: CVE-2018-13990
CVSS Score: 8.6 (CVSS:3.0:AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L)
Vulnerability Type: CWE-307 Improper Restriction of Excessive Authentication Attempts
Description
The switch needs an extended login time-out feature to prevent high-speed automated guessing of username and password combinations. An attacker may gain access by brute forcing usernames and passwords in this way.
Impact
If the vulnerability is exploited, the attacker can gain access to the switch by brute forcing Web UI service passwords.
CVE-ID: CVE-2018-13992
CVSS Score: 8.2 (CVSS:3.0:AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
Vulnerability Type: CWE-319: Cleartext Transmission of Sensitive Information
Description
The default setting of the Web UI (HTTP) allows user credentials to be transmitted unencrypted.
Impact
If the vulnerability is exploited, the user’s credentials can be read by examining the Web UI login traffic between the switch and the user.
CVE-ID: CVE-2018-13994
CVSS Score: 7.5 (CVSS:3.0:AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Vulnerability Types: CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
CWE-941: Incorrectly Specified Destination in a Communication Channel
Description
An attacker can initiate a web Denial of Service attack by producing more than 120 Web UI connections.
Impact
If the vulnerability is exploited, the attacker may deny all web access to the switch, including current connections.
CVE-ID: CVE-2018-13991
CVSS Score: 5.3 (CVSS:3.0:AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Vulnerability Types: CWE-922: Insecure Storage of Sensitive Information
Description
An attacker may extract the switch’s default private keys from its firmware image.
Impact
An attacker could perform man-in-the-middle attacks or deploy malicious but trusted web sites.
CVE-ID: CVE-2017-3735
CVSS Score: 5.3 (CVSS:3.0:AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Vulnerability Types: CWE-119: Buffer Errors
Description
The existing switch security library is vulnerable to CVE-2017-3735 DoS.
Impact
When using Web HTTPS settings, it is possible to do an inaccurate read of the certificate, which could also result in an incorrect display of the certificate.
Solution
Remediation for CWE-319 (CVE-2018-13992):
Customers using Phoenix Contact managed FL SWITCH devices are recommended to enable HTTP security.
Remediation for CWE-352 (CVE-2018-13993), CWE-307 (CVE-2018-13990), CWE-400 (CVE-2018-13994), CWE-922 (CVE-2018-13991), CWE-119 (CVE-2017-3735):
Customers using Phoenix Contact managed FL SWITCH devices with affected firmware versions are recommended to update the firmware to version 1.35 or higher, which fixes these vulnerabilities. The updated firmware may be downloaded from the managed switch product page on the Phoenix Contact website:
Article No. | Model | Updated Firmware
2891033 | FL SWITCH 3004T-FX |
2891034 | FL SWITCH 3004T-FX ST |
2891030 | FL SWITCH 3005 |
2891032 | FL SWITCH 3005T |
2891036 | FL SWITCH 3006T-2FX |
2891060 | FL SWITCH 3006T-2FX SM |
2891037 | FL SWITCH 3006T-2FX ST |
2891031 | FL SWITCH 3008 |
2891035 | FL SWITCH 3008T |
2891120 | FL SWITCH 3012E-2FX |
2891119 | FL SWITCH 3012E-2FX SM |
2891067 | FL SWITCH 3012E-2SFX |
2891058 | FL SWITCH 3016 |
2891066 | FL SWITCH 3016E |
2891059 | FL SWITCH 3016T |
1026924 | FL SWITCH 4000T-4POE-1SFP |
1026923 | FL SWITCH 4000T-8POE-2SFP |
1026922 | FL SWITCH 4004T-8POE-4SFP |
2891160 | FL SWITCH 4008T-2GT-3FX SM |
2891061 | FL SWITCH 4008T-2GT-4FX SM |
2891062 | FL SWITCH 4008T-2SFP |
2891063 | FL SWITCH 4012T-2GT-2FX |
2891161 | FL SWITCH 4012T-2GT-2FX ST |
2891104 | FL SWITCH 4800E-24FX SM-4GC |
2891102 | FL SWITCH 4800E-24FX-4GC |
2891073 | FL SWITCH 4808E-16FX LC-4GC |
2891074 | FL SWITCH 4808E-16FX SM LC-4GC |
2891086 | FL SWITCH 4808E-16FX SM ST-4GC |
2891080 | FL SWITCH 4808E-16FX SM-4GC |
2891085 | FL SWITCH 4808E-16FX ST-4GC |
2891079 | FL SWITCH 4808E-16FX-4GC |
2891072 | FL SWITCH 4824E-4GC |
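Added example (not part of the original advisory and not Phoenix Contact code): a triage of an asset inventory against the two remediation paths above, the firmware update to 1.35 and the HTTP security setting. The inventory records, their field names and the "web_ui" values are constructed assumptions, as is the dotted-integer firmware version format.

```python
import re

# Values taken from the advisory: affected 1.0 to 1.34, fixed in 1.35.
FIRST_AFFECTED, FIXED = (1, 0), (1, 35)
FIRMWARE_CVES = ("CVE-2018-13993", "CVE-2018-13990", "CVE-2018-13994",
                 "CVE-2018-13991", "CVE-2017-3735")
# FL SWITCH 3xxx / 4xxx / 48xx: four-digit model number starting with 3 or 4.
MODEL_RE = re.compile(r"^FL SWITCH [34]\d{3}(?!\d)")

# Constructed sample records; hosts and field names are assumptions.
INVENTORY = [
    {"host": "sw-01", "model": "FL SWITCH 3008T", "firmware": "1.34", "web_ui": "http"},
    {"host": "sw-02", "model": "FL SWITCH 4824E-4GC", "firmware": "1.35", "web_ui": "https"},
    {"host": "sw-03", "model": "FL SWITCH 4008T-2SFP", "firmware": "1.4", "web_ui": "https"},
    {"host": "sw-04", "model": "OTHER SWITCH 1000", "firmware": "1.20", "web_ui": "http"},
]

def parse_version(text):
    """Turn '1.34' into (1, 34); numeric parts make 1.4 sort before 1.34."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (2 - len(nums))   # pad '1' to (1, 0)

def triage(device):
    """Return the advisory actions that apply to one inventory record."""
    if not MODEL_RE.match(device["model"]):
        return []                           # model family not in scope
    actions = []
    if FIRST_AFFECTED <= parse_version(device["firmware"]) < FIXED:
        actions.append("update firmware to 1.35 or higher ("
                       + ", ".join(FIRMWARE_CVES) + ")")
    # Checked independently of the firmware version, because the advisory's
    # remediation for this CVE is a setting, not the update (an assumption).
    if device["web_ui"].lower() == "http":
        actions.append("enable HTTP security (CVE-2018-13992)")
    return actions

def report(inventory):
    """Map host -> actions, omitting devices with nothing to do."""
    found = {d["host"]: triage(d) for d in inventory}
    return {host: acts for host, acts in found.items() if acts}

if __name__ == "__main__":
    for host, acts in report(INVENTORY).items():
        for act in acts:
            print(f"{host}: {act}")
```

Comparing versions as strings or floats would rank 1.4 above 1.34 and miss sw-03, which is why the version is split into integers first.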
Reported by
These vulnerabilities have been discovered by Evgeniy Druzhinin, Ilya Karpov and Georgy Zaytsev (Positive Technologies).
PHOENIX CONTACT reported these vulnerabilities to CERT@VDE.