PHOENIX CONTACT Multiple Vulnerabilities in FL SWITCH 3xxx, 4xxx and 48xx

VDE-2019-001 (2019-01-23 14:02 UTC+0200)

PHOENIX CONTACT

FL SWITCH 3xxx, 4xxx and 48xx

Multiple vulnerabilities for FL SWITCH have been identified in PHOENIX CONTACT FL SWITCH 3xxx, 4xxx, 48xx version 1.0 to 1.34. 

Vulnerabilities (sorted by severity)

CVE-ID: CVE-2018-13993
CVSS Score: 8.8 (CVSS:3.0:AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Vulnerability Type: CWE-352 Cross-site Request Forgery (CSRF)

Description
Additional Cross-site Request Forgery (CSRF) protections are required to be implemented in the Web UI. This attack tricks may trick the web browser into transmitting unwanted commands.

Impact
If vulnerability is exploited, an attacker could persuade a user to follow a malicious Web UI link. This could allow the attacker to submit arbitrary requests to the affected software via the user’s web browser with the user’s privileges.

CVE-ID: CVE-2018-13990
CVSS Score: 8.6 (CVSS:3.0:AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L)
Vulnerability Type: CWE-307 Improper Restriction of Excessive Authentication Attempts

Description
The switch needs an extended login time-out feature to prevent high-speed automated username and password combination guessing. An attacker may gain access by such a brute forcing of usernames and passwords.

Impact 
If vulnerability is exploited, the attacker can gain access to the switch by brute forcing Web UI service passwords.

CVE-ID: CVE-2018-13992
CVSS Score: 8.2 (CVSS:3.0:AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) 
Vulnerability Type: CWE-319: Cleartext Transmission of Sensitive Information

Description
The default setting of the Web UI (HTTP) allows user credentials to be transmitted unencrypted.

Impact 
If vulnerability is exploited, the user’s credentials can be read by examining the Web UI login traffic between the switch and the user.

CVE-ID: CVE-2018-13994
CVSS Score: 7.5 (CVSS:3.0:AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Vulnerability Types: CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
                                     CWE-941: Incorrectly Specified Destination in a Communication Channel

Description
An attacker can initiate a web Denial of Service attack by producing more than 120 Web UI connections.

Impact
If vulnerability is exploited, the attacker may deny all web access to the switch, including current connections.

CVE-ID: CVE-2018-13991
CVSS Score: 5.3 (CVSS:3.0:AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Vulnerability Types: CWE-922: Insecure Storage of Sensitive Information

Description
An attacker may extract the switch’s default private keys from its firmware image.

Impact
An attacker could perform man-in-the-middle attacks or deploy malicious but trusted web sites.

CVE-ID: CVE-2017-3735
CVSS Score: 5.3 (CVSS:3.0:AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Vulnerability Types: CWE-119: Buffer Errors

Description
The existing switch security library is vulnerable to CVE-2017-3735 DoS.

Impact
When using Web HTTPS settings, it is possible to do an inaccurate read of the certificate, which could also result in an incorrect display of the certificate.