PHOENIX CONTACT Multiple Vulnerabilities in FL SWITCH 3xxx, 4xxx and 48xx

This advisory describes multiple vulnerabilities. Please refer to the "Impact" section for details.

VDE-2019-001 (2019-01-23 14:02 UTC+0200)

Affected Vendors

PHOENIX CONTACT

Affected Products

FL SWITCH 3xxx, 4xxx and 48xx

Vulnerability Type

multiple, see below

Summary

Multiple vulnerabilities have been identified in PHOENIX CONTACT FL SWITCH 3xxx, 4xxx and 48xx, versions 1.0 to 1.34.

Impact

Vulnerabilities (sorted by severity)

CVE-ID: CVE-2018-13993
CVSS Score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Vulnerability Type: CWE-352 Cross-site Request Forgery (CSRF)

Description
Additional Cross-site Request Forgery (CSRF) protections are required to be implemented in the Web UI. This attack may trick the web browser into transmitting unwanted commands.

Impact
If the vulnerability is exploited, an attacker could persuade a user to follow a malicious Web UI link. This could allow the attacker to submit arbitrary requests to the affected software via the user’s web browser with the user’s privileges.

 

CVE-ID: CVE-2018-13990
CVSS Score: 8.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L)
Vulnerability Type: CWE-307 Improper Restriction of Excessive Authentication Attempts

Description
The switch needs an extended login time-out feature to prevent high-speed automated guessing of username and password combinations. An attacker may gain access by brute forcing usernames and passwords in this way.

Impact 
If the vulnerability is exploited, the attacker can gain access to the switch by brute forcing Web UI service passwords.

 

CVE-ID: CVE-2018-13992
CVSS Score: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
Vulnerability Type: CWE-319: Cleartext Transmission of Sensitive Information

Description
The default setting of the Web UI (HTTP) allows user credentials to be transmitted unencrypted.

Impact 
If the vulnerability is exploited, the user’s credentials can be read by examining the Web UI login traffic between the switch and the user.

 

CVE-ID: CVE-2018-13994
CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Vulnerability Types:
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
CWE-941: Incorrectly Specified Destination in a Communication Channel

Description
An attacker can initiate a web Denial of Service attack by producing more than 120 Web UI connections.

Impact
If the vulnerability is exploited, the attacker may deny all web access to the switch, including current connections.

 

CVE-ID: CVE-2018-13991
CVSS Score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Vulnerability Type: CWE-922: Insecure Storage of Sensitive Information

Description
An attacker may extract the switch’s default private keys from its firmware image.

Impact
An attacker could perform man-in-the-middle attacks or deploy malicious but trusted web sites.

 

CVE-ID: CVE-2017-3735
CVSS Score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Vulnerability Type: CWE-119: Buffer Errors

Description
The existing switch security library is vulnerable to CVE-2017-3735 DoS.

Impact
When using Web HTTPS settings, the certificate may be read inaccurately, which could also result in the certificate being displayed incorrectly.

 

Solution

Remediation for CWE-319 (CVE-2018-13992):

Customers using Phoenix Contact managed FL SWITCH devices are recommended to enable HTTP security.


Remediation for CWE-352 (CVE-2018-13993), CWE-307 (CVE-2018-13990), CWE-400 (CVE-2018-13994), CWE-922 (CVE-2018-13991), CWE-119 (CVE-2017-3735):

Customers using Phoenix Contact managed FL SWITCH devices with affected firmware versions are recommended to update the firmware to version 1.35 or higher, which fixes these vulnerabilities. The updated firmware may be downloaded from the managed switch product page on the Phoenix Contact website:

Article No.  Model                           Updated Firmware
2891033      FL SWITCH 3004T-FX              http://www.phoenixcontact.com/qr/2891033/firmware_update
2891034      FL SWITCH 3004T-FX ST           http://www.phoenixcontact.com/qr/2891034/firmware_update
2891030      FL SWITCH 3005                  http://www.phoenixcontact.com/qr/2891030/firmware_update
2891032      FL SWITCH 3005T                 http://www.phoenixcontact.com/qr/2891032/firmware_update
2891036      FL SWITCH 3006T-2FX             http://www.phoenixcontact.com/qr/2891036/firmware_update
2891060      FL SWITCH 3006T-2FX SM          http://www.phoenixcontact.com/qr/2891060/firmware_update
2891037      FL SWITCH 3006T-2FX ST          http://www.phoenixcontact.com/qr/2891037/firmware_update
2891031      FL SWITCH 3008                  http://www.phoenixcontact.com/qr/2891031/firmware_update
2891035      FL SWITCH 3008T                 http://www.phoenixcontact.com/qr/2891035/firmware_update
2891120      FL SWITCH 3012E-2FX             http://www.phoenixcontact.com/qr/2891120/firmware_update
2891119      FL SWITCH 3012E-2FX SM          http://www.phoenixcontact.com/qr/2891119/firmware_update
2891067      FL SWITCH 3012E-2SFX            http://www.phoenixcontact.com/qr/2891067/firmware_update
2891058      FL SWITCH 3016                  http://www.phoenixcontact.com/qr/2891058/firmware_update
2891066      FL SWITCH 3016E                 http://www.phoenixcontact.com/qr/2891066/firmware_update
2891059      FL SWITCH 3016T                 http://www.phoenixcontact.com/qr/2891059/firmware_update
1026924      FL SWITCH 4000T-4POE-1SFP       http://www.phoenixcontact.com/qr/1026924/firmware_update
1026923      FL SWITCH 4000T-8POE-2SFP       http://www.phoenixcontact.com/qr/1026923/firmware_update
1026922      FL SWITCH 4004T-8POE-4SFP       http://www.phoenixcontact.com/qr/1026922/firmware_update
2891160      FL SWITCH 4008T-2GT-3FX SM      http://www.phoenixcontact.com/qr/2891160/firmware_update
2891061      FL SWITCH 4008T-2GT-4FX SM      http://www.phoenixcontact.com/qr/2891061/firmware_update
2891062      FL SWITCH 4008T-2SFP            http://www.phoenixcontact.com/qr/2891062/firmware_update
2891063      FL SWITCH 4012T-2GT-2FX         http://www.phoenixcontact.com/qr/2891063/firmware_update
2891161      FL SWITCH 4012T-2GT-2FX ST      http://www.phoenixcontact.com/qr/2891161/firmware_update
2891104      FL SWITCH 4800E-24FX SM-4GC     http://www.phoenixcontact.com/qr/2891104/firmware_update
2891102      FL SWITCH 4800E-24FX-4GC        http://www.phoenixcontact.com/qr/2891102/firmware_update
2891073      FL SWITCH 4808E-16FX LC-4GC     http://www.phoenixcontact.com/qr/2891073/firmware_update
2891074      FL SWITCH 4808E-16FX SM LC-4GC  http://www.phoenixcontact.com/qr/2891074/firmware_update
2891086      FL SWITCH 4808E-16FX SM ST-4GC  http://www.phoenixcontact.com/qr/2891086/firmware_update
2891080      FL SWITCH 4808E-16FX SM-4GC     http://www.phoenixcontact.com/qr/2891080/firmware_update
2891085      FL SWITCH 4808E-16FX ST-4GC     http://www.phoenixcontact.com/qr/2891085/firmware_update
2891079      FL SWITCH 4808E-16FX-4GC        http://www.phoenixcontact.com/qr/2891079/firmware_update
2891072      FL SWITCH 4824E-4GC             http://www.phoenixcontact.com/qr/2891072/firmware_update
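
Added example (not part of the original advisory, and not PHOENIX CONTACT or CERT@VDE code): a triage of a device inventory against the two remediation tracks above, firmware update and HTTP security. The CSV columns, the host names and the rule that firmware versions compare as integer "major.minor" pairs are assumptions; the HTTP check is applied to every device because the advisory lists it as a configuration change.

```python
import csv
import io

AFFECTED_FROM = (1, 0)   # advisory: versions 1.0 to 1.34 are affected
FIXED = (1, 35)          # advisory: update to firmware 1.35 or higher
FIRMWARE_CVES = ["CVE-2018-13993", "CVE-2018-13990", "CVE-2018-13994",
                 "CVE-2018-13991", "CVE-2017-3735"]
CONFIG_CVE = "CVE-2018-13992"   # remediated by enabling HTTP security

# Constructed inventory export; host names and column names are assumptions.
SAMPLE = """host,article_no,firmware,web_ui
sw-press-01,2891030,1.34,http
sw-press-02,2891035,1.35,http
sw-line-07,2891072,1.9,https
sw-line-08,1026924,1.40,https
sw-lab-01,2891062,unknown,http
"""

def parse_version(text):
    """'1.34' -> (1, 34); None if the string is not 'major.minor'.

    Integer pairs are compared (assumption), so 1.9 < 1.34 < 1.35,
    which a float comparison would get wrong.
    """
    parts = text.strip().split(".")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        return None
    return (int(parts[0]), int(parts[1]))

def triage(inventory_csv):
    """Return {host: [required actions]} for each row of the inventory."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        actions = []
        version = parse_version(row["firmware"])
        if version is None:
            actions.append("verify firmware version manually")
        elif AFFECTED_FROM <= version < FIXED:
            actions.append("update firmware to 1.35 or higher: "
                           + ", ".join(FIRMWARE_CVES))
        if row["web_ui"].strip().lower() != "https":
            actions.append("enable HTTP security: " + CONFIG_CVE)
        findings[row["host"]] = actions
    return findings

if __name__ == "__main__":
    for host, actions in triage(SAMPLE).items():
        print(host, "->", actions or ["no action from this advisory"])
```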

 

Reported by

These vulnerabilities have been discovered by Evgeniy Druzhinin, Ilya Karpov and Georgy Zaytsev (Positive Technologies).

PHOENIX CONTACT reported these vulnerabilities to CERT@VDE.