PHOENIX CONTACT: mGuard products missing initialization of resource

LAN ports of Phoenix Contact mGuard products get functional after reboot even if they are disabled in the device configuration

VDE-2020-046 (2020-12-17 11:00 UTC+0200)

CVE Identifier

CVE-12523

Affected Vendors

Phoenix Contact, Innominate

Affected Products

Article no Article Affected versions Fixed version
1010461 TC MGUARD RS4000 4G VZW VPN < 8.8.3 Download
1010463 TC MGUARD RS4000 4G ATT VPN < 8.8.3 Download
2701876 FL MGUARD RS4004 TX/DTX < 8.8.3 Download
2701877 FL MGUARD RS4004 TX/DTX VPN < 8.8.3 Download
2903440 TC MGUARD RS4000 3G VPN < 8.8.3 Download
2903586 TC MGUARD RS4000 4G VPN < 8.8.3 Download
Innominate mGuard rs4000 4TX/TX < 8.8.3 Download
Innominate mGuard rs4000 4TX/TX VPN < 8.8.3 Download
Innominate mGuard rs4000 4TX/3G/TX VPN < < 8.8.3 Download

Summary

For mGuard devices with integrated switch on the LAN side, single switch ports can be disabled by device configuration. After a reboot these ports get functional independent from their configuration setting: Missing Initialization of Resource (CWE-909).

Impact

After a reboot, affected mGuard devices may unexpectedly receive or send data on disabled switch ports. This includes the unexpected provision of administrative interfaces. Attackers may try to access confidential data or compromise the availability of mGuard services by flooding or resource exhaustion.

Solution

Temporary Fix / Mitigation

Instead of deactivating by configuration, network cables should be detached from affected switch
ports.

Remediation

PHOENIX CONTACT recommends all mGuard users to upgrade to the firmware version 8.8.3.

Reported by

This vulnerability was discovered by SMST Designers & Constructors B.V.