PHOENIX CONTACT: mGuard products missing initialization of resource

LAN ports of Phoenix Contact mGuard products get functional after reboot even if they are disabled in the device configuration

VDE-2020-046 (2020-12-17 11:00 UTC+0200)

CVE Identifier

CVE-12523

Severity

5.4 (CVSS:3.0:AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L)

Affected Vendors

Phoenix Contact, Innominate

Affected Products

Article no	Article	Affected versions	Fixed version
1010461	TC MGUARD RS4000 4G VZW VPN	< 8.8.3	Download
1010463	TC MGUARD RS4000 4G ATT VPN	< 8.8.3	Download
2701876	FL MGUARD RS4004 TX/DTX	< 8.8.3	Download
2701877	FL MGUARD RS4004 TX/DTX VPN	< 8.8.3	Download
2903440	TC MGUARD RS4000 3G VPN	< 8.8.3	Download
2903586	TC MGUARD RS4000 4G VPN	< 8.8.3	Download
	Innominate mGuard rs4000 4TX/TX	< 8.8.3	Download
	Innominate mGuard rs4000 4TX/TX VPN	< 8.8.3	Download
	Innominate mGuard rs4000 4TX/3G/TX VPN <	< 8.8.3	Download

Vulnerability Type

Missing Initialization of Resource (CWE - 909)

Summary

For mGuard devices with integrated switch on the LAN side, single switch ports can be disabled by device configuration. After a reboot these ports get functional independent from their configuration setting: Missing Initialization of Resource (CWE-909).

Impact

After a reboot, affected mGuard devices may unexpectedly receive or send data on disabled switch ports. This includes the unexpected provision of administrative interfaces. Attackers may try to access confidential data or compromise the availability of mGuard services by flooding or resource exhaustion.

Solution

Temporary Fix / Mitigation

Instead of deactivating by configuration, network cables should be detached from affected switch
ports.

Remediation

PHOENIX CONTACT recommends all mGuard users to upgrade to the firmware version 8.8.3.

Reported by

This vulnerability was discovered by SMST Designers & Constructors B.V.