PHOENIX CONTACT: mGuard products missing initialization of resource
VDE-2020-046 (2020-12-17 10:00 UTC+0100)
CVE Identifier
CVE-12523
Affected Vendors
Phoenix Contact, Innominate
Affected Products
| Article no | Article | Affected versions | Fixed version |
| 1010461 | TC MGUARD RS4000 4G VZW VPN | < 8.8.3 | Download |
| 1010463 | TC MGUARD RS4000 4G ATT VPN | < 8.8.3 | Download |
| 2701876 | FL MGUARD RS4004 TX/DTX | < 8.8.3 | Download |
| 2701877 | FL MGUARD RS4004 TX/DTX VPN | < 8.8.3 | Download |
| 2903440 | TC MGUARD RS4000 3G VPN | < 8.8.3 | Download |
| 2903586 | TC MGUARD RS4000 4G VPN | < 8.8.3 | Download |
| | Innominate mGuard rs4000 4TX/TX | < 8.8.3 | Download |
| | Innominate mGuard rs4000 4TX/TX VPN | < 8.8.3 | Download |
| | Innominate mGuard rs4000 4TX/3G/TX VPN | < 8.8.3 | Download |
Vulnerability Type
Missing Initialization of Resource (CWE-909)
Summary
For mGuard devices with an integrated switch on the LAN side, individual switch ports can be disabled through the device configuration. After a reboot, these ports become functional regardless of their configuration setting: Missing Initialization of Resource (CWE-909).
Impact
After a reboot, affected mGuard devices may unexpectedly receive or send data on disabled switch ports. This includes the unexpected provision of administrative interfaces. Attackers may try to access confidential data or compromise the availability of mGuard services by flooding or resource exhaustion.
Solution
Temporary Fix / Mitigation
Instead of deactivating by configuration, network cables should be detached from affected switch ports.
Remediation
PHOENIX CONTACT recommends that all mGuard users upgrade to firmware version 8.8.3.
Reported by
This vulnerability was discovered by SMST Designers & Constructors B.V.