PHOENIX CONTACT : Security Advisory for FL COMSERVER UNI

A Denial of Service vulnerability was discovered in firmware V2.40 of FL COMSERVER UNI products.

VDE-2021-022 (2021-06-23 14:14 UTC+0200)

CVE Identifier

CVE-2021-21002

Affected Vendors

Phoenix Contact

Affected Products

Product number   Product name                     Firmware version
2313452          FL COMSERVER UNI 232/422/485     < 2.40
2904817          FL COMSERVER UNI 232/422/485-T   < 2.40

Summary

When a communication partner sends an invalid Modbus exception response to the FL COMSERVER UNI as a query, Modbus communication stops and the device remains unresponsive for some minutes before functionality is fully restored (CWE-772).

Impact

An attacker may use this vulnerability to execute a Denial of Service (DoS) attack.
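A defender-side check for the condition described above, added here as an example and not code from PHOENIX CONTACT or this advisory: it parses Modbus/TCP frames and flags an exception response (function code with bit 0x80 set) that travels toward the server port, i.e. a response arriving as a query. The sample frames, port numbers and label strings are constructed for the example.

```python
import struct
from typing import List, Tuple

MODBUS_TCP_PORT = 502  # standard Modbus/TCP server port (assumption: default port in use)


def parse_mbap(frame: bytes) -> dict:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.
    Raises ValueError for frames that are not structurally valid Modbus/TCP."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (0)")
    if length != len(frame) - 6:  # length field covers unit id + PDU
        raise ValueError(f"length field {length} disagrees with frame size")
    return {"tid": tid, "unit": uid, "fc": frame[7], "data": frame[8:]}


def is_exception_response(pdu: dict) -> bool:
    """Modbus exception responses set the high bit of the function code."""
    return bool(pdu["fc"] & 0x80)


def classify(src_port: int, dst_port: int, frame: bytes) -> str:
    """Label one TCP payload. An exception-coded PDU heading toward the
    server port is a response being sent as a query, the advisory's trigger."""
    try:
        pdu = parse_mbap(frame)
    except ValueError as err:
        return f"malformed: {err}"
    to_server = dst_port == MODBUS_TCP_PORT
    if is_exception_response(pdu):
        if to_server:
            code = pdu["data"][0] if pdu["data"] else None
            return f"ALERT exception response sent as query (fc=0x{pdu['fc']:02x}, exc={code})"
        return f"exception response fc=0x{pdu['fc']:02x}"
    return ("request" if to_server else "response") + f" fc=0x{pdu['fc']:02x}"


# Constructed sample traffic: (src_port, dst_port, payload).
SAMPLE: List[Tuple[int, int, bytes]] = [
    (50000, 502, bytes.fromhex("000100000006010300000001")),  # normal FC3 read request
    (502, 50000, bytes.fromhex("000100000005010302000a")),    # normal FC3 response
    (50001, 502, bytes.fromhex("000200000003018302")),        # exception response sent toward the server
]


def scan(records: List[Tuple[int, int, bytes]]) -> List[str]:
    """Return only the ALERT labels for a list of (src_port, dst_port, payload)."""
    labels = (classify(s, d, p) for s, d, p in records)
    return [lab for lab in labels if lab.startswith("ALERT")]


if __name__ == "__main__":
    for rec in SAMPLE:
        print(classify(*rec))
```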

Solution

Remediation

PHOENIX CONTACT recommends that affected users upgrade to the latest firmware version, which is available for download.

Product number   Product name                     Firmware version
2313452          FL COMSERVER UNI 232/422/485     2.41
2904817          FL COMSERVER UNI 232/422/485-T   2.41

Reported by

This vulnerability was found by Petri Tuomio and reported to PHOENIX CONTACT by Waertsilae PSIRT.
We appreciate the coordinated disclosure of this vulnerability by the finder.
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.