Share: Email | Twitter

ID

VDE-2020-018

Published

2020-06-02 10:42 (CEST)

Last update

2020-06-02 10:42 (CEST)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
2702547 FL MGUARD CENTERPORT < 8.8.2
2702831 FL MGUARD CORE TX VPN < 8.8.2
2700967 FL MGUARD DELTA TX/TX < 8.8.2
2700968 FL MGUARD DELTA TX/TX VPN < 8.8.2
2700197 FL MGUARD GT/GT < 8.8.2
2700198 FL MGUARD GT/GT VPN < 8.8.2
2701275 FL MGUARD PCI4000 VPN < 8.8.2
1073944 FL MGUARD PCI4000 VPN/K2 < 8.8.2
2701278 FL MGUARD PCIE4000 VPN < 8.8.2
1073940 FL MGUARD PCIE4000 VPN/K2 < 8.8.2
2702139 FL MGUARD RS2000 TX/TX-B < 8.8.2
2700642 FL MGUARD RS2000 TX/TX VPN < 8.8.2
2701875 FL MGUARD RS2005 TX VPN < 8.8.2
2700634 FL MGUARD RS4000 TX/TX < 8.8.2
2702259 FL MGUARD RS4000 TX/TX-P < 8.8.2
2200515 FL MGUARD RS4000 TX/TX VPN < 8.8.2
1053403 FL MGUARD RS4000 TX/TX VPN/K1 < 8.8.2
2702465 FL MGUARD RS4000 TX/TX VPN-M < 8.8.2
1073943 FL MGUARD RS4000 VPN/K2 < 8.8.2
2701876 FL MGUARD RS4004 TX/DTX < 8.8.2
2701877 FL MGUARD RS4004 TX/DTX VPN < 8.8.2
2700640 FL MGUARD SMART2 < 8.8.2
2700639 FL MGUARD SMART2 VPN < 8.8.2
1053405 FL MGUARD SMART2 VPN/K1 < 8.8.2
2702886 TC CLOUD CLIENT 1002-4G < 2.03.19
2702888 TC CLOUD CLIENT 1002-4G ATT < 2.03.19
2702887 TC CLOUD CLIENT 1002-4G VZW < 2.03.19
2903441 TC MGUARD RS2000 3G VPN < 8.8.2
1010464 TC MGUARD RS2000 4G ATT VPN < 8.8.2
2903588 TC MGUARD RS2000 4G VPN < 8.8.2
1010462 TC MGUARD RS2000 4G VZW VPN < 8.8.2
2903440 TC MGUARD RS4000 3G VPN < 8.8.2
1010463 TC MGUARD RS4000 4G ATT VPN < 8.8.2
2903586 TC MGUARD RS4000 4G VPN < 8.8.2
1010461 TC MGUARD RS4000 4G VZW VPN < 8.8.2
2702529 TC ROUTER 2002T-3G < 2.05.5
2702531 TC ROUTER 2002T-3G < 2.05.5
2702528 TC ROUTER 3002T-4G < 2.05.5
2702530 TC ROUTER 3002T-4G < 2.05.5
2702533 TC ROUTER 3002T-4G ATT < 2.05.5
2702532 TC ROUTER 3002T-4G VZW < 2.05.5

Summary

FL MGUARD, TC MGUARD, TC ROUTER and TC CLOUD CLIENT devices are affected by a buffer overflow vulnerability within the PPP service.

The PPP service is not active by default, but is used commonly at TC ROUTER, TC CLOUD CLIENT.
It is also running in the following FL MGUARD and TC MGUARD configurations:

• Mobile data connection
• Router mode “Modem”
• Router mode “PPPoE”
• L2TP over IPsec

Malicious PPP peers could try to exploit the vulnerability from remote.


Weakness

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')  (CWE-120) 

Summary

eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.


Impact

Attackers may either crash the PPP service or execute code with system permissions.

Solution

PHOENIX CONTACT strongly recommends updating the devices to the latest firmware if the devices are used in configurations where PPPD is activated.

Article no
Article
Affected versions
Current version
2200515 FL MGUARD RS4000 TX/TX VPN < 8.8.2 download
2700197 FL MGUARD GT/GT < 8.8.2 download
2700198 FL MGUARD GT/GT VPN < 8.8.2 download
2700634 FL MGUARD RS4000 TX/TX < 8.8.2 download
2700639 FL MGUARD SMART2 VPN < 8.8.2 download
2700640 FL MGUARD SMART2 < 8.8.2 download
2700642 FL MGUARD RS2000 TX/TX VPN < 8.8.2 download
2700967 FL MGUARD DELTA TX/TX < 8.8.2 download
2700968 FL MGUARD DELTA TX/TX VPN < 8.8.2 download
2701275 FL MGUARD PCI4000 VPN < 8.8.2 download
2701278 FL MGUARD PCIE4000 VPN < 8.8.2 download
2701875 FL MGUARD RS2005 TX VPN < 8.8.2 download
2701876 FL MGUARD RS4004 TX/DTX < 8.8.2 download
2701877 FL MGUARD RS4004 TX/DTX VPN < 8.8.2 download
2702259 FL MGUARD RS4000 TX/TX-P < 8.8.2 download
2702465 FL MGUARD RS4000 TX/TX VPN-M < 8.8.2 download
2702547 FL MGUARD CENTERPORT < 8.8.2 download
2702831 FL MGUARD CORE TX VPN < 8.8.2 download
2702139 FL MGUARD RS2000 TX/TX-B < 8.8.2 download
1053405 FL MGUARD SMART2 VPN/K1 < 8.8.2 download
1053403 FL MGUARD RS4000 TX/TX VPN/K1 < 8.8.2 download
1073940 FL MGUARD PCIE4000 VPN/K2 < 8.8.2 download
1073943 FL MGUARD RS4000 VPN/K2 < 8.8.2 download
1073944 FL MGUARD PCI4000 VPN/K2 < 8.8.2 download
2903441 TC MGUARD RS2000 3G VPN < 8.8.2 download
2903588 TC MGUARD RS2000 4G VPN < 8.8.2 download
1010462 TC MGUARD RS2000 4G VZW VPN < 8.8.2 download
1010464 TC MGUARD RS2000 4G ATT VPN < 8.8.2 download
2903440 TC MGUARD RS4000 3G VPN < 8.8.2 download
2903586 TC MGUARD RS4000 4G VPN < 8.8.2 download
1010461 TC MGUARD RS4000 4G VZW VPN < 8.8.2 download
1010463 TC MGUARD RS4000 4G ATT VPN < 8.8.2 download
2702528 TC ROUTER 3002T-4G < 2.05.5 download
2702530 TC ROUTER 3002T-4G < 2.05.5 download
2702529 TC ROUTER 2002T-3G < 2.05.5 download
2702531 TC ROUTER 2002T-3G < 2.05.5 download
2702532 TC ROUTER 3002T-4G VZW < 2.05.5 download
2702533 TC ROUTER 3002T-4G ATT < 2.05.5 download
2702886 TC CLOUD CLIENT 1002-4G < 2.03.19 download
2702887 TC CLOUD CLIENT 1002-4G VZW < 2.03.19 download
2702888 TC CLOUD CLIENT 1002-4G ATT < 2.03.19 download

And all Innominate derivates of FL MGUARD products. 

Reported by

PHOENIX CONTACT reported this vulnerability to CERT@VDE