|Article No°||Product Name||Affected Version(s)|
|1153079||FL MGUARD 1102||<= 1.5.2|
|1153078||FL MGUARD 1105||<= 1.5.2|
|2702547||FL MGUARD CENTERPORT||<= 8.8.5|
|2702820||FL MGUARD CENTERPORT VPN-1000||<= 8.8.5|
|2702884||FL MGUARD CORE TX||<= 8.8.5|
|2702831||FL MGUARD CORE TX VPN||<= 8.8.5|
|2700967||FL MGUARD DELTA TX/TX||<= 8.8.5|
|2700968||FL MGUARD DELTA TX/TX VPN||<= 8.8.5|
|2981974||FL MGUARD DM UNLIMITED||<= 22.214.171.124|
|2700197||FL MGUARD GT/GT||<= 8.8.5|
|2700198||FL MGUARD GT/GT VPN||<= 8.8.5|
|2701274||FL MGUARD PCI4000||<= 8.8.5|
|2701275||FL MGUARD PCI4000 VPN||<= 8.8.5|
|1073944||FL MGUARD PCI4000 VPN/K2||<= 8.8.5|
|2701277||FL MGUARD PCIE4000||<= 8.8.5|
|2701278||FL MGUARD PCIE4000 VPN||<= 8.8.5|
|1073940||FL MGUARD PCIE4000 VPN/K2||<= 8.8.5|
|2702139||FL MGUARD RS2000 TX/TX-B||<= 8.8.5|
|2700642||FL MGUARD RS2000 TX/TX VPN||<= 8.8.5|
|2701875||FL MGUARD RS2005 TX VPN||<= 8.8.5|
|2700634||FL MGUARD RS4000 TX/TX||<= 8.8.5|
|2702470||FL MGUARD RS4000 TX/TX-M||<= 8.8.5|
|2702259||FL MGUARD RS4000 TX/TX-P||<= 8.8.5|
|2200515||FL MGUARD RS4000 TX/TX VPN||<= 8.8.5|
|1053403||FL MGUARD RS4000 TX/TX VPN/K1||<= 8.8.5|
|1073943||FL MGUARD RS4000 VPN/K2||<= 8.8.5|
|2701876||FL MGUARD RS4004 TX/DTX||<= 8.8.5|
|2701877||FL MGUARD RS4004 TX/DTX VPN||<= 8.8.5|
|2700640||FL MGUARD SMART2||<= 8.8.5|
|2700639||FL MGUARD SMART2 VPN||<= 8.8.5|
|1053405||FL MGUARD SMART2 VPN/K1||<= 8.8.5|
|2702899||FL WLAN 1010||<= 2.70|
|2702900||FL WLAN 1011||<= 2.70|
|2702534||FL WLAN 1100||<= 2.70|
|2702538||FL WLAN 1101||<= 2.70|
|1119246||FL WLAN 2010||<= 2.70|
|1119248||FL WLAN 2011||<= 2.70|
|2702535||FL WLAN 2100||<= 2.70|
|2702540||FL WLAN 2101||<= 2.70|
|2700718||FL WLAN 5100||<= 3.21|
|2701093||FL WLAN 5101||<= 3.21|
|2701850||FL WLAN 5102||<= 3.21|
|1043193||FL WLAN 5110||<= 3.21|
|1043201||FL WLAN 5111||<= 3.21|
|2903441||TC MGUARD RS2000 3G VPN||<= 8.8.5|
|1010464||TC MGUARD RS2000 4G ATT VPN||<= 8.8.5|
|2903588||TC MGUARD RS2000 4G VPN||<= 8.8.5|
|1010462||TC MGUARD RS2000 4G VZW VPN||<= 8.8.5|
|2903440||TC MGUARD RS4000 3G VPN||<= 8.8.5|
|1010463||TC MGUARD RS4000 4G ATT VPN||<= 8.8.5|
|2903586||TC MGUARD RS4000 4G VPN||<= 8.8.5|
|1010461||TC MGUARD RS4000 4G VZW VPN||<= 8.8.5|
FL MGUARD and TC MGUARD devices are affected by a possible infinite loop within a OpenSSL library method for parsing elliptic curve parameters. This method is used on parsing cryptographic certificates that contain elliptic curve public keys in compressed form, which may occur on:
Attackers could try to exploit the vulnerability from remote.
For the mGuard Device Manager only the mdm Installer for Windows is affected.
UPDATE A: Added FL MGUARD 1102 and FL MGUARD 1105:
On FL MGUARD 1102 and FL MGUARD 1105 with mGuardNT 1.5.2 and older, the device can
be affected through an adapted certificate. This can occur on connection with a remote logging
server, configured for certificate authentication, or an remote authentication server at certificate
The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).
By sending a crafted certificate, attackers may trigger an infinite loop in the receiving service. This may cause the service to become unavailable. Additionally, the availability of other services may be reduced due to high CPU load.
FL MGUARD and TC MGUARD may be vulnerable in the following setups:
FL WLAN may be vulnerable in the following setup:
The services can be vulnerable, even when they are not configured to use elliptic curve cryptography explicitly.
To reduce the possibility of an attack, affected functionality could be deactivated or used only in a way that it is not exposed on untrusted interfaces.
This vulnerability is fixed in firmware version 8.8.6. We strongly recommend all affected FL MGUARD and TC MGUARD users to upgrade to this or a later version.
PHOENIX CONTACT strongly recommends upgrading FL MGUARD DM UNLIMITED to version 126.96.36.199 or higher, which fixes this vulnerability.
For FL WLAN devices the vulnerability will be fixed in the next regular release. A release date is not yet defined.
We kindly appreciate the coordinated disclosure of this vulnerability by the finder.
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.