Share: Email | Twitter

ID

VDE-2018-001

Published

2018-01-30 10:00 (CET)

Last update

2018-01-30 10:00 (CET)

Vendor(s)

Innominate Security Technologies
PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
2702547 FL MGUARD CENTERPORT 7.2 <= 8.6.0
2702831 FL MGUARD CORE TX VPN 7.2 <= 8.6.0
2700967 FL MGUARD DELTA TX/TX 7.2 <= 8.6.0
2700968 FL MGUARD DELTA TX/TX VPN 7.2 <= 8.6.0
2700197 FL MGUARD GT/GT 7.2 <= 8.6.0
2700198 FL MGUARD GT/GT VPN 7.2 <= 8.6.0
2701275 FL MGUARD PCI4000 VPN 7.2 <= 8.6.0
2701278 FL MGUARD PCIE4000 VPN 7.2 <= 8.6.0
2903441 FL MGUARD RS2000 3G VPN 7.2 <= 8.6.0
2903588 FL MGUARD RS2000 4G VPN 7.2 <= 8.6.0
2702139 FL MGUARD RS2000 TX/TX-B 7.2 <= 8.6.0
2700642 FL MGUARD RS2000 TX/TX VPN 7.2 <= 8.6.0
2701875 FL MGUARD RS2005 TX VPN 7.2 <= 8.6.0
2903440 FL MGUARD RS4000 3G VPN 7.2 <= 8.6.0
2903586 FL MGUARD RS4000 4G VPN 7.2 <= 8.6.0
2700634 FL MGUARD RS4000 TX/TX 7.2 <= 8.6.0
2702259 FL MGUARD RS4000 TX/TX-P 7.2 <= 8.6.0
2200515 FL MGUARD RS4000 TX/TX VPN 7.2 <= 8.6.0
2702465 FL MGUARD RS4000 TX/TX VPN-M 7.2 <= 8.6.0
2701876 FL MGUARD RS4004 TX/DTX 7.2 <= 8.6.0
2701877 FL MGUARD RS4004 TX/DTX VPN 7.2 <= 8.6.0
2700640 FL MGUARD SMART2 7.2 <= 8.6.0
2700639 FL MGUARD SMART2 VPN 7.2 <= 8.6.0

Summary

The integrity of the mGuard firmware atomic update process cannot be guaranteed under all circumstances.

The mGuard atomic update mechanism relies on internal checksums for the integrity verification of some portions of the update packages. The verification of these internal checksums may not always be performed correctly.


Last Update:

Sept. 22, 2019, 10:17 a.m.

Weakness

Improper Input Validation  (CWE-20) 

Summary

An Improper Validation of Integrity Check Value issue was discovered in PHOENIX CONTACT mGuard firmware versions 7.2 to 8.6.0. mGuard devices rely on internal checksums for verification of the internal integrity of the update packages. Verification may not always be performed correctly, allowing an attacker to modify firmware update packages.

Impact

The mGuard only allows the installation of firmware updates digitally signed by Phoenix Contact (Innominate). The atomic update mechanism that was introduced with mGuard 7.2.0 to support the current generation of devices relies on internal checksums for the verification of the internal integrity of some portions of the update packages. As the verification may not always be performed correctly, an attacker might modify firmware update packages.

This vulnerability is present in all mGuard releases since 7.2.0 on the listed devices but does not affect the current mGuard 8.6.1 release.

Firmware images used to completely flash the device are not affected by this vulnerability.

Solution

We strongly advise all mGuard users to upgrade to the firmware version 8.6.1.

Also affected are discontinued mGuard products from PHOENIX CONTACT and Innominate AG running firmware version 7.2.0 or above.

Article N° Model Download Link
2702547 FL MGUARD CENTERPORT download
2700967 FL MGUARD DELTA TX/TX download
2700968 FL MGUARD DELTA TX/TX VPN download
2700197 FL MGUARD GT/GT download
2700198 FL MGUARD GT/GT VPN download
2701275 FL MGUARD PCI4000 VPN download
2701278 FL MGUARD PCIE4000 VPN download
2700642 FL MGUARD RS2000 TX/TX VPN download
2702139 FL MGUARD RS2000 TX/TX-B download
2701875 FL MGUARD RS2005 TX VPN download
2700634 FL MGUARD RS4000 TX/TX download
2200515 FL MGUARD RS4000 TX/TX VPN download
2702465 FL MGUARD RS4000 TX/TX VPN-M download
2702259 FL MGUARD RS4000 TX/TX-P download
2701876 FL MGUARD RS4004 TX/DTX download
2701877 FL MGUARD RS4004 TX/DTX VPN download
2700640 FL MGUARD SMART2 download
2700639 FL MGUARD SMART2 VPN download
2903441 TC MGUARD RS2000 3G VPN download
2903440 TC MGUARD RS4000 3G VPN download
2702831 FL MGUARD CORE TX VPN download
2903588 TC MGUARD RS2000 4G VPN download
2903586 TC MGUARD RS4000 4G VPN download

Checksums

Update_8.6.1_MPC.zip
SHA-512
5672E68B9062EEA634AB5BC9424B40EFF587A11C132FB3018B8E0565A3A01C6F9A3DCAE13E0B47683BDC734D1B1C56AE3998C65BBC9576EEC36F6340CB1DB053
Update_8.6.1_X86.zip
SHA-512
7FED3804E8B934E83BA9B42C41EE12EA380A1B4D7734B91ECA4C957E3CFB590C9A3E764EC13F02A84938D2EB4AF5224F13E8D73DB565140AC670B79144C0AB88
Update_8.6.1_TC3G_MPC.zip
SHA-512
DB7294FE40DEE2F6C85C7DF747520F26C7FDA9FDAD52F0CEED19F8370BC48CDF428DEB8B29A9C41B741264229213D4C65E6D1481396E3F2513F72DEBF1CB2947
mguard-firmware-repositories-8.6.1_mpc.zip
SHA-512
29C9276DD44FB315F250376C4DDAF6F93B5CC4512AD3F006FC0B62CD85125D8DFFB57897BED0EB3B0C5B0CF256FF8CF3619F83E96444D88E3FF897BEF859BBF1
mguard-firmware-repositories-8.6.1_x86.zip
SHA-512
D8C73FA959849563DF56607D567F0FFD1F739F2EC3043298A90C424745BCB594165A87938A02B1129F4437E3E444E94E30F8900FB3DD98FBCDD97EA56B9CF200

Reported by

PHOENIX CONTACT reported this vulnerability to CERT@VDE.