PHOENIX CONTACT Advisory for mGuard products

VDE-2018-001 (2018-01-30 09:01 UTC+0100)

CVE Identifier

CVE-2018-5441

Affected Vendors

PHOENIX CONTACT, Innominate Security Technologies

Affected Products

mGuard firmware version 7.2 to 8.6.0

Vulnerability Type

Improper Validation of Integrity Check Value (CWE - 354)

Summary

The integrity of the mGuard firmware atomic update process cannot be guaranteed under all circumstances.

The mGuard atomic update mechanism relies on internal checksums for the integrity verification of some portions of the update packages. The verification of these internal checksums may not always be performed correctly.

Impact

The mGuard only allows the installation of firmware updates digitally signed by Phoenix Contact (Innominate). The atomic update mechanism that was introduced with mGuard 7.2.0 to support the current generation of devices relies on internal checksums for the verification of the internal integrity of some portions of the update packages. As the verification may not always be performed correctly, an attacker might modify firmware update packages.

This vulnerability is present in all mGuard releases since 7.2.0 on the listed devices but does not affect the current mGuard 8.6.1 release.

Firmware images used to completely flash the device are not affected by this vulnerability.

Solution

We strongly advise all mGuard users to upgrade to the firmware version 8.6.1.

Also affected are discontinued mGuard products from PHOENIX CONTACT and Innominate AG running firmware version 7.2.0 or above.

2702547 FL MGUARD CENTERPORT http://www.phoenixcontact.net/qr/2702547/firmware_update
2700967 FL MGUARD DELTA TX/TX http://www.phoenixcontact.net/qr/2700967/firmware_update
2700968 FL MGUARD DELTA TX/TX VPN http://www.phoenixcontact.net/qr/2700968/firmware_update
2700197 FL MGUARD GT/GT http://www.phoenixcontact.net/qr/2700197/firmware_update
2700198 FL MGUARD GT/GT VPN http://www.phoenixcontact.net/qr/2700198/firmware_update
2701275 FL MGUARD PCI4000 VPN http://www.phoenixcontact.net/qr/2701275/firmware_update
2701278 FL MGUARD PCIE4000 VPN http://www.phoenixcontact.net/qr/2701278/firmware_update
2700642 FL MGUARD RS2000 TX/TX VPN http://www.phoenixcontact.net/qr/2700642/firmware_update
2702139 FL MGUARD RS2000 TX/TX-B http://www.phoenixcontact.net/qr/2702139/firmware_update
2701875 FL MGUARD RS2005 TX VPN http://www.phoenixcontact.net/qr/2701875/firmware_update
2700634 FL MGUARD RS4000 TX/TX http://www.phoenixcontact.net/qr/2700634/firmware_update
2200515 FL MGUARD RS4000 TX/TX VPN http://www.phoenixcontact.net/qr/2200515/firmware_update
2702465 FL MGUARD RS4000 TX/TX VPN-M http://www.phoenixcontact.net/qr/2702465/firmware_update
2702259 FL MGUARD RS4000 TX/TX-P http://www.phoenixcontact.net/qr/2702259/firmware_update
2701876 FL MGUARD RS4004 TX/DTX http://www.phoenixcontact.net/qr/2701876/firmware_update
2701877 FL MGUARD RS4004 TX/DTX VPN http://www.phoenixcontact.net/qr/2701877/firmware_update
2700640 FL MGUARD SMART2 http://www.phoenixcontact.net/qr/2700640/firmware_update
2700639 FL MGUARD SMART2 VPN http://www.phoenixcontact.net/qr/2700639/firmware_update
2903441 TC MGUARD RS2000 3G VPN http://www.phoenixcontact.net/qr/2903441/firmware_update
2903440 TC MGUARD RS4000 3G VPN http://www.phoenixcontact.net/qr/2903440/firmware_update
2702831 FL MGUARD CORE TX VPN http://www.phoenixcontact.net/qr/2700640/firmware_update
2903588 TC MGUARD RS2000 4G VPN http://www.phoenixcontact.net/qr/2903588/firmware_update
2903586 TC MGUARD RS4000 4G VPN http://www.phoenixcontact.net/qr/2903586/firmware_update

 

SHA-512 Checksums 

Update_8.6.1_MPC.zip

5672E68B9062EEA634AB5BC9424B40EFF587A11C132FB3018B8E0565A3A01C6F9A3DCAE13E0B47683BDC734D1B1C56AE3998C65BBC9576EEC36F6340CB1DB053

Update_8.6.1_X86.zip

7FED3804E8B934E83BA9B42C41EE12EA380A1B4D7734B91ECA4C957E3CFB590C9A3E764EC13F02A84938D2EB4AF5224F13E8D73DB565140AC670B79144C0AB88

Update_8.6.1_TC3G_MPC.zip

DB7294FE40DEE2F6C85C7DF747520F26C7FDA9FDAD52F0CEED19F8370BC48CDF428DEB8B29A9C41B741264229213D4C65E6D1481396E3F2513F72DEBF1CB2947

Update_8.6.1_TC4G_MPC.zip

34EB967764EBA936BE1A310AA77DCE9D44D3ECE6E07A353928723C387AA5FC4768B9E4DA446FB0568ADE9F928E18E544EE9EA524BE7499CE016A746E57623C66

mguard-firmware-repositories-8.6.1_mpc.zip

29C9276DD44FB315F250376C4DDAF6F93B5CC4512AD3F006FC0B62CD85125D8DFFB57897BED0EB3B0C5B0CF256FF8CF3619F83E96444D88E3FF897BEF859BBF1

mguard-firmware-repositories-8.6.1_x86.zip

D8C73FA959849563DF56607D567F0FFD1F739F2EC3043298A90C424745BCB594165A87938A02B1129F4437E3E444E94E30F8900FB3DD98FBCDD97EA56B9CF200

 

Reported by

PHOENIX CONTACT reported this vulnerability to CERT@VDE.