PHOENIX CONTACT : Security Advisory for FL SWITCH SMCS series

Multiple vulnerabilities have been discovered in the current firmware of the PHOENIX CONTACT FL SWITCH SMCS series switches.

VDE-2021-023 (2021-06-23 14:14 UTC+0200)

Affected Vendors

Phoenix Contact

Affected Products

Product number   Product name                  Firmware version
2700996          FL SWITCH SMCS 16TX           <= 4.70
2700997          FL SWITCH SMCS 14TX/2FX       <= 4.70
2701466          FL SWITCH SMCS 14TX/2FX-SM    <= 4.70
2891123          FL SWITCH SMCS 8GT            <= 4.70
2891479          FL SWITCH SMCS 6GT/2SFP       <= 4.70
2989103          FL SWITCH SMCS 8TX-PN         <= 4.70
2989093          FL SWITCH SMCS 4TX-PN         <= 4.70
2989226          FL SWITCH SMCS 8TX            <= 4.70
2989323          FL SWITCH SMCS 6TX/2SFP       <= 4.70
2700290          FL SWITCH SMN 6TX/2POF-PN     <= 4.70
2989501          FL SWITCH SMN 8TX-PN          <= 4.70
2989543          FL SWITCH SMN 6TX/2FX         <= 4.70
2989556          FL SWITCH SMN 6TX/2FX SM      <= 4.70
2989365          FL NAT SMN 8TX                <= 4.63
2702443          FL NAT SMN 8TX-M              <= 4.63

Summary

CVE-ID: CVE-2021-20003
CWE-ID: CWE-404
CVSS: 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Description: Fragmented TCP packets may cause a denial of service of the web, SNMP and ICMP echo services. The switching functionality of the device is not affected.

CVE-ID: CVE-2021-20004
CWE-ID: CWE-79
CVSS: 7.4 CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
Description: An attacker on the same link may insert malicious code via LLDP frames into the web-based management, where it is rendered and executed in the browser of the administrator viewing it.
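The root cause of this class of bug is that a neighbor-supplied LLDP string reaches the management page without output encoding. The following is an added example, not code from Phoenix Contact or from the advisory: it parses the LLDP TLVs of a constructed frame and shows an unescaped table row beside the escaped one. The assumption that the payload travels in the System Name or Port Description TLV is the author's; the advisory does not state which TLV the affected firmware renders.

```python
import html
import struct
from typing import Dict, List, Tuple

ETHERTYPE_LLDP = 0x88CC
LLDP_MCAST = bytes.fromhex("0180c200000e")  # nearest-bridge multicast address used by LLDP
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESC, TLV_SYS_NAME, TLV_SYS_DESC = 4, 5, 6
TLV_NAMES = {TLV_PORT_DESC: "port_description", TLV_SYS_NAME: "system_name", TLV_SYS_DESC: "system_description"}
RENDERED_FIELDS = ("system_name", "port_description", "system_description")


def parse_lldp_tlvs(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split an LLDPDU into (type, value) pairs. Each TLV header is 16 bits: 7-bit type, 9-bit length."""
    tlvs: List[Tuple[int, bytes]] = []
    off = 0
    while off + 2 <= len(payload):
        (hdr,) = struct.unpack_from("!H", payload, off)
        ttype, length = hdr >> 9, hdr & 0x1FF
        off += 2
        value = payload[off:off + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        off += length
        if ttype == TLV_END:
            break
        tlvs.append((ttype, value))
    return tlvs


def neighbor_fields(frame: bytes) -> Dict[str, str]:
    """Extract the free-form string TLVs a neighbor table would display."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_LLDP:
        raise ValueError("not an LLDP frame")
    fields: Dict[str, str] = {}
    for ttype, value in parse_lldp_tlvs(frame[14:]):
        if ttype in TLV_NAMES:
            # Neighbor-controlled bytes; decoded here, still untrusted.
            fields[TLV_NAMES[ttype]] = value.decode("utf-8", errors="replace")
    return fields


def render_neighbor_row_unsafe(fields: Dict[str, str]) -> str:
    """Vulnerable pattern: neighbor strings are interpolated into HTML verbatim."""
    return "<tr>" + "".join(f"<td>{fields.get(k, '')}</td>" for k in RENDERED_FIELDS) + "</tr>"


def render_neighbor_row(fields: Dict[str, str]) -> str:
    """Hardened pattern: every neighbor string is HTML-escaped before it reaches the page."""
    return "<tr>" + "".join(f"<td>{html.escape(fields.get(k, ''), quote=True)}</td>" for k in RENDERED_FIELDS) + "</tr>"


def build_lldp_frame(chassis_mac: bytes, port_id: bytes, system_name: bytes, port_desc: bytes, ttl: int = 120) -> bytes:
    """Build a minimal, valid LLDP frame (constructed test input, never sent on a wire here)."""
    def tlv(ttype: int, value: bytes) -> bytes:
        return struct.pack("!H", (ttype << 9) | len(value)) + value
    payload = (tlv(TLV_CHASSIS_ID, b"\x04" + chassis_mac)      # subtype 4: MAC address
               + tlv(TLV_PORT_ID, b"\x05" + port_id)           # subtype 5: interface name
               + tlv(TLV_TTL, struct.pack("!H", ttl))
               + tlv(TLV_PORT_DESC, port_desc)
               + tlv(TLV_SYS_NAME, system_name)
               + tlv(TLV_END, b""))
    return LLDP_MCAST + chassis_mac + struct.pack("!H", ETHERTYPE_LLDP) + payload


# Constructed sample: a neighbor announcing a script tag as its system name (assumed TLV, see lead-in).
HOSTILE_FRAME = build_lldp_frame(bytes.fromhex("0a1b2c3d4e5f"), b"eth0", b"<script>alert(1)</script>", b"uplink")

if __name__ == "__main__":
    fields = neighbor_fields(HOSTILE_FRAME)
    print("unsafe:", render_neighbor_row_unsafe(fields))
    print("safe:  ", render_neighbor_row(fields))
```

The fix is output encoding at the point of rendering, not input filtering on the LLDP receive path: a system name is allowed to contain any bytes, so the page must treat every neighbor field as untrusted data.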

CVE-ID: CVE-2021-20005
CWE-ID: CWE-362
CVSS: 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description: If an attacker sends a crafted TCP packet with the URG flag set and the urgent pointer set to 0, the network stack crashes. The device needs to be rebooted afterwards.
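Both denial-of-service conditions above (fragmented TCP datagrams for CVE-2021-20003, URG set with urgent pointer 0 for CVE-2021-20005) are visible in the IP and TCP headers alone, so they can be matched on a capture or a mirror port in front of the switch. The following is an added example, not code from Phoenix Contact or from the advisory: it decodes Ethernet/IPv4/TCP headers and flags frames that meet either trigger condition. The sample frames are constructed inline with zero checksums; the helper names are the author's.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IP_FLAG_MF = 0x2000             # "more fragments" bit in the IPv4 flags/fragment-offset field
IP_FRAG_OFFSET_MASK = 0x1FFF
TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10
TCP_FLAG_URG = 0x20


@dataclass
class Finding:
    src: str
    dst: str
    reason: str


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def inspect_frame(frame: bytes) -> List[Finding]:
    """Flag an Ethernet/IPv4/TCP frame that matches one of the advisory's trigger conditions."""
    findings: List[Finding] = []
    if len(frame) < ETH_HDR_LEN + 20:
        return findings
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return findings

    ip = frame[ETH_HDR_LEN:]
    ver_ihl, _tos, _tlen, _ident, flags_frag, _ttl, proto, _csum, src, dst = struct.unpack_from("!BBHHHBBH4s4s", ip, 0)
    if ver_ihl >> 4 != 4 or proto != IPPROTO_TCP:
        return findings
    ihl = (ver_ihl & 0x0F) * 4
    src_s, dst_s = _ip_str(src), _ip_str(dst)

    # CVE-2021-20003 condition: the TCP segment arrives as IP fragments.
    more_fragments = bool(flags_frag & IP_FLAG_MF)
    frag_offset = flags_frag & IP_FRAG_OFFSET_MASK
    if more_fragments or frag_offset:
        findings.append(Finding(src_s, dst_s, "fragmented TCP datagram (CVE-2021-20003 trigger condition)"))
    if frag_offset:
        # Non-first fragments carry no TCP header, so there is nothing more to check.
        return findings

    tcp = ip[ihl:]
    if len(tcp) < 20:
        return findings
    _sport, _dport, _seq, _ack, _doff, tcp_flags, _win, _tcsum, urg_ptr = struct.unpack_from("!HHIIBBHHH", tcp, 0)
    # CVE-2021-20005 condition: URG flag set but the urgent pointer is 0.
    if tcp_flags & TCP_FLAG_URG and urg_ptr == 0:
        findings.append(Finding(src_s, dst_s, "TCP URG flag set with urgent pointer 0 (CVE-2021-20005 trigger condition)"))
    return findings


def scan(frames: Iterable[bytes]) -> List[Finding]:
    out: List[Finding] = []
    for frame in frames:
        out.extend(inspect_frame(frame))
    return out


def build_frame(src_ip: str, dst_ip: str, tcp_flags: int, urg_ptr: int = 0,
                more_fragments: bool = False, frag_offset: int = 0, dport: int = 80) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame as offline test input. Checksums stay 0 because
    nothing here is sent on a wire; a real capture would have them filled in."""
    flags_frag = (IP_FLAG_MF if more_fragments else 0) | (frag_offset & IP_FRAG_OFFSET_MASK)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, tcp_flags, 8192, 0, urg_ptr)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, flags_frag, 64, IPPROTO_TCP, 0,
                     bytes(int(x) for x in src_ip.split(".")), bytes(int(x) for x in dst_ip.split(".")))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


# Constructed sample traffic: 10.0.0.1 plays the switch management address.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.1", TCP_FLAG_SYN),                                 # ordinary SYN: clean
    build_frame("10.0.0.9", "10.0.0.1", TCP_FLAG_ACK | TCP_FLAG_URG, urg_ptr=0),       # URG with pointer 0
    build_frame("10.0.0.5", "10.0.0.1", TCP_FLAG_ACK | TCP_FLAG_URG, urg_ptr=1),       # legitimate urgent data
    build_frame("10.0.0.9", "10.0.0.1", TCP_FLAG_SYN, more_fragments=True),            # first fragment
    build_frame("10.0.0.9", "10.0.0.1", TCP_FLAG_SYN, frag_offset=185),                # non-first fragment
    bytes(12) + struct.pack("!H", 0x0806) + bytes(28),                                 # ARP-sized non-IP frame
]

if __name__ == "__main__":
    for f in scan(SAMPLE_FRAMES):
        print(f"{f.src} -> {f.dst}: {f.reason}")
```

A fragmented-TCP match is a weaker signal than the URG/0 match: fragments are normal on paths with a small MTU, so treat the first as a rate-based indicator and the second as a direct alert.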

Impact

An attacker may use the vulnerabilities described above to provoke a denial of service of the device's management functions (web, SNMP and ICMP echo services, or the entire network stack in the case of CVE-2021-20005), or use the XSS vulnerability to attack the client PC of the administrator.

Solution

Temporary Fix / Mitigation

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection

Reported by

These vulnerabilities have been discovered and reported by Anne Borcherding, Fraunhofer-Institut für Optronik, Systemtechnik und Bildauswertung IOSB.
We kindly appreciate the coordinated disclosure of these vulnerabilities by the finder.
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.