Share: Email | Twitter

ID

VDE-2017-006

Published

2018-01-10 10:36 (CET)

Last update

2018-01-10 10:36 (CET)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
2891033 FL SWITCH 3004T-FX < 1.33
2891034 FL SWITCH 3004T-FX ST < 1.33
2891030 FL SWITCH 3005 < 1.33
2891032 FL SWITCH 3005T < 1.33
2891036 FL SWITCH 3006T-2FX < 1.33
2891060 FL SWITCH 3006T-2FX SM < 1.33
2891037 FL SWITCH 3006T-2FX ST < 1.33
2891031 FL SWITCH 3008 < 1.33
2891035 FL SWITCH 3008T < 1.33
2891120 FL SWITCH 3012E-2FX < 1.33
2891119 FL SWITCH 3012E-2FX SM < 1.33
2891067 FL SWITCH 3012E-2SFX < 1.33
2891058 FL SWITCH 3016 < 1.33
2891066 FL SWITCH 3016E < 1.33
2891059 FL SWITCH 3016T < 1.33
2891162 FL SWITCH 4000T-8POE-2SFP-R < 1.33
2891160 FL SWITCH 4008T-2GT-3FX SM < 1.33
2891061 FL SWITCH 4008T-2GT-4FX SM < 1.33
2891062 FL SWITCH 4008T-2SFP < 1.33
2891063 FL SWITCH 4012T 2GT 2FX < 1.33
2891161 FL SWITCH 4012T-2GT-2FX ST < 1.33
2891102 FL SWITCH 4800E-24FX-4GC < 1.33
2891104 FL SWITCH 4800E-24FX SM-4GC < 1.33
2891079 FL SWITCH 4808E-16FX-4GC < 1.33
2891073 FL SWITCH 4808E-16FX LC-4GC < 1.33
2891080 FL SWITCH 4808E-16FX SM-4GC < 1.33
2891074 FL SWITCH 4808E-16FX SM LC-4GC < 1.33
2891086 FL SWITCH 4808E-16FX SM ST-4GC < 1.33
2891085 FL SWITCH 4808E-16FX ST-4GC < 1.33
2891072 FL SWITCH 4824E-4GC < 1.33

Summary

PHOENIX CONTACT FL SWITCH 3xxx series, FL SWITCH 4xxx series, and FL SWITCH 48xx series products running firmware version 1.0 to 1.32 allow unauthenticated users with network access to gain administrative privileges (CVE-2017-16743) and expose information to unauthenticated users in Monitor Mode (CVE-2017-16741).

Vulnerabilities



Last Update
Sept. 22, 2019, 10:05 a.m.
Weakness
Improper Authorization (CWE-285)
Summary
An Improper Authorization issue was discovered in PHOENIX CONTACT FL SWITCH 3xxx, 4xxx, and 48xxx Series products running firmware Version 1.0 to 1.32. A remote unauthenticated attacker may be able to craft special HTTP requests allowing an attacker to bypass web-service authentication allowing the attacker to obtain administrative privileges on the device.
Last Update
Sept. 22, 2019, 10:05 a.m.
Weakness
Information Exposure (CWE-200)
Summary
An Information Exposure issue was discovered in PHOENIX CONTACT FL SWITCH 3xxx, 4xxx, and 48xxx Series products running firmware Version 1.0 to 1.32. A remote unauthenticated attacker may be able to use Monitor Mode on the device to read diagnostic information.

Impact

CVE-2017-16743: web-service authentication bypass, improper authorization (CWE-285)

By crafting HTTP Set-Cookie and POST requests, an unauthenticated attacker with network access may bypass the web-service authentication and gain administrative privileges on the managed switch devices.

CVE-2017-16741: information exposure (CWE-200)

Any user with network access to a managed switch device may use Monitor Mode to read diagnostic information from the device's web interface without prior authentication in the web GUI. This includes information about model, subnet mask, uptime, and utilisation.

Solution

Customers using PHOENIX CONTACT FL SWITCH 3xxx series, FL SWITCH 4xxx series and FL SWITCH 48xx series devices with firmware versions up to 1.32 are recommended to update to firmware version 1.33 or higher, which fixes these vulnerabilities. The updated firmware may be downloaded from the following managed switch product pages on the vendor's website:

Article No.

Model Updated Firmware
2891030 FL SWITCH 3005 http://www.phoenixcontact.net/qr/2891030/firmware_update
2891032 FL SWITCH 3005T http://www.phoenixcontact.net/qr/2891032/firmware_update
2891033 FL SWITCH 3004T-FX http://www.phoenixcontact.net/qr/2891033/firmware_update
2891034 FL SWITCH 3004T-FX ST http://www.phoenixcontact.net/qr/2891034/firmware_update
2891031 FL SWITCH 3008 http://www.phoenixcontact.net/qr/2891031/firmware_update
2891035 FL SWITCH 3008T http://www.phoenixcontact.net/qr/2891035/firmware_update
2891036 FL SWITCH 3006T-2FX http://www.phoenixcontact.net/qr/2891036/firmware_update
2891037 FL SWITCH 3006T-2FX ST http://www.phoenixcontact.net/qr/2891037/firmware_update
2891067 FL SWITCH 3012E-2SFX http://www.phoenixcontact.net/qr/2891067/firmware_update
2891066 FL SWITCH 3016E http://www.phoenixcontact.net/qr/2891066/firmware_update
2891058 FL SWITCH 3016 http://www.phoenixcontact.net/qr/2891058/firmware_update
2891059 FL SWITCH 3016T http://www.phoenixcontact.net/qr/2891059/firmware_update
2891060 FL SWITCH 3006T-2FX SM http://www.phoenixcontact.net/qr/2891060/firmware_update
2891062 FL SWITCH 4008T-2SFP http://www.phoenixcontact.net/qr/2891062/firmware_update
2891061 FL SWITCH 4008T-2GT-4FX SM http://www.phoenixcontact.net/qr/2891061/firmware_update
2891160 FL SWITCH 4008T-2GT-3FX SM http://www.phoenixcontact.net/qr/2891160/firmware_update
2891073 FL SWITCH 4808E-16FX LC-4GC http://www.phoenixcontact.net/qr/2891073/firmware_update
2891080 FL SWITCH 4808E-16FX SM-4GC http://www.phoenixcontact.net/qr/2891080/firmware_update
2891086 FL SWITCH 4808E-16FX SM ST-4GC http://www.phoenixcontact.net/qr/2891086/firmware_update
2891085 FL SWITCH 4808E-16FX ST-4GC http://www.phoenixcontact.net/qr/2891085/firmware_update
2891079 FL SWITCH 4808E-16FX-4GC http://www.phoenixcontact.net/qr/2891079/firmware_update
2891074 FL SWITCH 4808E-16FX SM LC-4GC http://www.phoenixcontact.net/qr/2891074/firmware_update
2891063 FL SWITCH 4012T 2GT 2FX http://www.phoenixcontact.net/qr/2891063/firmware_update
2891161 FL SWITCH 4012T-2GT-2FX ST http://www.phoenixcontact.net/qr/2891161/firmware_update
2891072 FL SWITCH 4824E-4GC http://www.phoenixcontact.net/qr/2891072/firmware_update
2891102 FL SWITCH 4800E-24FX-4GC http://www.phoenixcontact.net/qr/2891102/firmware_update
2891104 FL SWITCH 4800E-24FX SM-4GC http://www.phoenixcontact.net/qr/2891104/firmware_update
2891120 FL SWITCH 3012E-2FX http://www.phoenixcontact.net/qr/2891120/firmware_update
2891119 FL SWITCH 3012E-2FX SM http://www.phoenixcontact.net/qr/2891119/firmware_update
2891162 FL SWITCH 4000T-8POE-2SFP-R please contact your local customer service

Reported by

Ilya Karpov and Evgeniy Druzhinin (Positive Technologies) reported these vulnerabilities to PHOENIX CONTACT.