Share: Email | Twitter

ID

VDE-2019-006

Published

2019-03-25 12:40 (CET)

Last update

2019-03-25 12:40 (CET)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
2989378 FL NAT SMCS 8TX all versions
2989365 FL NAT SMN 8TX all versions
2702443 FL NAT SMN 8TX-M all versions
2989352 FL NAT SMN 8TX-M-DMG all versions

Summary

After login the source IP is used as the session identifier, so that users sharing the same source IP are able to gain full authenticated access to the WEB-UI.

The access attempt will only be successful if the former authorized session has not been terminated by the authorized user or by session timeout.


Last Update:

Feb. 18, 2020, 8:23 a.m.

Weakness

Improper Access Control  (CWE-284) 

Summary

An issue was discovered on PHOENIX CONTACT FL NAT SMCS 8TX, FL NAT SMN 8TX, FL NAT SMN 8TX-M, and FL NAT SMN 8TX-M-DMG devices. There is unauthorized access to the WEB-UI by attackers arriving from the same source IP address as an authenticated user, because this IP address is used as a session identifier.

Impact

If an unauthorized user manages to get access as described above, he gains full access to the device configuration.

Solution

Customers using Phoenix Contact FL NAT SMx devices are recommended to operate the devices in closed networks or protected with a suitable firewall.
For detailed information on our recommendations for measures to protect network-capable devices, please refer to the application note:
https://www.phoenixcontact.com/assets/downloads_ed/local_pc/web_dwl_technical_info/ah_en_ industrial_security_107913_en_01.pdf

To protect the device from an attacker who has gained access to the closed network, or if there is a possibility that multiple users might share a VPN connection with a single endpoint IP, it might be considered to:

log off from the WEB-UI immediately after administration
disable the WEB-UI and use configuration access via SNMP instead

Reported by

This vulnerability was discovered by Maxim Rupp (rupp.it)