VDE-2020-018 | CERT@VDE

2020-06-02 10:42 (CEST) VDE-2020-018

PHOENIX CONTACT: FL MGUARD, TC MGUARD, TC ROUTER and TC CLOUD CLIENT: PPPD vulnerable to CVE-2020-8597

Share: Email | Twitter

ID

VDE-2020-018

Published

2020-06-02 10:42 (CEST)

Last update

2020-06-02 10:42 (CEST)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No°	Product Name	Affected Version(s)
2702547	FL MGUARD CENTERPORT	< 8.8.2
2702831	FL MGUARD CORE TX VPN	< 8.8.2
2700967	FL MGUARD DELTA TX/TX	< 8.8.2
2700968	FL MGUARD DELTA TX/TX VPN	< 8.8.2
2700197	FL MGUARD GT/GT	< 8.8.2
2700198	FL MGUARD GT/GT VPN	< 8.8.2
2701275	FL MGUARD PCI4000 VPN	< 8.8.2
1073944	FL MGUARD PCI4000 VPN/K2	< 8.8.2
2701278	FL MGUARD PCIE4000 VPN	< 8.8.2
1073940	FL MGUARD PCIE4000 VPN/K2	< 8.8.2
2702139	FL MGUARD RS2000 TX/TX-B	< 8.8.2
2700642	FL MGUARD RS2000 TX/TX VPN	< 8.8.2
2701875	FL MGUARD RS2005 TX VPN	< 8.8.2
2700634	FL MGUARD RS4000 TX/TX	< 8.8.2
2702259	FL MGUARD RS4000 TX/TX-P	< 8.8.2
2200515	FL MGUARD RS4000 TX/TX VPN	< 8.8.2
1053403	FL MGUARD RS4000 TX/TX VPN/K1	< 8.8.2
2702465	FL MGUARD RS4000 TX/TX VPN-M	< 8.8.2
1073943	FL MGUARD RS4000 VPN/K2	< 8.8.2
2701876	FL MGUARD RS4004 TX/DTX	< 8.8.2
2701877	FL MGUARD RS4004 TX/DTX VPN	< 8.8.2
2700640	FL MGUARD SMART2	< 8.8.2
2700639	FL MGUARD SMART2 VPN	< 8.8.2
1053405	FL MGUARD SMART2 VPN/K1	< 8.8.2
2702886	TC CLOUD CLIENT 1002-4G	< 2.03.19
2702888	TC CLOUD CLIENT 1002-4G ATT	< 2.03.19
2702887	TC CLOUD CLIENT 1002-4G VZW	< 2.03.19
2903441	TC MGUARD RS2000 3G VPN	< 8.8.2
1010464	TC MGUARD RS2000 4G ATT VPN	< 8.8.2
2903588	TC MGUARD RS2000 4G VPN	< 8.8.2
1010462	TC MGUARD RS2000 4G VZW VPN	< 8.8.2
2903440	TC MGUARD RS4000 3G VPN	< 8.8.2
1010463	TC MGUARD RS4000 4G ATT VPN	< 8.8.2
2903586	TC MGUARD RS4000 4G VPN	< 8.8.2
1010461	TC MGUARD RS4000 4G VZW VPN	< 8.8.2
2702529	TC ROUTER 2002T-3G	< 2.05.5
2702531	TC ROUTER 2002T-3G	< 2.05.5
2702528	TC ROUTER 3002T-4G	< 2.05.5
2702530	TC ROUTER 3002T-4G	< 2.05.5
2702533	TC ROUTER 3002T-4G ATT	< 2.05.5
2702532	TC ROUTER 3002T-4G VZW	< 2.05.5

Summary

FL MGUARD, TC MGUARD, TC ROUTER and TC CLOUD CLIENT devices are affected by a buffer overflow vulnerability within the PPP service.

The PPP service is not active by default, but is used commonly at TC ROUTER, TC CLOUD CLIENT.
It is also running in the following FL MGUARD and TC MGUARD configurations:

• Mobile data connection
• Router mode “Modem”
• Router mode “PPPoE”
• L2TP over IPsec

Malicious PPP peers could try to exploit the vulnerability from remote.

CVE ID

CVE-2020-8597

Last Update:

June 26, 2020, 1:22 p.m.

Severity

9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Weakness

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)

Summary

eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.

Details

nvd.nist.gov

Impact

Attackers may either crash the PPP service or execute code with system permissions.

Solution

PHOENIX CONTACT strongly recommends updating the devices to the latest firmware if the devices are used in configurations where PPPD is activated.

Article no	Article	Affected versions	Current version
2200515	FL MGUARD RS4000 TX/TX VPN	< 8.8.2	download
2700197	FL MGUARD GT/GT	< 8.8.2	download
2700198	FL MGUARD GT/GT VPN	< 8.8.2	download
2700634	FL MGUARD RS4000 TX/TX	< 8.8.2	download
2700639	FL MGUARD SMART2 VPN	< 8.8.2	download
2700640	FL MGUARD SMART2	< 8.8.2	download
2700642	FL MGUARD RS2000 TX/TX VPN	< 8.8.2	download
2700967	FL MGUARD DELTA TX/TX	< 8.8.2	download
2700968	FL MGUARD DELTA TX/TX VPN	< 8.8.2	download
2701275	FL MGUARD PCI4000 VPN	< 8.8.2	download
2701278	FL MGUARD PCIE4000 VPN	< 8.8.2	download
2701875	FL MGUARD RS2005 TX VPN	< 8.8.2	download
2701876	FL MGUARD RS4004 TX/DTX	< 8.8.2	download
2701877	FL MGUARD RS4004 TX/DTX VPN	< 8.8.2	download
2702259	FL MGUARD RS4000 TX/TX-P	< 8.8.2	download
2702465	FL MGUARD RS4000 TX/TX VPN-M	< 8.8.2	download
2702547	FL MGUARD CENTERPORT	< 8.8.2	download
2702831	FL MGUARD CORE TX VPN	< 8.8.2	download
2702139	FL MGUARD RS2000 TX/TX-B	< 8.8.2	download
1053405	FL MGUARD SMART2 VPN/K1	< 8.8.2	download
1053403	FL MGUARD RS4000 TX/TX VPN/K1	< 8.8.2	download
1073940	FL MGUARD PCIE4000 VPN/K2	< 8.8.2	download
1073943	FL MGUARD RS4000 VPN/K2	< 8.8.2	download
1073944	FL MGUARD PCI4000 VPN/K2	< 8.8.2	download
2903441	TC MGUARD RS2000 3G VPN	< 8.8.2	download
2903588	TC MGUARD RS2000 4G VPN	< 8.8.2	download
1010462	TC MGUARD RS2000 4G VZW VPN	< 8.8.2	download
1010464	TC MGUARD RS2000 4G ATT VPN	< 8.8.2	download
2903440	TC MGUARD RS4000 3G VPN	< 8.8.2	download
2903586	TC MGUARD RS4000 4G VPN	< 8.8.2	download
1010461	TC MGUARD RS4000 4G VZW VPN	< 8.8.2	download
1010463	TC MGUARD RS4000 4G ATT VPN	< 8.8.2	download
2702528	TC ROUTER 3002T-4G	< 2.05.5	download
2702530	TC ROUTER 3002T-4G	< 2.05.5	download
2702529	TC ROUTER 2002T-3G	< 2.05.5	download
2702531	TC ROUTER 2002T-3G	< 2.05.5	download
2702532	TC ROUTER 3002T-4G VZW	< 2.05.5	download
2702533	TC ROUTER 3002T-4G ATT	< 2.05.5	download
2702886	TC CLOUD CLIENT 1002-4G	< 2.03.19	download
2702887	TC CLOUD CLIENT 1002-4G VZW	< 2.03.19	download
2702888	TC CLOUD CLIENT 1002-4G ATT	< 2.03.19	download

And all Innominate derivates of FL MGUARD products.

Reported by

PHOENIX CONTACT reported this vulnerability to CERT@VDE

PHOENIX CONTACT: FL MGUARD, TC MGUARD, TC ROUTER and TC CLOUD CLIENT: PPPD vulnerable to CVE-2020-8597

ID

Published

Last update

Vendor(s)

Product(s)

Summary

CVE ID

Last Update:

Severity

Weakness

Summary

Details

Impact

Solution

Article no

Article

Affected versions

Current version

Reported by