Share: Email | Twitter

ID

VDE-2021-035

Published

2021-08-11 09:59 (CEST)

Last update

2021-08-11 09:59 (CEST)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
2981974 FL MGUARD DM = 1.12.0
2981974 FL MGUARD DM = 1.13.0

Summary

Access to the Apache web server being installed as part of the FL MGUARD DM on Microsoft Windows does not require login credentials even if configured during installation.


Last Update:

Sept. 8, 2021, 8:38 a.m.

Weakness

Improper Privilege Management  (CWE-269) 

Summary

In Phoenix Contact: FL MGUARD DM version 1.12.0 and 1.13.0 access to the Apache web server being installed as part of the FL MGUARD DM on Microsoft Windows does not require login credentials even if configured during installation.Attackers with network access to the Apache web server can download and therefore read mGuard configuration profiles (“ATV profiles”). Such configuration profiles may contain sensitive information, e.g. private keys associated with IPsec VPN connections.

Impact

Attackers with network access to the Apache web server can download and therefore read mGuard configuration profiles (“ATV profiles”). Such configuration profiles may contain sensitive information, e.g. private keys associated with IPsec VPN connections.

Solution

  • Stop the ApacheMDM Windows service.
  • Edit file <mdm>/apache/conf/extra/httpd-mdm.conf and remove the instances of these lines for “DocumentRoot” and alias “/atv”:
# Controls who can get stuff from this server.
Require all granted

<mdm> refers to the directory in which FL MGUARD DM is installed.

  • Start the ApacheMDM Windows service.

Remediation
This vulnerability is fixed in FL MGUARD DM 1.13.0.1. We advise all affected FL MGUARD DM 1.12.0 and 1.13.0 users to upgrade to FL MGUARD DM 1.13.0.1 or a later version.
Additional recommendations:

  • Limit network access to the Apache web server to as few network addresses as possible.
  • If possible, make use of encrypted mGuard configuration profiles.

Reported by

We kindly appreciate the coordinated disclosure of this vulnerability by the finder.

PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.