Share: Email | Twitter

ID

VDE-2022-013

Published

2022-04-12 08:00 (CEST)

Last update

2022-06-14 08:09 (CEST)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No┬░ Product Name Affected Version(s)
1153079 FL MGUARD 1102 <= 1.5.2
1153078 FL MGUARD 1105 <= 1.5.2
2702547 FL MGUARD CENTERPORT <= 8.8.5
2702820 FL MGUARD CENTERPORT VPN-1000 <= 8.8.5
2702884 FL MGUARD CORE TX <= 8.8.5
2702831 FL MGUARD CORE TX VPN <= 8.8.5
2700967 FL MGUARD DELTA TX/TX <= 8.8.5
2700968 FL MGUARD DELTA TX/TX VPN <= 8.8.5
2981974 FL MGUARD DM UNLIMITED <= 1.13.0.1
2700197 FL MGUARD GT/GT <= 8.8.5
2700198 FL MGUARD GT/GT VPN <= 8.8.5
2701274 FL MGUARD PCI4000 <= 8.8.5
2701275 FL MGUARD PCI4000 VPN <= 8.8.5
1073944 FL MGUARD PCI4000 VPN/K2 <= 8.8.5
2701277 FL MGUARD PCIE4000 <= 8.8.5
2701278 FL MGUARD PCIE4000 VPN <= 8.8.5
1073940 FL MGUARD PCIE4000 VPN/K2 <= 8.8.5
2702139 FL MGUARD RS2000 TX/TX-B <= 8.8.5
2700642 FL MGUARD RS2000 TX/TX VPN <= 8.8.5
2701875 FL MGUARD RS2005 TX VPN <= 8.8.5
2700634 FL MGUARD RS4000 TX/TX <= 8.8.5
2702470 FL MGUARD RS4000 TX/TX-M <= 8.8.5
2702259 FL MGUARD RS4000 TX/TX-P <= 8.8.5
2200515 FL MGUARD RS4000 TX/TX VPN <= 8.8.5
1053403 FL MGUARD RS4000 TX/TX VPN/K1 <= 8.8.5
1073943 FL MGUARD RS4000 VPN/K2 <= 8.8.5
2701876 FL MGUARD RS4004 TX/DTX <= 8.8.5
2701877 FL MGUARD RS4004 TX/DTX VPN <= 8.8.5
2700640 FL MGUARD SMART2 <= 8.8.5
2700639 FL MGUARD SMART2 VPN <= 8.8.5
1053405 FL MGUARD SMART2 VPN/K1 <= 8.8.5
2702899 FL WLAN 1010 <= 2.70
2702900 FL WLAN 1011 <= 2.70
2702534 FL WLAN 1100 <= 2.70
2702538 FL WLAN 1101 <= 2.70
1119246 FL WLAN 2010 <= 2.70
1119248 FL WLAN 2011 <= 2.70
2702535 FL WLAN 2100 <= 2.70
2702540 FL WLAN 2101 <= 2.70
2700718 FL WLAN 5100 <= 3.21
2701093 FL WLAN 5101 <= 3.21
2701850 FL WLAN 5102 <= 3.21
1043193 FL WLAN 5110 <= 3.21
1043201 FL WLAN 5111 <= 3.21
2903441 TC MGUARD RS2000 3G VPN <= 8.8.5
1010464 TC MGUARD RS2000 4G ATT VPN <= 8.8.5
2903588 TC MGUARD RS2000 4G VPN <= 8.8.5
1010462 TC MGUARD RS2000 4G VZW VPN <= 8.8.5
2903440 TC MGUARD RS4000 3G VPN <= 8.8.5
1010463 TC MGUARD RS4000 4G ATT VPN <= 8.8.5
2903586 TC MGUARD RS4000 4G VPN <= 8.8.5
1010461 TC MGUARD RS4000 4G VZW VPN <= 8.8.5

Summary

FL MGUARD and TC MGUARD devices are affected by a possible infinite loop within a OpenSSL library method for parsing elliptic curve parameters. This method is used on parsing cryptographic certificates that contain elliptic curve public keys in compressed form, which may occur on:

  • Parsing client certificates for HTTPS administrative login
  • Parsing client certificates for SSH administrative login
  • Parsing peer certificates for IPsec VPN connections
  • Parsing certificates of external servers, including:
    • OpenVPN server
    • Configuration pull server
    • Update server

Attackers could try to exploit the vulnerability from remote.
For the mGuard Device Manager only the mdm Installer for Windows is affected.

UPDATE A: Added FL MGUARD 1102 and FL MGUARD 1105:

On FL MGUARD 1102 and FL MGUARD 1105 with mGuardNT 1.5.2 and older, the device can
be affected through an adapted certificate. This can occur on connection with a remote logging
server, configured for certificate authentication, or an remote authentication server at certificate
based authentication.


Last Update:

April 11, 2022, 9:50 a.m.

Weakness

Loop with Unreachable Exit Condition ('Infinite Loop')  (CWE-835) 

Summary

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).


Impact

By sending a crafted certificate, attackers may trigger an infinite loop in the receiving service. This may cause the service to become unavailable. Additionally, the availability of other services may be reduced due to high CPU load.

FL MGUARD and TC MGUARD may be vulnerable in the following setups:

  • Activated HTTPS administrative access with certificate-based authentication
  • Activated SSH administrative access with certificate-based authentication
  • Use of IPsec VPN connections with certificate-based authentication
  • Use of connections to external servers with certificate-based authentication, including:
    • OpenVPN server
    • Configuration pull server
    • Update server

FL WLAN may be vulnerable in the following setup:

  • WLAN Client modes with activated certificate-based RADIUS server authentication

The services can be vulnerable, even when they are not configured to use elliptic curve cryptography explicitly.

Solution

Mitigation

To reduce the possibility of an attack, affected functionality could be deactivated or used only in a way that it is not exposed on untrusted interfaces.

Remediation

This vulnerability is fixed in firmware version 8.8.6. We strongly recommend all affected FL MGUARD and TC MGUARD users to upgrade to this or a later version.

PHOENIX CONTACT strongly recommends upgrading FL MGUARD DM UNLIMITED to version 1.13.0.2 or higher, which fixes this vulnerability.

For FL WLAN devices the vulnerability will be fixed in the next regular release. A release date is not yet defined.

Reported by

We kindly appreciate the coordinated disclosure of this vulnerability by the finder.

PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.