ID

VDE-2022-014

Published

2022-04-12 08:00 (CEST)

Last update

2022-04-12 08:57 (CEST)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No° | Product Name | Affected Version(s)
2981974 | FL MGUARD DM UNLIMITED | <= 1.13.0.1

Summary

Apache HTTP Server 2.4.52 and earlier fails to close the inbound connection when errors are encountered while discarding the request body, exposing the server to HTTP Request Smuggling.
For the mGuard Device Manager, only the mdm Installer for Windows is affected.


Weakness

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') (CWE-444)

Impact

Attackers with network access to the Apache web server can download and therefore read mGuard configuration profiles (“ATV profiles”). Such configuration profiles may contain sensitive information, e.g., private keys associated with IPsec VPN connections.

Solution

Mitigation

This vulnerability is exploitable only if the ConfigPull functionality is used and config files are stored unencrypted. As a best practice and mitigation measure, we recommend storing configuration files encrypted with the device-specific public key of the mGuard appliances.

Remediation

PHOENIX CONTACT strongly recommends upgrading FL MGUARD DM UNLIMITED to version 1.13.0.2 or higher, which fixes this vulnerability.

Reported by

This vulnerability was discovered by James Kettle.

We kindly appreciate the coordinated disclosure of this vulnerability by the finder.
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.