Summary
Openswan 2.6.39 and earlier, which is used in the mGuard firmware version 8.0.0 to 8.5.1, allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads.
Impact
Specially crafted IKEv2 packets may force an IKE daemon restart and force a restart of all IPsec connections. There is no access to sensitive information or tunnel content possible by this attack.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| 2702547 | FL MGUARD CENTERPORT | Phoenix Contact Firmware mGuard 8.0.0<=8.5.1 |
| 2700967 | FL MGUARD DELTA TX/TX | Phoenix Contact Firmware mGuard 8.0.0<=8.5.1 |
| 2700968 | FL MGUARD DELTA TX/TX VPN | Phoenix Contact Firmware mGuard 8.0.0<=8.5.1 |
| 2700197 | FL MGUARD GT/GT | Phoenix Contact Firmware mGuard 8.0.0<=8.5.1 |
| 2700198 | FL MGUARD GT/GT VPN | Phoenix Contact Firmware mGuard 8.0.0<=8.5.1 |
| 2701274 | FL MGUARD PCI4000 | Phoenix Contact Firmware mGuard 8.0.0<=8.5.1 |
| 2701275 | FL MGUARD PCI4000 VPN | Phoenix Contact Firmware mGuard 8.0.0<=8.5.1 |
| 2701278 | FL MGUARD PCIE4000 VPN | Phoenix Contact Firmware mGuard 8.0.0<=8.5.1 |
| 2989310 | FL MGUARD RS | Phoenix Contact Firmware mGuard 8.0.0<=8.5.1 |
| 2989718 | FL MGUARD RS VPN ANALOG | Phoenix Contact Firmware mGuard 8.0.0<=8.5.1 |
| 2700642 | FL MGUARD RS2000 TX/TX VPN | Phoenix Contact Firmware mGuard 8.0.0<=8.5.1 |
| 2701875 | FL MGUARD RS2005 TX VPN | Phoenix Contact Firmware mGuard 8.0.0<=8.5.1 |
| 2700634 | FL MGUARD RS4000 TX/TX | Phoenix Contact Firmware mGuard 8.0.0<=8.5.1 |
| 2200515 | FL MGUARD RS4000 TX/TX VPN | Phoenix Contact Firmware mGuard 8.0.0<=8.5.1 |
| 2702465 | FL MGUARD RS4000 TX/TX VPN-M | Phoenix Contact Firmware mGuard 8.0.0<=8.5.1 |
| 2702259 | FL MGUARD RS4000 TX/TX-P | Phoenix Contact Firmware mGuard 8.0.0<=8.5.1 |
| 2701876 | FL MGUARD RS4004 TX/DTX | Phoenix Contact Firmware mGuard 8.0.0<=8.5.1 |
| 2701877 | FL MGUARD RS4004 TX/DTX VPN | Phoenix Contact Firmware mGuard 8.0.0<=8.5.1 |
| 2700640 | FL MGUARD SMART2 | Phoenix Contact Firmware mGuard 8.0.0<=8.5.1 |
| 2700639 | FL MGUARD SMART2 VPN | Phoenix Contact Firmware mGuard 8.0.0<=8.5.1 |
| 2903441 | TC MGUARD RS2000 3G VPN | Phoenix Contact Firmware mGuard 8.0.0<=8.5.1 |
| 2903588 | TC MGUARD RS2000 4G VPN | Phoenix Contact Firmware mGuard 8.0.0<=8.5.1 |
| 2903440 | TC MGUARD RS4000 3G VPN | Phoenix Contact Firmware mGuard 8.0.0<=8.5.1 |
| 2903586 | TC MGUARD RS4000 4G VPN | Phoenix Contact Firmware mGuard 8.0.0<=8.5.1 |
Vulnerabilities
Expand / Collapse allOpenswan 2.6.39 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads.
Remediation
PHOENIX CONTACT and Innominate recommend all customers running mGuard devices with affected firmware versions to update to firmware version 8.5.2 or higher, which fixes this vulnerability. Updates can be found on the vendor's 'Downloads' page for each of the affected devices.
Acknowledgments
Phoenix Contact GmbH & Co. KG thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://certvde.com )
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 07.03.2017 12:05 | Initial revision. |
| 2 | 30.10.2024 12:27 | Fix: correct certvde domain, added self-reference |
| 3 | 22.05.2025 15:03 | Fix: version space, removed ia, quotation mark |