Summary
For mGuard devices with integrated switch on the LAN side, single switch ports can be disabled by device configuration. After a reboot these ports get functional independent from their configuration setting: Missing Initialization of Resource (CWE-909).
Impact
After a reboot, affected mGuard devices may unexpectedly receive or send data on disabled switch ports. This includes the unexpected provision of administrative interfaces. Attackers may try to access confidential data or compromise the availability of mGuard services by flooding or resource exhaustion.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| 2701876 | FL MGUARD RS4004 TX/DTX | <8.8.3 |
| 2701877 | FL MGUARD RS4004 TX/DTX VPN | <8.8.3 |
| 2903440 | TC MGUARD RS4000 3G VPN | <8.8.3 |
| 1010463 | TC MGUARD RS4000 4G ATT VPN | <8.8.3 |
| 2903586 | TC MGUARD RS4000 4G VPN | <8.8.3 |
| 1010461 | TC MGUARD RS4000 4G VZW VPN | <8.8.3 |
| mGuard rs4000 4TX/3G/TX VPN | <8.8.3 | |
| mGuard rs4000 4TX/TX | <8.8.3 | |
| mGuard rs4000 4TX/TX VPN | <8.8.3 |
Vulnerabilities
Expand / Collapse allOn Phoenix Contact mGuard Devices versions before 8.8.3 LAN ports get functional after reboot even if they are disabled in the device configuration. For mGuard devices with integrated switch on the LAN side, single switch ports can be disabled by device configuration. After a reboot these ports get functional independent from their configuration setting: Missing Initialization of Resource
Mitigation
Instead of deactivating by configuration, network cables should be detached from affected switch
ports.
Remediation
Mitigation Instead of deactivating by configuration, network cables should be detached from affected switchports. Solution PHOENIX CONTACT recommends all mGuard users to upgrade to the firmware version 8.8.3.
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 12/17/2020 10:01 | Initial revision. |
| 2 | 05/14/2025 14:28 | Fix: removed ia, added distribution |