Share: Email | Twitter

ID

VDE-2021-022

Published

2021-06-23 14:16 (CEST)

Last update

2021-06-23 14:16 (CEST)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
2313452 FL COMSERVER UNI 232/422/485 < 2.40
2904817 FL COMSERVER UNI 232/422/485-T < 2.40

Summary

When the communication partner sends an invalid Modbus exception response to the FL COMSERVER UNI as a query, the Modbus communication stops, and the device will be unresponsive for some minutes before the functionality is fully restored (CWE-772).

CVE ID

CVE-2021-21002 

Last Update:

7. Juli 2021 13:16

Severity

7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) 

Weakness

Missing Release of Resource after Effective Lifetime  (CWE-772) 

Summary

In Phoenix Contact FL COMSERVER UNI in versions < 2.40 a invalid Modbus exception response can lead to a temporary denial of service.

Details

nvd.nist.gov 

Impact

An attacker may use this vulnerability to execute a Denial of Service (DoS) attack.

Solution

PHOENIX CONTACT recommends affected users to upgrade to the latest firmware version which is available for download.

Product number Product name Firmware version
2313452 FL COMSERVER UNI 232/422/485 2.41
2904817 FL COMSERVER UNI 232/422/485-T 2.41

Reported by

This vulnerability was found by Petri Tuomio and reported to PHOENIX CONTACT by Waertsilae PSIRT.
We kindly appreciate the coordinated disclosure of this vulnerability by the finder.
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.