VDE-2022-013 | CERT@VDE

2022-04-12 08:00 (CEST) VDE-2022-013

PHOENIX CONTACT: Multiple products affected by possible infinite loop within OpenSSL library UPDATE A

Share: Email | Twitter

ID

VDE-2022-013

Published

2022-04-12 08:00 (CEST)

Last update

2022-06-14 08:09 (CEST)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No°	Product Name	Affected Version(s)
1153079	FL MGUARD 1102	<= 1.5.2
1153078	FL MGUARD 1105	<= 1.5.2
2702547	FL MGUARD CENTERPORT	<= 8.8.5
2702820	FL MGUARD CENTERPORT VPN-1000	<= 8.8.5
2702884	FL MGUARD CORE TX	<= 8.8.5
2702831	FL MGUARD CORE TX VPN	<= 8.8.5
2700967	FL MGUARD DELTA TX/TX	<= 8.8.5
2700968	FL MGUARD DELTA TX/TX VPN	<= 8.8.5
2981974	FL MGUARD DM UNLIMITED	<= 1.13.0.1
2700197	FL MGUARD GT/GT	<= 8.8.5
2700198	FL MGUARD GT/GT VPN	<= 8.8.5
2701274	FL MGUARD PCI4000	<= 8.8.5
2701275	FL MGUARD PCI4000 VPN	<= 8.8.5
1073944	FL MGUARD PCI4000 VPN/K2	<= 8.8.5
2701277	FL MGUARD PCIE4000	<= 8.8.5
2701278	FL MGUARD PCIE4000 VPN	<= 8.8.5
1073940	FL MGUARD PCIE4000 VPN/K2	<= 8.8.5
2702139	FL MGUARD RS2000 TX/TX-B	<= 8.8.5
2700642	FL MGUARD RS2000 TX/TX VPN	<= 8.8.5
2701875	FL MGUARD RS2005 TX VPN	<= 8.8.5
2700634	FL MGUARD RS4000 TX/TX	<= 8.8.5
2702470	FL MGUARD RS4000 TX/TX-M	<= 8.8.5
2702259	FL MGUARD RS4000 TX/TX-P	<= 8.8.5
2200515	FL MGUARD RS4000 TX/TX VPN	<= 8.8.5
1053403	FL MGUARD RS4000 TX/TX VPN/K1	<= 8.8.5
1073943	FL MGUARD RS4000 VPN/K2	<= 8.8.5
2701876	FL MGUARD RS4004 TX/DTX	<= 8.8.5
2701877	FL MGUARD RS4004 TX/DTX VPN	<= 8.8.5
2700640	FL MGUARD SMART2	<= 8.8.5
2700639	FL MGUARD SMART2 VPN	<= 8.8.5
1053405	FL MGUARD SMART2 VPN/K1	<= 8.8.5
2702899	FL WLAN 1010	<= 2.70
2702900	FL WLAN 1011	<= 2.70
2702534	FL WLAN 1100	<= 2.70
2702538	FL WLAN 1101	<= 2.70
1119246	FL WLAN 2010	<= 2.70
1119248	FL WLAN 2011	<= 2.70
2702535	FL WLAN 2100	<= 2.70
2702540	FL WLAN 2101	<= 2.70
2700718	FL WLAN 5100	<= 3.21
2701093	FL WLAN 5101	<= 3.21
2701850	FL WLAN 5102	<= 3.21
1043193	FL WLAN 5110	<= 3.21
1043201	FL WLAN 5111	<= 3.21
2903441	TC MGUARD RS2000 3G VPN	<= 8.8.5
1010464	TC MGUARD RS2000 4G ATT VPN	<= 8.8.5
2903588	TC MGUARD RS2000 4G VPN	<= 8.8.5
1010462	TC MGUARD RS2000 4G VZW VPN	<= 8.8.5
2903440	TC MGUARD RS4000 3G VPN	<= 8.8.5
1010463	TC MGUARD RS4000 4G ATT VPN	<= 8.8.5
2903586	TC MGUARD RS4000 4G VPN	<= 8.8.5
1010461	TC MGUARD RS4000 4G VZW VPN	<= 8.8.5

Summary

FL MGUARD and TC MGUARD devices are affected by a possible infinite loop within a OpenSSL library method for parsing elliptic curve parameters. This method is used on parsing cryptographic certificates that contain elliptic curve public keys in compressed form, which may occur on:

Parsing client certificates for HTTPS administrative login
Parsing client certificates for SSH administrative login
Parsing peer certificates for IPsec VPN connections
Parsing certificates of external servers, including:
- OpenVPN server
- Configuration pull server
- Update server

Attackers could try to exploit the vulnerability from remote.
For the mGuard Device Manager only the mdm Installer for Windows is affected.

UPDATE A: Added FL MGUARD 1102 and FL MGUARD 1105:

On FL MGUARD 1102 and FL MGUARD 1105 with mGuardNT 1.5.2 and older, the device can
be affected through an adapted certificate. This can occur on connection with a remote logging
server, configured for certificate authentication, or an remote authentication server at certificate
based authentication.

CVE ID

CVE-2022-0778

Last Update:

11. April 2022 09:50

Severity

7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Weakness

Loop with Unreachable Exit Condition ('Infinite Loop') (CWE-835)

Summary

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).

Details

nvd.nist.gov

Impact

By sending a crafted certificate, attackers may trigger an infinite loop in the receiving service. This may cause the service to become unavailable. Additionally, the availability of other services may be reduced due to high CPU load.

FL MGUARD and TC MGUARD may be vulnerable in the following setups:

Activated HTTPS administrative access with certificate-based authentication
Activated SSH administrative access with certificate-based authentication
Use of IPsec VPN connections with certificate-based authentication
Use of connections to external servers with certificate-based authentication, including:
- OpenVPN server
- Configuration pull server
- Update server

FL WLAN may be vulnerable in the following setup:

WLAN Client modes with activated certificate-based RADIUS server authentication

The services can be vulnerable, even when they are not configured to use elliptic curve cryptography explicitly.

Solution

Mitigation

To reduce the possibility of an attack, affected functionality could be deactivated or used only in a way that it is not exposed on untrusted interfaces.

Remediation

This vulnerability is fixed in firmware version 8.8.6. We strongly recommend all affected FL MGUARD and TC MGUARD users to upgrade to this or a later version.

PHOENIX CONTACT strongly recommends upgrading FL MGUARD DM UNLIMITED to version 1.13.0.2 or higher, which fixes this vulnerability.

For FL WLAN devices the vulnerability will be fixed in the next regular release. A release date is not yet defined.

Reported by

We kindly appreciate the coordinated disclosure of this vulnerability by the finder.

PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.