| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| 2981974 | FL MGUARD DM UNLIMITED | <= 1.13.0.1 |
Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling.
For the mGuard Device Manager only the mdm Installer for Windows is affected.
Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling
Attackers with network access to the Apache web server can download and therefore read mGuard configuration profiles (“ATV profiles”). Such configuration profiles may contain sensitive information, e.g., private keys associated with IPsec VPN connections.
Mitigation
This vulnerability is exploitable only if the ConfigPull functionality is used and config files are stored unencrypted. As a best practice and mitigation measure, we recommend storing configuration files encrypted with the device specific public key of the mGuard appliances.
Remediation
PHOENIX CONTACT strongly recommends upgrading FL MGUARD DM UNLIMITED to version 1.13.0.2 or higher, which fixes this vulnerability.
This vulnerability was discovered by James Kettle.
We kindly appreciate the coordinated disclosure of this vulnerability by the finder.
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.