PHOENIX CONTACT: mGuard Device Manager affected by HTTP Request Smuggling of Apache Webserver

VDE-2022-014
Last update
22.05.2025 15:03
Published at
12.04.2022 08:00
Vendor(s)
Phoenix Contact GmbH & Co. KG
External ID
VDE-2022-014
CSAF Document

Summary

Apache HTTP Server 2.4.52 and earlier fails to close the inbound connection when errors are encountered while discarding the request body, exposing the server to HTTP Request Smuggling.
For the mGuard Device Manager, only the mdm Installer for Windows is affected.

Impact

Attackers with network access to the Apache web server can download and therefore read mGuard configuration profiles ('ATV profiles'). Such configuration profiles may contain sensitive information, e.g., private keys associated with IPsec VPN connections.

Affected Product(s)

Model no. Product name Affected versions
2981974 FL MGUARD DM UNLIMITED Firmware <=1.13.0.1

Vulnerabilities

Published
22.09.2025 14:57
Weakness
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') (CWE-444)
Summary

Apache HTTP Server 2.4.52 and earlier fails to close the inbound connection when errors are encountered while discarding the request body, exposing the server to HTTP Request Smuggling.

References

Mitigation

This vulnerability is exploitable only if the ConfigPull functionality is used and the configuration files are stored unencrypted. As a best practice and mitigation measure, we recommend storing configuration files encrypted with the device-specific public key of the mGuard appliances.
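The mitigation above hinges on one operational fact: whether the ATV profiles in the ConfigPull directory are actually encrypted. The following audit script is an added example and is not Phoenix Contact code; it does not know the real mGuard encrypted-container format. It assumes that exported profiles use an ".atv" suffix, that an unencrypted profile is mostly printable text while a profile encrypted with the appliance public key is an opaque binary blob, and that exposed IPsec key material appears as standard unencrypted PEM private-key blocks. The sample profiles embedded in the script are constructed for the demonstration.

```python
"""Audit a ConfigPull export directory for ATV profiles stored unencrypted.

Added example, not Phoenix Contact code. The file suffix, the printable-text
heuristic and the PEM markers are assumptions, not documented mGuard behaviour.
"""
import re
import string
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Assumption: plaintext profiles are almost entirely printable ASCII; an
# encrypted container is not. 95% is a heuristic threshold, tune for your export.
PRINTABLE = set(string.printable.encode())
PRINTABLE_THRESHOLD = 0.95

# PEM headers of *unencrypted* private keys: PKCS#1 RSA, SEC1 EC, DSA, PKCS#8.
UNENCRYPTED_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----")


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (1.0 for empty input)."""
    if not data:
        return 1.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def classify_profile(data: bytes) -> str:
    """Return 'empty', 'encrypted', 'plaintext' or 'plaintext-with-key'."""
    if not data:
        return "empty"
    if printable_ratio(data) < PRINTABLE_THRESHOLD:
        return "encrypted"
    if UNENCRYPTED_KEY_RE.search(data):
        return "plaintext-with-key"
    return "plaintext"


def audit_directory(root: Path, suffixes: Iterable[str] = (".atv",)) -> Dict[str, str]:
    """Classify every profile under root; keys are POSIX-style relative paths."""
    findings: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            findings[path.relative_to(root).as_posix()] = classify_profile(path.read_bytes())
    return findings


def risky_profiles(findings: Dict[str, str]) -> List[str]:
    """Profiles a network attacker could read in clear if served by the web server."""
    return sorted(name for name, cls in findings.items() if cls.startswith("plaintext"))


# Constructed samples (not real exports; the key body is a placeholder).
SAMPLE_WITH_KEY = (
    b"# constructed ATV-style profile\n"
    b"ipsec.connection.1.name = site-a\n"
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"MIIBOgIBAAJBAK...constructed-placeholder-not-a-real-key...\n"
    b"-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_PLAIN = b"# constructed ATV-style profile without key material\nnetwork.hostname = mguard-01\n"
SAMPLE_ENCRYPTED = bytes(range(256)) * 4  # stands in for an opaque encrypted container


def run_demo() -> Dict[str, str]:
    """Write the constructed samples to a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "backup").mkdir()
        (root / "site-a.atv").write_bytes(SAMPLE_WITH_KEY)
        (root / "site-b.atv").write_bytes(SAMPLE_ENCRYPTED)
        (root / "backup" / "mguard-01.atv").write_bytes(SAMPLE_PLAIN)
        (root / "readme.txt").write_bytes(b"not a profile, ignored by suffix filter\n")
        return audit_directory(root)


if __name__ == "__main__":
    results = run_demo()
    for name, cls in results.items():
        print(f"{cls:20s} {name}")
    print("needs encryption:", risky_profiles(results))
```

A profile classified as "plaintext" is still a finding: the advisory's mitigation is to store every ConfigPull profile encrypted with the appliance's public key, not only those that happen to carry key material today.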

Remediation

PHOENIX CONTACT strongly recommends upgrading FL MGUARD DM UNLIMITED to version 1.13.0.2 or higher, which fixes this vulnerability.

Revision History

Version Date Summary
1 12.04.2022 08:00 Initial revision.
2 22.05.2025 15:03 Fix: added distribution, quotation mark