VDE-2018-001 | CERT@VDE

2018-01-30 10:00 (CET) VDE-2018-001

PHOENIX CONTACT: Advisory for mGuard products

Share: Email | Twitter

ID

VDE-2018-001

Published

2018-01-30 10:00 (CET)

Last update

2018-01-30 10:00 (CET)

Vendor(s)

Innominate Security Technologies
PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No°	Product Name	Affected Version(s)
2702547	FL MGUARD CENTERPORT	7.2 <= 8.6.0
2702831	FL MGUARD CORE TX VPN	7.2 <= 8.6.0
2700967	FL MGUARD DELTA TX/TX	7.2 <= 8.6.0
2700968	FL MGUARD DELTA TX/TX VPN	7.2 <= 8.6.0
2700197	FL MGUARD GT/GT	7.2 <= 8.6.0
2700198	FL MGUARD GT/GT VPN	7.2 <= 8.6.0
2701275	FL MGUARD PCI4000 VPN	7.2 <= 8.6.0
2701278	FL MGUARD PCIE4000 VPN	7.2 <= 8.6.0
2903441	FL MGUARD RS2000 3G VPN	7.2 <= 8.6.0
2903588	FL MGUARD RS2000 4G VPN	7.2 <= 8.6.0
2702139	FL MGUARD RS2000 TX/TX-B	7.2 <= 8.6.0
2700642	FL MGUARD RS2000 TX/TX VPN	7.2 <= 8.6.0
2701875	FL MGUARD RS2005 TX VPN	7.2 <= 8.6.0
2903440	FL MGUARD RS4000 3G VPN	7.2 <= 8.6.0
2903586	FL MGUARD RS4000 4G VPN	7.2 <= 8.6.0
2700634	FL MGUARD RS4000 TX/TX	7.2 <= 8.6.0
2702259	FL MGUARD RS4000 TX/TX-P	7.2 <= 8.6.0
2200515	FL MGUARD RS4000 TX/TX VPN	7.2 <= 8.6.0
2702465	FL MGUARD RS4000 TX/TX VPN-M	7.2 <= 8.6.0
2701876	FL MGUARD RS4004 TX/DTX	7.2 <= 8.6.0
2701877	FL MGUARD RS4004 TX/DTX VPN	7.2 <= 8.6.0
2700640	FL MGUARD SMART2	7.2 <= 8.6.0
2700639	FL MGUARD SMART2 VPN	7.2 <= 8.6.0

Summary

The integrity of the mGuard firmware atomic update process cannot be guaranteed under all circumstances.

The mGuard atomic update mechanism relies on internal checksums for the integrity verification of some portions of the update packages. The verification of these internal checksums may not always be performed correctly.

CVE ID

CVE-2018-5441

Last Update:

Sept. 22, 2019, 10:17 a.m.

Severity

7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Weakness

Improper Input Validation (CWE-20)

Summary

An Improper Validation of Integrity Check Value issue was discovered in PHOENIX CONTACT mGuard firmware versions 7.2 to 8.6.0. mGuard devices rely on internal checksums for verification of the internal integrity of the update packages. Verification may not always be performed correctly, allowing an attacker to modify firmware update packages.

Details

nvd.nist.gov

Impact

The mGuard only allows the installation of firmware updates digitally signed by Phoenix Contact (Innominate). The atomic update mechanism that was introduced with mGuard 7.2.0 to support the current generation of devices relies on internal checksums for the verification of the internal integrity of some portions of the update packages. As the verification may not always be performed correctly, an attacker might modify firmware update packages.

This vulnerability is present in all mGuard releases since 7.2.0 on the listed devices but does not affect the current mGuard 8.6.1 release.

Firmware images used to completely flash the device are not affected by this vulnerability.

Solution

We strongly advise all mGuard users to upgrade to the firmware version 8.6.1.

Also affected are discontinued mGuard products from PHOENIX CONTACT and Innominate AG running firmware version 7.2.0 or above.

Article N°	Model	Download Link
2702547	FL MGUARD CENTERPORT	download
2700967	FL MGUARD DELTA TX/TX	download
2700968	FL MGUARD DELTA TX/TX VPN	download
2700197	FL MGUARD GT/GT	download
2700198	FL MGUARD GT/GT VPN	download
2701275	FL MGUARD PCI4000 VPN	download
2701278	FL MGUARD PCIE4000 VPN	download
2700642	FL MGUARD RS2000 TX/TX VPN	download
2702139	FL MGUARD RS2000 TX/TX-B	download
2701875	FL MGUARD RS2005 TX VPN	download
2700634	FL MGUARD RS4000 TX/TX	download
2200515	FL MGUARD RS4000 TX/TX VPN	download
2702465	FL MGUARD RS4000 TX/TX VPN-M	download
2702259	FL MGUARD RS4000 TX/TX-P	download
2701876	FL MGUARD RS4004 TX/DTX	download
2701877	FL MGUARD RS4004 TX/DTX VPN	download
2700640	FL MGUARD SMART2	download
2700639	FL MGUARD SMART2 VPN	download
2903441	TC MGUARD RS2000 3G VPN	download
2903440	TC MGUARD RS4000 3G VPN	download
2702831	FL MGUARD CORE TX VPN	download
2903588	TC MGUARD RS2000 4G VPN	download
2903586	TC MGUARD RS4000 4G VPN	download

Checksums

Update_8.6.1_MPC.zip

SHA-512

5672E68B9062EEA634AB5BC9424B40EFF587A11C132FB3018B8E0565A3A01C6F9A3DCAE13E0B47683BDC734D1B1C56AE3998C65BBC9576EEC36F6340CB1DB053

Update_8.6.1_X86.zip

SHA-512

7FED3804E8B934E83BA9B42C41EE12EA380A1B4D7734B91ECA4C957E3CFB590C9A3E764EC13F02A84938D2EB4AF5224F13E8D73DB565140AC670B79144C0AB88

Update_8.6.1_TC3G_MPC.zip

SHA-512

DB7294FE40DEE2F6C85C7DF747520F26C7FDA9FDAD52F0CEED19F8370BC48CDF428DEB8B29A9C41B741264229213D4C65E6D1481396E3F2513F72DEBF1CB2947

mguard-firmware-repositories-8.6.1_mpc.zip

SHA-512

29C9276DD44FB315F250376C4DDAF6F93B5CC4512AD3F006FC0B62CD85125D8DFFB57897BED0EB3B0C5B0CF256FF8CF3619F83E96444D88E3FF897BEF859BBF1

mguard-firmware-repositories-8.6.1_x86.zip

SHA-512

D8C73FA959849563DF56607D567F0FFD1F739F2EC3043298A90C424745BCB594165A87938A02B1129F4437E3E444E94E30F8900FB3DD98FBCDD97EA56B9CF200

Reported by

PHOENIX CONTACT reported this vulnerability to CERT@VDE.