Share: Email | Twitter

ID

VDE-2018-006

Published

2018-05-16 07:40 (CEST)

Last update

2021-11-04 10:06 (CET)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
2891033 FL SWITCH 3004T-FX 1.0 <= 1.33
2891034 FL SWITCH 3004T-FX ST 1.0 <= 1.33
2891030 FL SWITCH 3005 1.0 <= 1.33
2891032 FL SWITCH 3005T 1.0 <= 1.33
2891036 FL SWITCH 3006T-2FX 1.0 <= 1.33
2891060 FL SWITCH 3006T-2FX SM 1.0 <= 1.33
2891037 FL SWITCH 3006T-2FX ST 1.0 <= 1.33
2891031 FL SWITCH 3008 1.0 <= 1.33
2891035 FL SWITCH 3008T 1.0 <= 1.33
2891120 FL SWITCH 3012E-2FX 1.0 <= 1.33
2891119 FL SWITCH 3012E-2FX SM 1.0 <= 1.33
2891067 FL SWITCH 3012E-2SFX 1.0 <= 1.33
2891058 FL SWITCH 3016 1.0 <= 1.33
2891066 FL SWITCH 3016E 1.0 <= 1.33
2891059 FL SWITCH 3016T 1.0 <= 1.33
2891162 FL SWITCH 4000T-8POE-2SFP-R 1.0 <= 1.33
2891160 FL SWITCH 4008T-2GT-3FX SM 1.0 <= 1.33
2891061 FL SWITCH 4008T-2GT-4FX SM 1.0 <= 1.33
2891062 FL SWITCH 4008T-2SFP 1.0 <= 1.33
2891063 FL SWITCH 4012T 2GT 2FX 1.0 <= 1.33
2891161 FL SWITCH 4012T-2GT-2FX ST 1.0 <= 1.33
2891102 FL SWITCH 4800E-24FX-4GC 1.0 <= 1.33
2891104 FL SWITCH 4800E-24FX SM-4GC 1.0 <= 1.33
2891079 FL SWITCH 4808E-16FX-4GC 1.0 <= 1.33
2891073 FL SWITCH 4808E-16FX LC-4GC 1.0 <= 1.33
2891080 FL SWITCH 4808E-16FX SM-4GC 1.0 <= 1.33
2891074 FL SWITCH 4808E-16FX SM LC-4GC 1.0 <= 1.33
2891086 FL SWITCH 4808E-16FX SM ST-4GC 1.0 <= 1.33
2891085 FL SWITCH 4808E-16FX ST-4GC 1.0 <= 1.33
2891072 FL SWITCH 4824E-4GC 1.0 <= 1.33

Summary

An attacker may insert a carefully crafted cookie into a GET menu_pxc.cgi or GET index.cgi request to cause a buffer overflow that can initiate a Denial of Service attack and execute arbitrary code.


Last Update:

Jan. 31, 2020, 2:51 p.m.

Weakness

Stack-based Buffer Overflow  (CWE-119) 

Summary

All Phoenix Contact managed FL SWITCH 3xxx, 4xxx, 48xx products running firmware version 1.0 to 1.33 are prone to buffer overflows (a different vulnerability than CVE-2018-10731).

Impact

If vulnerability is exploited, the attacker may disable Web and Telnet services and execute arbitrary code.

Update 2018-05-28

Due to the way this vulnerability was discovered, the Attack Complexity has been changed from HIGH to LOW. This results in a new CVSS Vector with a severity of 9.8.

Solution

Temporary Fix / Mitigation

Customers using Phoenix Contact managed FL SWITCH devices with affected firmware versions are recommended to disable the switch Web Agent.

Remediation

Customers using Phoenix Contact managed FL SWITCH devices with affected firmware versions are recommended to update the firmware to version 1.34 or higher which fixes this vulnerability. The updated firmware may be downloaded from the managed switch product page on the Phoenix Contact website:

Article No. Model Updated Firmware
2891030 FL SWITCH 3005 download
2891032 FL SWITCH 3005T download
2891033 FL SWITCH 3004T-FX download
2891034 FL SWITCH 3004T-FX ST download
2891031 FL SWITCH 3008 download
2891035 FL SWITCH 3008T download
2891036 FL SWITCH 3006T-2FX download
2891037 FL SWITCH 3006T-2FX ST download
2891067 FL SWITCH 3012E-2SFX download
2891066 FL SWITCH 3016E download
2891058 FL SWITCH 3016 download
2891059 FL SWITCH 3016T download
2891060 FL SWITCH 3006T-2FX SM download
2891062 FL SWITCH 4008T-2SFP download
2891061 FL SWITCH 4008T-2GT-4FX SM download
2891160 FL SWITCH 4008T-2GT-3FX SM download
2891073 FL SWITCH 4808E-16FX LC-4GC download
2891080 FL SWITCH 4808E-16FX SM-4GC download
2891086 FL SWITCH 4808E-16FX SM ST-4GC download
2891085 FL SWITCH 4808E-16FX ST-4GC download
2891079 FL SWITCH 4808E-16FX-4GC download
2891074 FL SWITCH 4808E-16FX SM LC-4GC download
2891063 FL SWITCH 4012T 2GT 2FX download
2891161 FL SWITCH 4012T-2GT-2FX ST download
2891072 FL SWITCH 4824E-4GC download
2891102 FL SWITCH 4800E-24FX-4GC download
2891104 FL SWITCH 4800E-24FX SM-4GC download
2891120 FL SWITCH 3012E-2FX download
2891119 FL SWITCH 3012E-2FX SM download
2891162 FL SWITCH 4000T-8POE-2SFP-R please contact your local customer service

Reported by

Evgeniy Druzhinin, Georgy Zaytsev and Ilya Karpov (Positive Technologies) reported these vulnerabilities to PHOENIX CONTACT