Innominate created a firmware patch that mitigates the unauthorized download of system information vulnerability from its mGuard devices, according to a report on ICS-CERT.
Applied Risk Research team, which discovered the remotely exploitable vulnerability, validated the firmware patch.
Innominate mGuard firmware Versions 4.0.0 up to Version 8.0.2 suffer from the issue.
Innominate mGuard firmware Versions 7.6.4 patch release, and firmware Versions 8.0.3, 8.1.0, 8.1.1, and higher do not have the vulnerability.
Exploitation of this vulnerability could allow a remote unauthenticated user access to release configuration information. While this is a minor vulnerability, it represents a method for further network reconnaissance.
Innominate is a German-based company that sells products worldwide through its international partners. Phoenix Contact acquired Innominate in 2008.
The vulnerability affects only the mGuard products, which are industrial security routers. They see action in critical infrastructure sectors, including communications, critical manufacturing, and healthcare and public health.
An attacker using a carefully crafted URL may download a configuration snapshot without prior authorization using the HTTPS CGI interface. The configuration snapshot contains configuration data, current system information and log files, but no confidential data such as RSA private keys, Pre-Shared keys or passwords. An attacker might gather information about network topology, traffic flows, and other connected systems from this data.
CVE-2014-2356 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.
No known public exploits specifically target this vulnerability and an attacker with a moderate skill would be able to exploit this vulnerability.
All users of affected Innominate mGuard devices may either update to one of the following firmware versions: 7.6.4, 8.0.3, 8.1.0, 8.1.1, or higher, or use the hotfix-CVE-2014-2356.tar.gz patch-update to fix their systems without updating any other component.
The patch can end up applied by either uploading the patch-update as “Local Update” or by the “Online Update” functionality and using hotfix-CVE-2014-2356 as “Package set name.” In addition, Innominate recommends limiting access to the administrative interfaces via firewall rules to the minimum necessary.