Phoenix Contact has firmware upgrades to mitigate command injection, information exposure and stack-based buffer overflow vulnerabilities in its FL SWITCH 3xxx/4xxx/48xx Series, according to a report from NCCIC.
Successful exploitation of these remotely exploitable vulnerabilities could allow for remote code execution and information disclosure.
CERT@VDE working with Vyacheslav Moskvin, Semen Sokolov, Evgeniy Druzhinin, Georgy Zaytsev and Ilya Karpov of Positive Technologies and Phoenix Contact reported the vulnerabilities.
All FL SWITCH 3xxx, 4xxx, and 48xx Series products running firmware Version 1.0 to 1.32 are affected.
In one vulnerability, an attacker with permission to transfer configuration files to or from the switch or permission to upgrade firmware is able to execute arbitrary OS shell commands.
CVE-2018-10730 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.1.
In addition, web interface CGI applications may copy the contents of the running configuration file to a commonly accessed file. Manipulation of a web login request can expose the contents of this file through to the web browser. A successful web interface login attempt is not required to read the configuration file contents.
CVE-2018-10729 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
Also, an attacker may insert a carefully crafted cookie into a GET request to cause a buffer overflow that can result in a denial of service and allow execution of arbitrary code.
CVE-2018-10728 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.1.
In addition, a remote attacker may exploit a “long cookie” related vulnerability to cause a buffer overflow that allows unauthorized access to the switch's operating system files and the insertion of executable code into the OS.
CVE-2018-10731 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.0.
The product is used in the communications, critical manufacturing and information technology sectors, and it is deployed worldwide.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.
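Two defender-side checks that follow from the advisory, as an added example that is not code from the advisory, Phoenix Contact or NCCIC: an inventory filter for the stated affected firmware range (1.0 to 1.32) and a log filter that flags GET requests to switch management hosts carrying an oversized Cookie header, the pattern behind the two stack-overflow findings. The log line layout, the 512-byte cookie threshold, the switch host list and the sample lines are assumptions constructed for illustration.

```python
# Added example, not code from the advisory, Phoenix Contact or NCCIC.
# Log format, cookie-length threshold and host list are assumptions.
import re
from typing import Iterable

AFFECTED_MIN, AFFECTED_MAX = (1, 0), (1, 32)   # advisory: 1.0 to 1.32
# Assumed threshold: the advisory only says "long cookie"; a session
# cookie for an embedded web UI is far shorter than this.
MAX_COOKIE_LEN = 512

# Assumed line layout: client host method path cookie_len=<bytes>
LOG_LINE = re.compile(
    r"^(?P<client>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"cookie_len=(?P<cookie_len>\d+)$"
)

def parse_version(text: str) -> tuple[int, int]:
    """Extract (major, minor) from strings like '1.32' or 'Version 1.34'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no firmware version found in {text!r}")
    return int(m.group(1)), int(m.group(2))

def is_affected(version: str) -> bool:
    """True when the firmware falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def suspicious_requests(lines: Iterable[str], switch_hosts: set[str]) -> list[str]:
    """Return log lines for GET requests to a switch carrying an oversized cookie."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m is None:
            continue  # not in the assumed format; skip it
        if (m["host"] in switch_hosts and m["method"] == "GET"
                and int(m["cookie_len"]) > MAX_COOKIE_LEN):
            hits.append(line)
    return hits

# Constructed sample lines: one benign, one oversized cookie to a switch,
# one oversized cookie to a host that is not a switch.
SAMPLE_LOG = [
    "10.0.0.5 192.168.1.10 GET / cookie_len=48",
    "10.0.0.7 192.168.1.10 GET / cookie_len=4096",
    "10.0.0.7 192.168.1.99 GET / cookie_len=4096",
]
```

Running `suspicious_requests(SAMPLE_LOG, {"192.168.1.10"})` returns only the second sample line; pair the hit with `is_affected()` on the switch's reported firmware to prioritise the upgrade.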
Phoenix Contact recommends affected users upgrade to firmware Version 1.34, available from the Phoenix Contact website, for the following products:
FL SWITCH 3005
FL SWITCH 3005T
FL SWITCH 3004T-FX
FL SWITCH 3004T-FX ST
FL SWITCH 3008
FL SWITCH 3008T
FL SWITCH 3006T-2FX
FL SWITCH 3006T-2FX ST
FL SWITCH 3012E-2SFX
FL SWITCH 3016E
FL SWITCH 3016
FL SWITCH 3016T
FL SWITCH 3006T-2FX SM
FL SWITCH 4008T-2SFP
FL SWITCH 4008T-2GT-4FX SM
FL SWITCH 4008T-2GT-3FX SM
FL SWITCH 4808E-16FX LC-4GC
FL SWITCH 4808E-16FX SM-4GC
FL SWITCH 4808E-16FX SM ST-4GC
FL SWITCH 4808E-16FX ST-4GC
FL SWITCH 4808E-16FX-4GC
FL SWITCH 4808E-16FX SM LC-4GC
FL SWITCH 4012T 2GT 2FX
FL SWITCH 4012T-2GT-2FX ST
FL SWITCH 4824E-4GC
FL SWITCH 4800E-24FX-4GC
FL SWITCH 4800E-24FX SM-4GC
FL SWITCH 3012E-2FX SM
FL SWITCH 4000T-8POE-2SFP-R