Phoenix Contact has released new firmware to mitigate multiple vulnerabilities in its FL SWITCH, according to a report from NCCIC.
The vulnerabilities include a cross-site request forgery, improper restriction of excessive authentication attempts, cleartext transmission of sensitive information, resource exhaustion, incorrectly specified destination in a communication channel, insecure storage of sensitive information, and memory corruption.
Successful exploitation of these vulnerabilities, discovered by Evgeniy Druzhinin, Ilya Karpov, and Georgy Zaytsev of Positive Technologies, may allow attackers to gain user privileges, gain access to the switch, read user credentials, deny access to the switch, or perform man-in-the-middle attacks.
Phoenix Contact reports the vulnerabilities affect the following products: FL SWITCH 3xxx, 4xxx and 48xx versions prior to Version 1.35.
In one issue, a cross-site request forgery vulnerability may allow an attacker to trick a user's web browser into transmitting unwanted commands to the switch.
CVE-2018-13993 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.
In addition, the switch lacks a login time-out feature to prevent high-speed automated guessing of username and password combinations. An attacker may gain access by brute forcing usernames and passwords.
CVE-2018-13990 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.6.
Also, the default setting of the Web UI (HTTP) allows user credentials to be transmitted unencrypted.
CVE-2018-13992 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.2.
In addition, an attacker can cause a denial of service of the Web UI by opening an excessive number of Web UI connections.
CVE-2018-13994 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
Moreover, an attacker may extract the switch’s default private keys from its firmware image.
CVE-2018-13991 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
Also, buffer errors in the existing switch security library may allow a denial-of-service condition.
CVE-2017-3735 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
The product sees use mainly in the communications, critical manufacturing, and information technology sectors. It is deployed worldwide.
No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level could leverage them.
Phoenix Contact recommends users of FL SWITCH devices with affected firmware versions update the firmware to Version 1.35 or higher, which fixes these vulnerabilities. The updated firmware may be downloaded from the managed switch product page on the Phoenix Contact website. Please see the CERT VDE advisory for these vulnerabilities for the location of the new firmware download for each specific product.
Phoenix Contact also recommends that users of the Phoenix Contact managed FL SWITCH devices enable HTTP security.