Phoenix Contact mitigated a vulnerability in its mGuard product in which a software update could reset the password to the default, according to a report with ICS-CERT.
Phoenix Contact, which discovered the remotely exploitable vulnerability itself, said the issue affects only devices that have been updated to Version 8.4.0. This vulnerability could allow an attacker to log into the system with administrative privileges.
An attacker with a low skill level would be able to exploit the vulnerability.
CVE-2017-5159 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
Phoenix Contact recommends users update to Version 8.4.1 (or higher, if applicable). If an update to Version 8.4.0 already has been performed, a user can change the “admin” password via WebUI or command line.
If SSH or HTTPS access was possible from untrusted sources after an update to Version 8.4.0, please flash the device and exchange all private keys and passphrases in the configuration.
To view the advisory published by Phoenix Contact, navigate to the company’s product page and then find the document in the “various” section of the product download page.
When updating an mGuard device to Version 8.4.0 via the update-upload facility, the update will succeed, but it will reset the password of the admin user to its default value.