Phoenix Contact mGuard Devices versions before 8.8.3: LAN ports get functional after reboot even if they are disabled in the device configuration
CVE-2020-12523

5.4 MEDIUM

Summary

On Phoenix Contact mGuard devices running versions before 8.8.3, LAN ports become functional after a reboot even if they are disabled in the device configuration. On mGuard devices with an integrated switch on the LAN side, individual switch ports can be disabled in the device configuration. After a reboot, these ports become functional regardless of their configuration setting. Weakness: Missing Initialization of Resource.

Affected Version(s)

FL MGUARD RS4004 TX/DTX (2701876) < 8.8.3

FL MGUARD RS4004 TX/DTX VPN (2701877) < 8.8.3

Innominate mGuard rs4000 4TX/3G/TX VPN < 8.8.3

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Discovered by SMST Designers & Constructors B.V., Phoenix Contact reported to CERT@VDE.