23 May 2018

Dangerous vulnerabilities identified in FL SWITCH industrial Ethernet switches

Dangerous vulnerabilities that could lead to remote execution of arbitrary code in the system and information disclosure have been identified in PHOENIX CONTACT FL SWITCH industrial Ethernet switches.

The vulnerabilities affect all FL SWITCH series 3xxx, 4xxx and 48xxx switches with firmware versions 1.0 to 1.32.

Four vulnerabilities have been identified, three of them critical (CVSS v3 base scores of 8.1 to 9.1).

One vulnerability is Improper Neutralization of Special Elements used in a Command (CVE-2018-10730). It can be exploited to execute arbitrary shell commands in the switch’s operating system, provided that attackers already hold privileges allowing them to upgrade firmware on the switch or transfer configuration files to or from the device.

Another vulnerability (CVE-2018-10728) enables attackers to insert a specially crafted cookie into a GET request to cause a buffer overflow, allowing them to mount a denial-of-service attack or execute arbitrary code.

One more buffer overflow vulnerability (CVE-2018-10731) can be exploited by remote attackers to gain unauthorized access to files in the switch’s operating system. It also enables attackers to execute arbitrary code in the target system.

The last vulnerability (CVE-2018-10729), which is also the least dangerous, concerns CGI applications being able to copy the contents of the running configuration file to a commonly accessible file. By manipulating a web login request, attackers can view the contents of that file in the browser. It should be noted that a successful web interface login is not required to read the configuration file contents.

To eliminate these vulnerabilities, PHOENIX CONTACT recommends upgrading device firmware to version 1.34 or higher. The relevant links are provided on the vendor’s website.
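As an added example (not from the advisory or the vendor), a triage script that flags asset-inventory entries falling inside the affected scope stated above (FL SWITCH 3xxx/4xxx/48xxx, firmware 1.0 to 1.32, fixed from 1.34). The CSV layout, host names and model strings are constructed, and deriving the series from the model name is an assumption about how the inventory is labelled.

```python
import csv
import io
import re
from typing import NamedTuple

# Scope as stated in the advisory: FL SWITCH 3xxx, 4xxx and 48xxx with
# firmware 1.0 through 1.32 are affected; the vendor fix is 1.34 or higher.
# Matching the series from the model string is an assumption about inventory labels.
AFFECTED_MODEL_RE = re.compile(r"^FL SWITCH (48\d{3}|3\d{3}|4\d{3})\b", re.IGNORECASE)
AFFECTED_RANGE = ((1, 0), (1, 32))
FIXED_FROM = (1, 34)

def parse_version(text: str) -> tuple[int, int]:
    """Parse 'major.minor' into integers. Comparing as floats would rank
    1.32 below 1.4, so each component must be compared numerically."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))

class Finding(NamedTuple):
    host: str
    model: str
    firmware: str
    status: str  # affected | fixed | review | out-of-scope | unknown

def classify(model: str, firmware: str) -> str:
    if not AFFECTED_MODEL_RE.match(model):
        return "out-of-scope"
    try:
        v = parse_version(firmware)
    except ValueError:
        return "unknown"          # cannot decide; verify the version by hand
    if AFFECTED_RANGE[0] <= v <= AFFECTED_RANGE[1]:
        return "affected"
    if v >= FIXED_FROM:
        return "fixed"
    return "review"               # e.g. 1.33 is not named by the advisory

def triage(inventory_csv: str) -> list[Finding]:
    """Run the check over an inventory in CSV form with columns host,model,firmware."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [Finding(r["host"], r["model"], r["firmware"],
                    classify(r["model"], r["firmware"])) for r in rows]

# Constructed sample inventory (hypothetical hosts and model strings).
SAMPLE_INVENTORY = """host,model,firmware
sw-cell-01,FL SWITCH 3008,1.32
sw-cell-02,FL SWITCH 4008,1.4
sw-ring-01,FL SWITCH 48000,1.34
sw-ring-02,FL SWITCH 3012,1.33
sw-office-01,FL SWITCH 2008,1.10
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host:14} {f.model:18} {f.firmware:6} {f.status}")
```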

Source: ICS-CERT