
Phoenix Contact FL Switch Industrial switches

Product
Developers: Phoenix Contact GmbH
Last Release Date: 2019/02/12
Branches: Gas industry, Oil industry, Power
Technology: SCS


Phoenix Contact FL Switch industrial switches are used to build networks in the oil and gas, maritime and power sectors and in other infrastructure and manufacturing industries.

2019: Vulnerabilities in the industrial FL SWITCH 3xxx, 4xxx and 48xx switches with firmware versions below 1.35

On February 12, 2019, Positive Technologies reported that its experts Evgeny Druzhinin, Ilya Karpov and Georgy Zaytsev had discovered high-risk vulnerabilities in Phoenix Contact industrial switches.

"Successful exploitation of these flaws can disrupt the technological process, up to bringing it to a complete stop. An attacker can intercept a user's credentials and then, having reconfigured the switch, disable its ports, which can break network communication between the APCS components. Several series of switches at once are vulnerable: FL SWITCH 3xxx, 4xxx and 48xx with firmware versions below 1.35."

Vladimir Nazarov, head of the safety department of industrial management systems of Positive Technologies

According to Positive Technologies, the most dangerous issue (CVE-2018-13993, CVSS 3 score 8.8) allows an attacker to perform cross-site request forgery and execute arbitrary commands in the switch's web interface on behalf of a legitimate user.

Another serious vulnerability (CVE-2018-13990, score 8.6) stems from the switches lacking a login timeout, which is needed to prevent automated guessing of user names and passwords. An attacker can gain access to the device by guessing passwords from dictionaries. An attacker can also intercept user credentials, which the web interface transmits in cleartext under the factory default settings (CVE-2018-13992, score 8.2).

In addition, an attacker can carry out a denial-of-service attack by opening an excessive number of connections to the web interface (CVE-2018-13994, score 7.5) or by exploiting buffer errors in the switch's security library (CVE-2017-3735, score 5.3). An attacker can also extract the default private keys from the firmware image, which in a man-in-the-middle attack makes it possible to access the transmitted data (CVE-2018-13991, score 5.3).

Positive Technologies emphasized that users of vulnerable versions of FL SWITCH devices need to update the firmware to version 1.35 or above. The updated firmware can be downloaded from the Phoenix Contact website.

2018

Four vulnerabilities in industrial switches of the FL SWITCH series

On June 19, 2018, the German electrical engineering company Phoenix Contact published information about four vulnerabilities in industrial switches of the FL SWITCH series. The devices are used for automation tasks at digital substations and in the oil and gas, maritime and other industries.

FL SWITCH 3006T-2FX SM

The vulnerabilities were discovered by Positive Technologies experts Vyacheslav Moskvin, Semyon Sokolov, Evgeny Druzhinin, Ilya Karpov and Georgy Zaytsev.

The most dangerous vulnerability is CVE-2018-10730 (CVSS score 9.1). It allows an attacker to execute arbitrary commands on the device and, for example, to disconnect all devices from the industrial network, disrupting the technological process of an industrial facility.

The second dangerous vulnerability (CVE-2018-10731), which received a score of 9.0, involves a buffer overflow and can be used to gain unauthorized access to the device's operating system files and to execute arbitrary code. CVE-2018-10728 (score 8.1) is also a buffer overflow issue. An attacker can use it for denial-of-service attacks, arbitrary code execution, and shutting down the Web and Telnet services.

The fourth vulnerability, CVE-2018-10729 (score 5.3), allows an unauthenticated attacker to read the contents of the device's configuration file.

The flaws were found in FL SWITCH 3xxx, 4xxx and 48xxx switches running software versions 1.0-1.33. To eliminate the vulnerabilities, the manufacturer recommends installing firmware version 1.34.

"The main trend of the past year continues: we are seeing more and more notifications about vulnerabilities in industrial network equipment. By reporting the vulnerabilities found and fixed, manufacturers of network equipment such as switches and interface converters show themselves to be responsible vendors. On the other hand, production sites do not always manage to update their software and often rely on the so-called air gap. However, 82% of the technology networks studied are insufficiently protected against penetration from the corporate segment. In such cases attackers can get into the corporate network using public hacking tools or phishing, then get into the technology network segment and exploit vulnerabilities in various equipment, for example the Phoenix Contact switches."

Vladimir Nazarov, head of the safety department of industrial management systems of Positive Technologies

To detect cyber incidents and vulnerabilities in APCS (SCADA), Positive Technologies offers the products PT ISIM and MaxPatrol 8, which take into account the specifics of industrial protocols.

Critical vulnerabilities in FL Switch 3xxx, 4xxx and 48xxx

Positive Technologies experts Ilya Karpov and Evgeny Druzhinin discovered critical vulnerabilities in the industrial Phoenix Contact switches. According to the experts, exploiting the flaws does not require high skill and can be done remotely.

CVE-2017-16743, rated 9.8 on the CVSSv3 scale, lets an attacker bypass authentication on the device's web service by means of special HTTP requests and gain administrative access to the switch. The second vulnerability, CVE-2017-16741 (5.3 points), allows a remote unauthenticated attacker to use the monitoring mode on the device to read redundant and diagnostic information.

FL Switch 3xxx, 4xxx and 48xxx products running software versions 1.0-1.32 are affected by these vulnerabilities. As a remedy, the manufacturer recommends installing firmware 1.33.
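An added example, not from Positive Technologies or Phoenix Contact: an inventory audit that maps each switch's firmware version to the CVEs named on this page that remain unpatched, using the fixed versions stated here (1.33, 1.34 and 1.35). The model-number pattern, the major.minor version ordering and every inventory entry except the FL SWITCH 3006T-2FX SM model name are assumptions.

```python
import re

# First fixed firmware -> CVEs it closes, as listed on this page.
FIXES = {
    (1, 33): ["CVE-2017-16743", "CVE-2017-16741"],
    (1, 34): ["CVE-2018-10728", "CVE-2018-10729",
              "CVE-2018-10730", "CVE-2018-10731"],
    (1, 35): ["CVE-2018-13990", "CVE-2018-13991", "CVE-2018-13992",
              "CVE-2018-13993", "CVE-2018-13994", "CVE-2017-3735"],
}
TARGET = max(FIXES)  # newest fixed version named on the page

# Assumption: "3xxx/4xxx/48xx" means a four-digit model number starting with 3 or 4.
AFFECTED_MODEL = re.compile(r"FL\s+SWITCH\s+[34]\d{3}(?!\d)", re.IGNORECASE)
VERSION = re.compile(r"^\s*v?(\d+)\.(\d+)\s*$", re.IGNORECASE)

def parse_version(text):
    """Return (major, minor) or None when the string is not a plain version."""
    m = VERSION.match(text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def open_cves(firmware):
    """CVEs from this page still unpatched at the given (major, minor) firmware."""
    return [c for fixed, cves in sorted(FIXES.items()) if firmware < fixed for c in cves]

def audit(inventory):
    findings = []
    for host, model, fw_text in inventory:
        if not AFFECTED_MODEL.search(model):
            continue  # not one of the series named in the advisories
        fw = parse_version(fw_text)
        if fw is None:  # unreadable version: flag for manual check, never assume patched
            findings.append({"host": host, "status": "unknown-firmware", "cves": []})
        elif fw < TARGET:
            findings.append({"host": host, "status": "upgrade", "cves": open_cves(fw)})
        else:
            findings.append({"host": host, "status": "ok", "cves": []})
    return findings

# Constructed inventory: hostnames, firmware values and most model strings are made up.
INVENTORY = [
    ("sw-substation-01", "FL SWITCH 3006T-2FX SM", "1.32"),
    ("sw-pump-02", "FL SWITCH 4824E-4GC", "1.34"),
    ("sw-ctrl-03", "FL SWITCH 3016", "1.35"),
    ("sw-lab-04", "FL SWITCH 4008T-2SFP", "n/a"),
    ("sw-office-05", "FL SWITCH 1005N", "1.10"),
]

if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f["host"], f["status"], ", ".join(f["cves"]))
```

Devices whose firmware string cannot be parsed are reported as `unknown-firmware` rather than silently treated as patched.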

"If attackers gain control over vulnerable devices, it can lead to various incidents, up to disruption of stable production operation," explained Ilya Karpov, head of research and audit of industrial management systems of Positive Technologies. "To minimize the risk, it is essential to install the updated software on the switches and to follow the recommendations of ICS-CERT."