Positive Technologies uncovers new vulnerabilities in Phoenix Contact industrial switches

Positive Technologies experts Evgeny Druzhinin, Ilya Karpov, and Georgy Zaytsev have identified multiple severe vulnerabilities in Phoenix Contact industrial switches. These devices are used for building networks used in energy, oil and gas, maritime, and other industries.

Paolo Emiliani, Industry and SCADA Research Analyst at Positive Technologies, explained: "Successful exploitation of these weaknesses has the potential to cause disruption, or even total interruption, of ICS operations. An attacker can intercept user credentials and then reconfigure a switch to disable its ports, resulting in failure of network communication between ICS components. Several series of switches are vulnerable: FL SWITCH 3xxx, 4xxx, and 48xx with firmware versions older than 1.35."

The most serious vulnerability (CVE-2018-13993, CVSSv3 score 8.8) involves cross-site request forgery (CSRF), which enables an attacker to run arbitrary commands in the switch web interface as a legitimate user.

Another vulnerability (CVE-2018-13990, score 8.6) is caused by failure of the switch to enforce a timeout between login attempts. As a result, an attacker can obtain access by bruteforcing with password dictionaries. An attacker can also intercept user credentials, which are transmitted in cleartext when the factory settings of the web interface have not been changed (CVE-2018-13992, score 8.2).

In addition, an attacker can perform denial of service by creating a large number of connections to the web interface (CVE-2018-13994, score 7.5) or by taking advantage of buffer errors in the switch's existing security library (CVE-2017-3735, score 5.3). It is also possible to extract the default private keys from the firmware image, which, in the case of a man-in-the-middle attack, would allow gaining access to transmitted information (CVE-2018-13991, score 5.3).

Administrators of affected FL SWITCH devices should update firmware to version 1.35 or newer. Firmware downloads are available on the Phoenix Contact website.