Phoenix Contact patches dangerous vulnerabilities in industrial switches

Attackers could disrupt operations by remotely disconnecting critical equipment from industrial networks

Phoenix Contact, a German electrical engineering and automation company, has disclosed four vulnerabilities in FL SWITCH industrial switches. These devices are used for automation at digital substations and in oil and gas, maritime, and other industries.

The vulnerabilities were discovered by Positive Technologies experts Vyacheslav Moskvin, Semyon Sokolov, Evgeny Druzhinin, Ilya Karpov, and Georgy Zaytsev.

The most hazardous of the vulnerabilities is CVE-2018-10730 (CVSS base score 9.1), which enables an attacker to run arbitrary commands on a switch. For example, these commands could include disconnecting all devices from the industrial network, which would compromise site operations.

Also dangerous is CVE-2018-10731 (score 9.0). A buffer overflow could be used to obtain unauthorized access to OS files on the switch and run arbitrary code. Buffer overflows are also involved in vulnerability CVE-2018-10728 (score 8.1), which an attacker could exploit to perform denial of service, run arbitrary code, or disable Web and Telnet services.

In the fourth vulnerability, CVE-2018-10729 (score 5.3), an unauthenticated attacker could read the contents of the switch configuration file.

The vulnerabilities affect FL SWITCH models 3xxx, 4xxx, and 48xxx running firmware versions 1.0–1.33. To stay safe, the vendor strongly recommends updating to firmware version 1.34.

Leigh Anne Galloway Cyber Security Resilience Lead at Positive Technologies commented: “Last year's trend is still going strong: we're seeing more and more advisories regarding new vulnerabilities in industrial network equipment. By informing the public of vulnerabilities and providing patches, vendors of network equipment—such as switches and interface converters—are stepping up to the plate and setting a great example.”

She continued: "However, these patches don't always make it out to installed equipment already in the field. Clients often rely on airgapping even though 82 percent of tested industrial network segments are insufficiently segmented off from corporate IT systems. In these cases, attackers can use ordinary hacking methods, including phishing, to attack the corporate network and then sidestep their way onto mission-critical industrial segments. At that point, they can exploit vulnerabilities in all sorts of industrial equipment, such as unpatched Phoenix Contact switches.”

This is not the first time that the two companies have collaborated to improve the security of industrial switches. In one prior case, Positive Technologies researchers discovered, and Phoenix Contact subsequently fixed, vulnerabilities that could have been used to obtain full control of FL SWITCH devices.

For detecting ICS/SCADA cyberincidents and vulnerabilities, Positive Technologies offers PT ISIM and MaxPatrol 8 to address the unique needs of industrial protocols and networks.