Critical Vulnerability Information Title: PHOENIX CONTACT mGuard Last Revised Date: September 19, 2017 Alert Code: ICSA-17-017-01 CVSS V3 Score: 9.8 Note: Remotely Exploitable / Low Skill Level Exploitable Vendor: PHOENIX CONTACT Device: mGuard Vulnerability: Software update resets password to default value Affected Products The vulnerability affects the following mGuard products: - Only devices updated to version 8.4.0 are affected. Impact This vulnerability may allow an attacker to log in to the system with administrator privileges. Mitigation PHOENIX CONTACT recommends users update to version 8.4.1 (or higher, if available). If already updated to 8.4.0, change the "admin" password via WebUI or command line. If the device is still accessible via SSH or HTTPS from untrusted sources after updating to 8.4.0, reset the device and replace all private keys and passwords. Implement protective measures to minimize the risk of exploitation: - Minimize network exposure of all control systems and ensure they are not accessible from the internet. - Isolate control system networks and remote devices behind firewalls and separate them from business networks. - When remote access is required, use secure methods such as VPN, and regularly update to the latest version. - Perform appropriate impact analysis and risk assessment before deploying protective measures. Vulnerability Overview Resource Injection CWE-99 When updating the mGuard device to version 8.4.0, although the update succeeds, the password for the "admin" user is reset to its default value. CVE ID: CVE-2017-5159 CVSS V3 Base Score: 9.8 Researchers The vulnerability was discovered by PHOENIX CONTACT. Background Critical Infrastructure Sector: Critical Manufacturing Deployment Countries/Regions: Global Company Headquarters Location: Germany