The latest firmware updates released by Phoenix Contact for its FL SWITCH industrial ethernet switches address a total of six vulnerabilities that can be exploited to obtain credentials for the web interface, conduct unauthorized activities, cause a denial-of-service (DoS) condition, and launch man-in-the-middle (MitM) attacks.
Phoenix Contact is a Germany-based provider of industrial automation, connectivity and interface solutions. Its FL switches are used worldwide in sectors such as critical manufacturing, IT, and communications.
Researchers from Positive Technologies discovered that 3xxx, 4xxx and 48xx series switches running a version of the firmware prior to 1.35 are vulnerable to attacks.
Based on their CVSS score, four of the flaws have been assigned a severity rating of “high.” One of them is a cross-site request forgery (CSRF) issue that allows an attacker to conduct unauthorized activities on the device by getting a legitimate user to click on a malicious link.
Another serious vulnerability is related to the lack of a mechanism for preventing automated and repeated attempts to access the user interface. This allows a malicious actor to obtain the username and password for a device’s interface using a brute force attack.
The researchers also noticed that the web interface is accessed by default over HTTP, which allows an MitM attacker to intercept credentials as they travel from the user’s browser to the switch.
An attacker can prevent others from accessing the web interface by initiating over 120 connections, which causes a DoS condition. This prevents not only new connections, but also disrupts existing ones.
The remaining flaws, with a severity rating of “medium,” allow attackers to obtain the device’s default private keys from the firmware and use them for MitM attacks, and cause certificates to be displayed incorrectly by exploiting a weakness in the switch’s security library.
It’s worth mentioning that versions 1.33 and 1.34 of the firmware for Phoenix Contact FL switches also address vulnerabilities discovered by Positive Technologies. Those flaws were disclosed last year in January and May.