#VU17214 Security restrictions bypass in Phoenix Contact GmbH Hardware solutions
Vulnerability identifier: #VU17214
Vulnerability risk: Low
CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-307
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
FL SWITCH 4004T-8POE-4SFP
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 4000T-4POE-1SFP
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 3012E-2FX
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 4000T-8POE-2SFP-R
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 3012E-2FX SM
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 4800E-24FX SM-4GC
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 4800E-24FX-4GC
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 4824E-4GC
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 4012T-2GT-2FX ST
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 4012T 2GT 2FX
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 4808E-16FX SM LC-4GC
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 4808E-16FX-4GC
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 4808E-16FX ST-4GC
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 4808E-16FX SM ST-4GC
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 4808E-16FX SM-4GC
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 4808E-16FX LC-4GC
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 4008T-2GT-3FX SM
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 4008T-2GT-4FX SM
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 4008T-2SFP
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 3006T-2FX SM
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 3016T
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 3016
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 3016E
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 3012E-2SFX
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 3006T-2FX ST
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 3006T-2FX
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 3008T
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 3008
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 3004T-FX ST
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 3004T-FX
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 3005T
Hardware solutions /
Routers & switches, VoIP, GSM, etc
FL SWITCH 3005
Hardware solutions /
Routers & switches, VoIP, GSM, etc
Vendor: Phoenix Contact GmbH
Description
The vulnerability allows a remote attacker to bypass security restrictions.
The vulnerability exists due to lack of a login time-out feature to prevent high-speed automated username and password combination guessing. A remote attacker can conduct brute forcing attack against usernames and passwords and bypass security restrictions.
Mitigation
Update to version 1.35 or later.
Vulnerable software versions
FL SWITCH 4004T-8POE-4SFP: All versions
FL SWITCH 4000T-4POE-1SFP: All versions
FL SWITCH 3012E-2FX: All versions
FL SWITCH 4000T-8POE-2SFP-R: All versions
FL SWITCH 3012E-2FX SM: All versions
FL SWITCH 4800E-24FX SM-4GC: All versions
FL SWITCH 4800E-24FX-4GC: All versions
FL SWITCH 4824E-4GC: All versions
FL SWITCH 4012T-2GT-2FX ST: All versions
FL SWITCH 4012T 2GT 2FX: All versions
FL SWITCH 4808E-16FX SM LC-4GC: All versions
FL SWITCH 4808E-16FX-4GC: All versions
FL SWITCH 4808E-16FX ST-4GC: All versions
FL SWITCH 4808E-16FX SM ST-4GC: All versions
FL SWITCH 4808E-16FX SM-4GC: All versions
FL SWITCH 4808E-16FX LC-4GC: All versions
FL SWITCH 4008T-2GT-3FX SM: All versions
FL SWITCH 4008T-2GT-4FX SM: All versions
FL SWITCH 4008T-2SFP: All versions
FL SWITCH 3006T-2FX SM: All versions
FL SWITCH 3016T: All versions
FL SWITCH 3016: All versions
FL SWITCH 3016E: All versions
FL SWITCH 3012E-2SFX: All versions
FL SWITCH 3006T-2FX ST: All versions
FL SWITCH 3006T-2FX: All versions
FL SWITCH 3008T: All versions
FL SWITCH 3008: All versions
FL SWITCH 3004T-FX ST: All versions
FL SWITCH 3004T-FX: All versions
FL SWITCH 3005T: All versions
FL SWITCH 3005: All versions
External links
http://cert.vde.com/de-de/advisories/vde-2019-001
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
