VDE-2021-046

Vulnerability from csaf_phoenixcontactgmbhcokg - Published: 2021-11-10 07:23 - Updated: 2021-11-10 07:23
Summary
PHOENIX CONTACT: XSS and memory-leak in FL MGUARD 1102/1105
Notes
Summary: Cross-site scripting in web-based management and memory leak in the remote logging function of FL MGUARD 1102 and FL MGUARD 1105. CVE-2021-34582: The file upload functionality in the web-based management is affected by a stored cross-site scripting vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation). An authenticated FL MGUARD user with Admin or Super Admin role can upload a certificate file on the Basic settings > LDAP page, on the Logs > Remote logging page, or through the REST API. The content of this file is embedded into the corresponding web page, and any HTML code within the file is rendered when the page is viewed by the same or a different authenticated user. CVE-2021-34598: The remote logging functionality is impaired by the lack of memory release for data structures from syslog-ng when remote logging is active (CWE-770: Allocation of Resources Without Limits or Throttling).
Impact: CVE-2021-34582: By embedding a crafted file into the Logs > Remote logging page, an authenticated user with Admin role can read and/or modify settings only accessible to users with Super Admin role (e.g. user settings, LDAP settings). A successful exploit requires that a user with Super Admin role views the Logs > Remote logging page. A user with Admin role has no access to the settings on the Basic settings > LDAP page, and can therefore exploit the vulnerability only on the Logs > Remote logging page. By embedding a crafted file into the Basic settings > LDAP or Logs > Remote logging page, an authenticated user can modify settings as another user, thereby misrepresenting the identity of the user who made the modifications in the logs. A successful exploit requires the other user to view the Basic settings > LDAP or Logs > Remote logging page. CVE-2021-34598: If remote logging is activated, an attacker can cause a high number of events to be logged, which can lead to a system restart.
Mitigation: CVE-2021-34582: If an untrusted user may have exploited the vulnerability, it is recommended to revoke access for that user, and to re-upload the certificates on the Basic settings > LDAP and Logs > Remote logging pages through the REST API (i.e., without viewing these pages in the web-based management). CVE-2021-34598: To prevent the possibility of an attack, it is recommended to deactivate remote logging.
Remediation: PHOENIX CONTACT recommends upgrading to firmware version 1.5.1 (or any later version), which fixes both vulnerabilities. If the Basic settings > LDAP or Logs > Remote logging pages are viewed after the upgrade, an exploit that may have been embedded into these pages is no longer effective. It is recommended to review all settings for modifications that an untrusted user may have made by exploiting this vulnerability before the upgrade. It is recommended to mistrust logs (generated before the upgrade) with respect to which user modified any settings.
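The stored XSS described above comes down to one rendering decision: the uploaded certificate file is placed into the page as-is, so any markup in it is interpreted by the browser of whoever views the page. The following Python is an added example (not code from Phoenix Contact or the FL MGUARD firmware) showing the flawed pattern beside a hardened one that applies two independent layers: a structural check that the upload is actually a PEM certificate (armour lines plus a base64 body and nothing else), and HTML-escaping of whatever is echoed back. The sample uploads, the function names and the `<pre>` page fragment are all constructed for illustration.

```python
import base64
import binascii
import html
import re

# Constructed sample inputs (not taken from the advisory):
# a structurally valid PEM block, and an upload whose body is HTML markup
# instead of certificate data.
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"MIIBszCCAVmgAwIBAgIUAA==\n"
    b"-----END CERTIFICATE-----\n"
)
HTML_UPLOAD = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"<b>not a certificate</b>\n"
    b"-----END CERTIFICATE-----\n"
)

# PEM armour with only base64 characters and line breaks in between.
PEM_RE = re.compile(
    r"^-----BEGIN CERTIFICATE-----\r?\n"
    r"([A-Za-z0-9+/=\r\n]+)"
    r"-----END CERTIFICATE-----\r?\n?$"
)


def is_pem_certificate(data: bytes) -> bool:
    """Structural check: ASCII only, PEM markers, and a body that is valid base64.

    This does not verify the certificate's contents or chain; it only rules out
    uploads that carry anything other than certificate armour and base64 data.
    """
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    match = PEM_RE.match(text)
    if not match:
        return False
    body = "".join(match.group(1).split())
    try:
        base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def render_vulnerable(upload: bytes) -> str:
    """The flawed pattern: raw upload content is concatenated into the page."""
    return "<pre>" + upload.decode("utf-8", "replace") + "</pre>"


def render_hardened(upload: bytes) -> str:
    """Reject anything that is not a PEM certificate, then escape before embedding."""
    if not is_pem_certificate(upload):
        raise ValueError("upload rejected: not a PEM certificate")
    # html.escape is kept even after validation so that the output is safe
    # regardless of whether the check above is ever weakened or bypassed.
    return "<pre>" + html.escape(upload.decode("ascii")) + "</pre>"


if __name__ == "__main__":
    print(render_vulnerable(HTML_UPLOAD))   # markup reaches the page verbatim
    print(render_hardened(SAMPLE_PEM))      # accepted and escaped
    try:
        render_hardened(HTML_UPLOAD)
    except ValueError as exc:
        print(exc)
```

The validation step is what a REST API upload endpoint should enforce server-side; the escaping step is what the web-based management should do on every page that echoes the stored file, which is also why the advisory's note that viewing the pages after the upgrade renders an embedded exploit ineffective makes sense: once output is escaped, stored content can no longer be interpreted as markup.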

CVE-2021-34598
In Phoenix Contact FL MGUARD 1102 and 1105 in versions 1.4.0, 1.4.1 and 1.5.0, the remote logging functionality is impaired by the lack of memory release for data structures from syslog-ng when remote logging is active.

CWE-401 - Missing Release of Memory after Effective Lifetime
Mitigation: CVE-2021-34582: If an untrusted user may have exploited the vulnerability, it is recommended to revoke access for that user, and to re-upload the certificates on the Basic settings > LDAP and Logs > Remote logging pages through the REST API (i.e., without viewing these pages in the web-based management). CVE-2021-34598: To prevent the possibility of an attack, it is recommended to deactivate remote logging.
Vendor Fix: PHOENIX CONTACT recommends upgrading to firmware version 1.5.1 (or any later version), which fixes both vulnerabilities. If the Basic settings > LDAP or Logs > Remote logging pages are viewed after the upgrade, an exploit that may have been embedded into these pages is no longer effective. It is recommended to review all settings for modifications that an untrusted user may have made by exploiting this vulnerability before the upgrade. It is recommended to mistrust logs (generated before the upgrade) with respect to which user modified any settings.

CVE-2021-34582
In Phoenix Contact FL MGUARD 1102 and 1105 in versions 1.4.0, 1.4.1 and 1.5.0, a user with high privileges can inject HTML code (XSS) through the web-based management or the REST API with a manipulated certificate file.

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Mitigation: CVE-2021-34582: If an untrusted user may have exploited the vulnerability, it is recommended to revoke access for that user, and to re-upload the certificates on the Basic settings > LDAP and Logs > Remote logging pages through the REST API (i.e., without viewing these pages in the web-based management). CVE-2021-34598: To prevent the possibility of an attack, it is recommended to deactivate remote logging.
Vendor Fix: PHOENIX CONTACT recommends upgrading to firmware version 1.5.1 (or any later version), which fixes both vulnerabilities. If the Basic settings > LDAP or Logs > Remote logging pages are viewed after the upgrade, an exploit that may have been embedded into these pages is no longer effective. It is recommended to review all settings for modifications that an untrusted user may have made by exploiting this vulnerability before the upgrade. It is recommended to mistrust logs (generated before the upgrade) with respect to which user modified any settings.
Acknowledgments
CERT@VDE certvde.com

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "Cross-site scripting in web-based management and memory leak in the remote logging function of FL MGUARD 1102 and FL MGUARD 1105.\n\nCVE-2021-34582:\nThe file upload functionality in the web-based management is affected by a stored cross-site scripting vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation). An authenticated FL MGUARD user with Admin or Super Admin role can upload a certificate file on the Basic settings \u003e LDAP page, on the Logs \u003e Remote logging page, or through the REST API. The content of this file is embedded into the corresponding web page, and any\nHTML code within the file is rendered when the page is viewed by the same or a different authenticated user.\n\nCVE-2021-34598:\nThe remote logging functionality is impaired by the lack of memory release for data structures from syslog-ng when remote logging is active (CWE-770: Allocation of Resources Without Limits or Throttling).",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "CVE-2021-34582:\nBy embedding a crafted file into the Logs \u003e Remote logging page, an authenticated user with Admin role can read and/or modify settings only accessible to users with Super Admin role (e.g. user settings, LDAP settings). A successful exploit requires that a user with Super Admin role views the Logs \u003e Remote logging page.\nA user with Admin role has no access to the settings on the Basic settings \u003e LDAP page, and can therefore exploit the vulnerability only on the Logs \u003e Remote logging page. By embedding a crafted file into the Basic settings \u003e LDAP or Logs \u003e Remote logging page, an authenticated user can modify settings as another user, thereby misrepresenting the identity of the user who made the modifications in the logs. A successful exploit requires the other user to view the Basic settings \u003e LDAP or Logs \u003e Remote logging page.\n\nCVE-2021-34598:\nIf remote logging is activated, an attacker can cause a high number of events to be logged, which can lead to a system restart.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "CVE-2021-34582:\nIf an untrusted user may have exploited the vulnerability, it is recommended to revoke access for that user, and to re-upload the certificates on the Basic settings \u003e LDAP and Logs \u003e Remote logging pages through the REST API (i.e., without viewing these pages in the web-based management).\nCVE-2021-34598:\nTo prevent the possibility of an attack, it is recommended to deactivate remote logging.",
        "title": "Mitigation"
      },
      {
        "category": "description",
        "text": "PHOENIX CONTACT recomments to upgrade to firmware version 1.5.1 (or any later version) which fixes both vulnerabitlities.\n\nIf the Basic settings \u003e LDAP or Logs \u003e Remote logging page are viewed after the upgrade, an exploit that may have been embedded into these pages is no longer effective. \n\nIt is recommended to review all settings for modifications that an untrusted user may have made by exploiting this vulnerability before the upgrade.\n\nIt is recommended to mistrust logs (generated before the upgrade) with respect to which user\nmodified any settings.",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@phoenixcontact.com",
      "name": "Phoenix Contact GmbH \u0026 Co. KG",
      "namespace": "https://phoenixcontact.com/psirt"
    },
    "references": [
      {
        "category": "external",
        "summary": "PHOENIX CONTACT advisory overview at CERT@VDE",
        "url": "https://certvde.com/de/advisories/vendor/phoenixcontact/"
      },
      {
        "category": "self",
        "summary": "VDE-2021-046: PHOENIX CONTACT: XSS and memory-leak in FL MGUARD 1102/1105 - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2021-046"
      },
      {
        "category": "self",
        "summary": "VDE-2021-046: PHOENIX CONTACT: XSS and memory-leak in FL MGUARD 1102/1105 - CSAF",
        "url": "https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2021/vde-2021-046.json"
      }
    ],
    "title": "PHOENIX CONTACT: XSS and memory-leak in FL MGUARD 1102/1105",
    "tracking": {
      "aliases": [
        "VDE-2021-046"
      ],
      "current_release_date": "2021-11-10T07:23:00.000Z",
      "generator": {
        "date": "2025-03-21T11:56:27.773Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.21"
        }
      },
      "id": "VDE-2021-046",
      "initial_release_date": "2021-11-10T07:23:00.000Z",
      "revision_history": [
        {
          "date": "2021-11-10T07:23:00.000Z",
          "number": "1",
          "summary": "Initial revision."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "FL MGUARD 1102",
                "product": {
                  "name": "FL MGUARD 1102",
                  "product_id": "CSAFPID-11001",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1153079"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "FL MGUARD 1102",
                "product": {
                  "name": "FL MGUARD 1102",
                  "product_id": "CSAFPID-11002",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1153079"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "FL MGUARD 1102",
                "product": {
                  "name": "FL MGUARD 1102",
                  "product_id": "CSAFPID-11003",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1153079"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "FL MGUARD 1105",
                "product": {
                  "name": "FL MGUARD 1105",
                  "product_id": "CSAFPID-11004",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1153078"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "FL MGUARD 1105",
                "product": {
                  "name": "FL MGUARD 1105",
                  "product_id": "CSAFPID-11005",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1153078"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "FL MGUARD 1105",
                "product": {
                  "name": "FL MGUARD 1105",
                  "product_id": "CSAFPID-11006",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1153078"
                    ]
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "1.4.0",
                "product": {
                  "name": "Firmware 1.4.0",
                  "product_id": "CSAFPID-21001"
                }
              },
              {
                "category": "product_version",
                "name": "1.4.1",
                "product": {
                  "name": "Firmware 1.4.1",
                  "product_id": "CSAFPID-21002"
                }
              },
              {
                "category": "product_version",
                "name": "1.5.0",
                "product": {
                  "name": "Firmware 1.5.0",
                  "product_id": "CSAFPID-21003"
                }
              },
              {
                "category": "product_version",
                "name": "1.5.1",
                "product": {
                  "name": "Firmware 1.5.1",
                  "product_id": "CSAFPID-22001"
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "PHOENIX CONTACT"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006"
        ],
        "summary": "Affected Products."
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005",
          "CSAFPID-32006"
        ],
        "summary": "Fixed Products"
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 1.4.0 installed on FL MGUARD 1102",
          "product_id": "CSAFPID-31001"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 1.4.1 installed on FL MGUARD 1102",
          "product_id": "CSAFPID-31002"
        },
        "product_reference": "CSAFPID-21002",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 1.5.0 installed on FL MGUARD 1102",
          "product_id": "CSAFPID-31003"
        },
        "product_reference": "CSAFPID-21003",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 1.4.0 installed on FL MGUARD 1105",
          "product_id": "CSAFPID-31004"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11004"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 1.4.1 installed on FL MGUARD 1105",
          "product_id": "CSAFPID-31005"
        },
        "product_reference": "CSAFPID-21002",
        "relates_to_product_reference": "CSAFPID-11005"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 1.5.0 installed on FL MGUARD 1105",
          "product_id": "CSAFPID-31006"
        },
        "product_reference": "CSAFPID-21003",
        "relates_to_product_reference": "CSAFPID-11006"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 1.5.1 installed on FL MGUARD 1102",
          "product_id": "CSAFPID-32001"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 1.5.1 installed on FL MGUARD 1102",
          "product_id": "CSAFPID-32002"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 1.5.1 installed on FL MGUARD 1102",
          "product_id": "CSAFPID-32003"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 1.5.1 installed on FL MGUARD 1105",
          "product_id": "CSAFPID-32004"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11004"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 1.5.1 installed on FL MGUARD 1105",
          "product_id": "CSAFPID-32005"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11005"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 1.5.1 installed on FL MGUARD 1105",
          "product_id": "CSAFPID-32006"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11006"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-34598",
      "cwe": {
        "id": "CWE-401",
        "name": "Missing Release of Memory after Effective Lifetime"
      },
      "notes": [
        {
          "category": "description",
          "text": "In Phoenix Contact FL MGUARD 1102 and 1105 in Versions 1.4.0, 1.4.1 and 1.5.0 the remote logging functionality is impaired by the lack of memory release for data structures from syslog-ng when remote logging is active",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005",
          "CSAFPID-32006"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "CVE-2021-34582:\nIf an untrusted user may have exploited the vulnerability, it is recommended to revoke access for that user, and to re-upload the certificates on the Basic settings \u003e LDAP and Logs \u003e Remote logging pages through the REST API (i.e., without viewing these pages in the web-based management).\nCVE-2021-34598:\nTo prevent the possibility of an attack, it is recommended to deactivate remote logging.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "PHOENIX CONTACT recomments to upgrade to firmware version 1.5.1 (or any later version) which fixes both vulnerabitlities.\n\nIf the Basic settings \u003e LDAP or Logs \u003e Remote logging page are viewed after the upgrade, an exploit that may have been embedded into these pages is no longer effective. \n\nIt is recommended to review all settings for modifications that an untrusted user may have made by exploiting this vulnerability before the upgrade.\n\nIt is recommended to mistrust logs (generated before the upgrade) with respect to which user\nmodified any settings.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "environmentalScore": 7.5,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.5,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006"
          ]
        }
      ],
      "title": "CVE-2021-34598"
    },
    {
      "cve": "CVE-2021-34582",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "description",
          "text": "In Phoenix Contact FL MGUARD 1102 and 1105 in Versions 1.4.0, 1.4.1 and 1.5.0 a user with high privileges can inject HTML code (XSS) through web-based management or the REST API with a manipulated certificate file.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005",
          "CSAFPID-32006"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "CVE-2021-34582:\nIf an untrusted user may have exploited the vulnerability, it is recommended to revoke access for that user, and to re-upload the certificates on the Basic settings \u003e LDAP and Logs \u003e Remote logging pages through the REST API (i.e., without viewing these pages in the web-based management).\nCVE-2021-34598:\nTo prevent the possibility of an attack, it is recommended to deactivate remote logging.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "PHOENIX CONTACT recomments to upgrade to firmware version 1.5.1 (or any later version) which fixes both vulnerabitlities.\n\nIf the Basic settings \u003e LDAP or Logs \u003e Remote logging page are viewed after the upgrade, an exploit that may have been embedded into these pages is no longer effective. \n\nIt is recommended to review all settings for modifications that an untrusted user may have made by exploiting this vulnerability before the upgrade.\n\nIt is recommended to mistrust logs (generated before the upgrade) with respect to which user\nmodified any settings.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 4.8,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "temporalScore": 4.8,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006"
          ]
        }
      ],
      "title": "CVE-2021-34582"
    }
  ]
}

