Headline
CVE-2021-34579: VDE-2021-035 | CERT@VDE
In Phoenix Contact: FL MGUARD DM version 1.12.0 and 1.13.0 access to the Apache web server being installed as part of the FL MGUARD DM on Microsoft Windows does not require login credentials even if configured during installation.Attackers with network access to the Apache web server can download and therefore read mGuard configuration profiles (“ATV profiles”). Such configuration profiles may contain sensitive information, e.g. private keys associated with IPsec VPN connections.
2021-08-11 09:59 (CEST) VDE-2021-035
PHOENIX CONTACT: FL MGUARD DM version 1.12.0 and 1.13.0 Improper Privilege Management
Share: Email | Twitter
Published
2021-08-11 09:59 (CEST)
Last update
2021-08-11 09:59 (CEST)
Vendor(s)
PHOENIX CONTACT GmbH & Co. KG
Product(s)
Article No°
Product Name
Affected Version(s)
2981974
FL MGUARD DM
= 1.12.0
2981974
FL MGUARD DM
= 1.13.0
Summary
Access to the Apache web server being installed as part of the FL MGUARD DM on Microsoft Windows does not require login credentials even if configured during installation.
CVE ID
Severity
Weakness
Improper Privilege Management (CWE-269)
Summary
In Phoenix Contact: FL MGUARD DM version 1.12.0 and 1.13.0 access to the Apache web server being installed as part of the FL MGUARD DM on Microsoft Windows does not require login credentials even if configured during installation.Attackers with network access to the Apache web server can download and therefore read mGuard configuration profiles (“ATV profiles”). Such configuration profiles may contain sensitive information, e.g. private keys associated with IPsec VPN connections.
Source
Impact
Attackers with network access to the Apache web server can download and therefore read mGuard configuration profiles (“ATV profiles”). Such configuration profiles may contain sensitive information, e.g. private keys associated with IPsec VPN connections.
Solution
Stop the ApacheMDM Windows service.
Edit file <mdm>/apache/conf/extra/httpd-mdm.conf and remove the instances of these lines for “DocumentRoot” and alias “/atv”:
Controls who can get stuff from this server.
<mdm> refers to the directory in which FL MGUARD DM is installed.
- Start the ApacheMDM Windows service.
Remediation
This vulnerability is fixed in FL MGUARD DM 1.13.0.1. We advise all affected FL MGUARD DM 1.12.0 and 1.13.0 users to upgrade to FL MGUARD DM 1.13.0.1 or a later version.
Additional recommendations:
- Limit network access to the Apache web server to as few network addresses as possible.
- If possible, make use of encrypted mGuard configuration profiles.
Reported by
We kindly appreciate the coordinated disclosure of this vulnerability by the finder.
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.