CVE-2020-12523 : On Phoenix Contact mGuard Devices versions before 8.8.3 LAN ports get functional

On Phoenix Contact mGuard Devices versions before 8.8.3 LAN ports get functional after reboot even if they are disabled in the device configuration. For mGuard devices with integrated switch on the LAN side, single switch ports can be disabled by device configuration. After a reboot these ports get functional independent from their configuration setting: Missing Initialization of Resource

Published 2020-12-17 23:15:13

Updated 2020-12-21 14:16:12

Source CERT VDE

View at NVD, CVE.org

Products affected by CVE-2020-12523

Phoenixcontact » Tc Mguard Rs4000 4g Vzw Vpn Firmware
Versions before (<) 8.8.3
cpe:2.3:o:phoenixcontact:tc_mguard_rs4000_4g_vzw_vpn_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Phoenixcontact » Tc Mguard Rs4000 4g Vzw Vpn » Version: N/A
Phoenixcontact » Tc Mguard Rs4000 4g Att Vpn Firmware
Versions before (<) 8.8.3
cpe:2.3:o:phoenixcontact:tc_mguard_rs4000_4g_att_vpn_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Phoenixcontact » Tc Mguard Rs4000 4g Att Vpn » Version: N/A
Phoenixcontact » Fl Mguard Rs4004 Tx/dtx Firmware
Versions before (<) 8.8.3
cpe:2.3:o:phoenixcontact:fl_mguard_rs4004_tx\/dtx_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Phoenixcontact » Fl Mguard Rs4004 Tx/dtx » Version: N/A
Phoenixcontact » Fl Mguard Rs4004 Tx/dtx Vpn Firmware
Versions before (<) 8.8.3
cpe:2.3:o:phoenixcontact:fl_mguard_rs4004_tx\/dtx_vpn_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Phoenixcontact » Fl Mguard Rs4004 Tx/dtx Vpn » Version: N/A
Phoenixcontact » Tc Mguard Rs4000 3g Vpn Firmware » Version: N/A
cpe:2.3:o:phoenixcontact:tc_mguard_rs4000_3g_vpn_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Phoenixcontact » Tc Mguard Rs4000 3g Vpn » Version: N/A
Phoenixcontact » Tc Mguard Rs4000 4g Vpn Firmware
Versions before (<) 8.8.3
cpe:2.3:o:phoenixcontact:tc_mguard_rs4000_4g_vpn_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Phoenixcontact » Tc Mguard Rs4000 4g Vpn » Version: N/A
Phoenixcontact » Innominate Mguard Rs4000 4tx/tx Firmware
Versions before (<) 8.8.3
cpe:2.3:o:phoenixcontact:innominate_mguard_rs4000_4tx\/tx_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Phoenixcontact » Innominate Mguard Rs4000 4tx/tx » Version: N/A
Phoenixcontact » Innominate Mguard Rs4000 4tx/tx Vpn Firmware
Versions before (<) 8.8.3
cpe:2.3:o:phoenixcontact:innominate_mguard_rs4000_4tx\/tx_vpn_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Phoenixcontact » Innominate Mguard Rs4000 4tx/tx Vpn » Version: N/A
Phoenixcontact » Innominate Mguard Rs4000 4tx/3g/tx Vpn Firmware
Versions before (<) 8.8.3
cpe:2.3:o:phoenixcontact:innominate_mguard_rs4000_4tx\/3g\/tx_vpn_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Phoenixcontact » Innominate Mguard Rs4000 4tx/3g/tx Vpn » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2020-12523

EPSS FAQ

0.38%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 56 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-12523

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.4	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:P	10.0	4.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: Partial
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L	2.8	2.5	CERT VDE
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: None Availability: Low
9.1	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H	3.9	5.2	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: High

CWE ids for CVE-2020-12523

CWE-909 Missing Initialization of Resource

The product does not initialize a critical resource.
Assigned by:
- info@cert.vde.com (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2020-12523

https://cert.vde.com/en-us/advisories/vde-2020-046

PHOENIX CONTACT: mGuard products missing initialization of resource — English (USA)
Third Party Advisory

Jump to

Vulnerability Details : CVE-2020-12523

Products affected by CVE-2020-12523

Exploit prediction scoring system (EPSS) score for CVE-2020-12523

CVSS scores for CVE-2020-12523

CWE ids for CVE-2020-12523

References for CVE-2020-12523