CVE-2021-34598
📋 TL;DR
This vulnerability affects Phoenix Contact FL MGUARD 1102 and 1105 devices when remote logging is enabled. It causes memory exhaustion due to improper memory release in syslog-ng, potentially leading to denial of service. Organizations using these industrial security devices with remote logging active are affected.
💻 Affected Systems
- Phoenix Contact FL MGUARD 1102
- Phoenix Contact FL MGUARD 1105
📦 What is this software?
Fl Mguard 1102 Firmware by Phoenixcontact
Fl Mguard 1105 Firmware by Phoenixcontact
⚠️ Risk & Real-World Impact
Worst Case
Complete device crash and denial of service, disrupting industrial network security functions and potentially causing operational downtime in critical infrastructure.
Likely Case
Gradual performance degradation leading to eventual device instability or reboot, interrupting network security monitoring and logging capabilities.
If Mitigated
Minimal impact if remote logging is disabled or devices are patched, maintaining normal device functionality.
🎯 Exploit Status
Exploitation requires remote logging to be enabled and would involve sending syslog traffic to trigger the memory leak. No authentication bypass is needed if network access to the logging port is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.5.1 or later
Vendor Advisory: https://cert.vde.com/en/advisories/VDE-2021-046/
Restart Required: Yes
Instructions:
1. Download firmware update from Phoenix Contact support portal.
2. Backup device configuration.
3. Upload and apply firmware update via web interface or CLI.
4. Reboot device.
5. Verify version is 1.5.1 or later.
🔧 Temporary Workarounds
Disable Remote Logging
All platforms: Temporarily disable remote syslog functionality to prevent memory exhaustion
# Via web interface: Navigate to System > Logging > Remote Logging and disable
# Via CLI: configure system logging remote disable
Restrict Syslog Network Access
Linux: Limit network access to syslog port (typically UDP 514) to trusted sources only
# Configure firewall rules to restrict access to syslog port
iptables -A INPUT -p udp --dport 514 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p udp --dport 514 -j DROP
🧯 If You Can't Patch
- Disable remote logging functionality immediately
- Implement network segmentation to isolate affected devices from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check device version via web interface (System > Information) or CLI command 'show version'. If version is 1.4.0, 1.4.1, or 1.5.0 AND remote logging is enabled, device is vulnerable.
Check Version:
show version
Verify Fix Applied:
Verify device version is 1.5.1 or later and monitor system memory usage during remote logging operations for stability.
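The version and remote-logging check described above, applied to a whole device inventory, as an added example that is not part of the original page or any vendor tooling. The CSV columns, hostnames and status labels are assumptions and the sample inventory is constructed; firmware versions the page does not list are flagged for review against the vendor advisory rather than guessed.

```python
import csv
import io

AFFECTED_MODELS = {"FL MGUARD 1102", "FL MGUARD 1105"}  # from the page
AFFECTED_VERSIONS = {(1, 4, 0), (1, 4, 1), (1, 5, 0)}   # from the page
FIXED_VERSION = (1, 5, 1)                               # from the page

# Constructed sample inventory; hostnames and column names are assumptions.
SAMPLE_INVENTORY = """\
host,model,firmware,remote_logging
fw-line1,FL MGUARD 1102,1.4.1,enabled
fw-line2,FL MGUARD 1105,1.5.0,disabled
fw-line3,FL MGUARD 1105,1.5.1,enabled
fw-line4,FL MGUARD 1102,1.10.0,enabled
fw-line5,FL MGUARD 1102,1.3.2,enabled
fw-line6,FL MGUARD 1102,unknown,enabled
fw-core,OTHER MODEL,1.4.0,enabled
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not dotted integers."""
    try:
        parts = tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None
    return parts + (0,) * (3 - len(parts))  # pad "1.5" to (1, 5, 0)

def classify(model, firmware, remote_logging):
    """Apply the page's rule: listed version AND remote logging enabled = vulnerable."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return "not-affected-model"
    version = parse_version(firmware)
    if version is None:
        return "check-manually"            # version string could not be parsed
    if version >= FIXED_VERSION:           # numeric compare, so 1.10.0 > 1.5.1
        return "patched"
    if version not in AFFECTED_VERSIONS:
        return "check-advisory"            # older version the page does not list
    if remote_logging.strip().lower() == "enabled":
        return "vulnerable"
    return "affected-logging-disabled"     # workaround in place, still needs the update

def triage(inventory_csv):
    """Map each host in the CSV text to its status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["model"], r["firmware"], r["remote_logging"]) for r in rows}

if __name__ == "__main__":
    print("\n".join(f"{h:10} {s}" for h, s in triage(SAMPLE_INVENTORY).items()))
```

Comparing versions as integer tuples matters here: a plain string comparison would rank "1.10.0" below "1.5.1" and report a patched device as unpatched.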
📡 Detection & Monitoring
Log Indicators:
- Repeated device reboots
- High memory usage warnings in system logs
- Syslog-ng process crashes or restarts
Network Indicators:
- Unusual volume of syslog traffic to affected devices
- Device becoming unresponsive to network requests
SIEM Query:
source="mguard*" AND (event_type="system_reboot" OR memory_usage>90) OR (process="syslog-ng" AND status="crashed")