CVE-2024-43385
📋 TL;DR
This vulnerability allows low-privileged remote attackers to execute arbitrary operating system commands as root on affected mGuard devices. Attackers can exploit improper input sanitization in the PROXY_HTTP_PORT variable to gain complete system control. Organizations using vulnerable mGuard devices are affected.
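The "improper input sanitization" described above is the absence of an allowlist on a value that should only ever be a port number. The sketch below is an added illustration of that check and of auditing stored settings for values that fail it; it is not Phoenix Contact or mGuard code, and the KEY=VALUE settings format, the `OTHER_PORT` name and the sample values are constructed assumptions.

```shell
#!/bin/sh
# Added illustration of the CWE-78 defence; not Phoenix Contact / mGuard code.
# The KEY=VALUE settings format and the OTHER_PORT name are constructed.

# is_valid_port VALUE
# Succeeds only for a canonical decimal TCP port in 1..65535.
is_valid_port() {
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;   # empty, any non-digit, or leading zero
    esac
    # Length check first so the numeric test never sees an oversized integer.
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# audit_settings
# Reads KEY=VALUE lines on stdin and prints the name of every *_PORT setting
# whose value fails the allowlist. Values are only compared, never evaluated.
audit_settings() {
    while IFS='=' read -r key value || [ -n "$key" ]; do
        case "$key" in
            *_PORT) is_valid_port "$value" || printf '%s\n' "$key" ;;
        esac
    done
}

# Constructed sample: the first value carries a shell metacharacter and text
# after the number, which is exactly what a digits-only allowlist rejects.
sample_settings() {
    cat <<'EOF'
PROXY_HTTP_PORT=3128; echo injected
OTHER_PORT=8080
HOSTNAME=gw1
EOF
}

sample_settings | audit_settings
```

Validation belongs at the point where the value is accepted, and the value should still be passed on as a single quoted argument rather than spliced into a command string.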
💻 Affected Systems
- Phoenix Contact mGuard devices
📦 What is this software?
Fl Mguard 2102 Firmware by Phoenixcontact
Fl Mguard 2105 Firmware by Phoenixcontact
Fl Mguard 4102 Pcie Firmware by Phoenixcontact
Fl Mguard 4302 Firmware by Phoenixcontact
Fl Mguard 4305 Firmware by Phoenixcontact
Fl Mguard Centerport Vpn 1000 Firmware by Phoenixcontact
Fl Mguard Core Tx Vpn Firmware by Phoenixcontact
Fl Mguard Delta Tx/tx Firmware by Phoenixcontact
Fl Mguard Delta Tx/tx Vpn Firmware by Phoenixcontact
Fl Mguard Gt/gt Firmware by Phoenixcontact
Fl Mguard Gt/gt Vpn Firmware by Phoenixcontact
Fl Mguard Pci4000 Vpn Firmware by Phoenixcontact
Fl Mguard Pcie4000 Vpn Firmware by Phoenixcontact
Fl Mguard Rs2000 Tx/tx B Firmware by Phoenixcontact
Fl Mguard Rs2000 Tx/tx Vpn Firmware by Phoenixcontact
Fl Mguard Rs2005 Tx Vpn Firmware by Phoenixcontact
Fl Mguard Rs4000 Tx/tx Firmware by Phoenixcontact
Fl Mguard Rs4000 Tx/tx M Firmware by Phoenixcontact
Fl Mguard Rs4000 Tx/tx P Firmware by Phoenixcontact
Fl Mguard Rs4000 Tx/tx Vpn Firmware by Phoenixcontact
Fl Mguard Rs4004 Tx/dtx Firmware by Phoenixcontact
Fl Mguard Rs4004 Tx/dtx Vpn Firmware by Phoenixcontact
Fl Mguard Smart2 Firmware by Phoenixcontact
Fl Mguard Smart2 Vpn Firmware by Phoenixcontact
Tc Mguard Rs2000 3g Vpn Firmware by Phoenixcontact
Tc Mguard Rs2000 4g Att Vpn Firmware by Phoenixcontact
Tc Mguard Rs2000 4g Vpn Firmware by Phoenixcontact
Tc Mguard Rs2000 4g Vzw Vpn Firmware by Phoenixcontact
Tc Mguard Rs4000 3g Vpn Firmware by Phoenixcontact
Tc Mguard Rs4000 4g Att Vpn Firmware by Phoenixcontact
Tc Mguard Rs4000 4g Vpn Firmware by Phoenixcontact
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with root-level access, allowing attackers to install persistent backdoors, exfiltrate sensitive data, pivot to internal networks, or render devices inoperable.
Likely Case
Attackers gain root shell access to compromise the device, potentially using it as a foothold for lateral movement within the network or to intercept/modify network traffic.
If Mitigated
With proper network segmentation and access controls, impact is limited to the compromised device, though root access still allows significant damage to that system.
🎯 Exploit Status
Requires low-privileged access but exploitation is straightforward once authenticated. The CWE-78 (OS command injection) pattern is well-understood by attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched versions
Vendor Advisory: https://cert.vde.com/en/advisories/VDE-2024-039
Restart Required: Yes
Instructions:
1. Access mGuard web interface.
2. Navigate to firmware update section.
3. Download latest firmware from Phoenix Contact support portal.
4. Upload and apply firmware update.
5. Reboot device after update completes.
🔧 Temporary Workarounds
Restrict network access
Limit access to mGuard management interface to trusted IP addresses only
Configure firewall rules to restrict access to mGuard management ports (typically 443/HTTPS)
Disable unnecessary proxy features
Disable proxy functionality if not required for operations
Navigate to proxy settings in web interface and disable HTTP proxy if not needed
🧯 If You Can't Patch
- Implement strict network segmentation to isolate mGuard devices from critical systems
- Enable detailed logging and monitoring for suspicious command execution patterns
🔍 How to Verify
Check if Vulnerable:
Check firmware version against vendor advisory. If version is older than patched version listed in VDE-2024-039, device is vulnerable.
Check Version:
Login to mGuard web interface and check System Information or About page for firmware version
Verify Fix Applied:
Verify firmware version has been updated to patched version and test proxy functionality to ensure commands cannot be injected.
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in system logs
- Multiple failed authentication attempts followed by successful login
- Unexpected proxy configuration changes
Network Indicators:
- Unusual outbound connections from mGuard device
- Traffic patterns suggesting command-and-control communication
SIEM Query:
source="mguard" AND (event_type="command_execution" OR event_type="proxy_config_change")