CVE-2024-43387

8.8 HIGH

📋 TL;DR

A low-privileged remote attacker can read and write files as root on mGuard devices due to improper input sanitization of the EMAIL_RELAY_PASSWORD variable. This allows privilege escalation to root access. Organizations using affected mGuard devices are vulnerable.

💻 Affected Systems

Products:
  • Phoenix Contact mGuard devices
Versions: All versions prior to firmware version 8.10.0
Operating Systems: Embedded Linux on mGuard hardware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with email relay functionality configured. The vulnerability exists in how the EMAIL_RELAY_PASSWORD variable is processed.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with root access, allowing installation of persistent backdoors, data exfiltration, and use as a pivot point into internal networks.

🟠 Likely Case: Attackers gain root privileges to steal credentials, modify configurations, or disrupt network security functions.

🟢 If Mitigated: Limited to isolated network segments with strict access controls preventing external exploitation.

🌐 Internet-Facing: HIGH - mGuard devices are often deployed as perimeter security devices directly exposed to the internet.
🏢 Internal Only: MEDIUM - Internal attackers with low privileges could exploit this to gain root access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires low-privileged access first. The CWE-78 (OS Command Injection) classification suggests straightforward exploitation once initial access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware version 8.10.0

Vendor Advisory: https://cert.vde.com/en/advisories/VDE-2024-039

Restart Required: Yes

Instructions:

1. Download firmware 8.10.0 from the Phoenix Contact support portal.
2. Back up the current configuration.
3. Upload the firmware via the web interface.
4. Apply the firmware update.
5. Reboot the device.
6. Restore the configuration if needed.

🔧 Temporary Workarounds

Disable email relay functionality

Remove or disable the email relay configuration to eliminate the vulnerable code path:

1. Log in to the mGuard web interface.
2. Navigate to System > Email.
3. Remove the email relay server configuration.
4. Save changes.

Restrict network access

Limit access to mGuard management interfaces to trusted IP addresses only:

1. Configure firewall rules to restrict access to the mGuard management IP/ports.
2. Allow access only from specific management networks.

🧯 If You Can't Patch

  • Isolate mGuard devices in separate VLAN with strict network segmentation
  • Implement multi-factor authentication and strong credential policies for all user accounts

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface: System > Information. Versions below 8.10.0 are vulnerable.

Check Version:

ssh admin@mguard-ip 'cat /etc/version' or check the web interface under System > Information

Verify Fix Applied:

Confirm firmware version is 8.10.0 or higher in System > Information page.
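The version check above relies on comparing the reported firmware version against 8.10.0. A plain string comparison gets this wrong (it ranks "8.9.1" above "8.10.0"), so the following added helper, which is not part of the advisory, compares the dotted components numerically. It assumes /etc/version yields a plain dotted version such as "8.9.1"; any other format is reported as unknown.

```shell
#!/bin/sh
# Added example: decide whether a reported mGuard firmware version is
# below the fixed release 8.10.0. Assumes a dotted numeric version string.

FIXED_VERSION="8.10.0"

# Compare two dotted versions field by field as integers.
# Prints -1, 0 or 1 for a<b, a=b, a>b. Missing trailing fields count as 0,
# so "8.10" compares equal to "8.10.0".
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# Returns 0 if the version is vulnerable (below 8.10.0), 1 if it is fixed,
# and 2 if the string is not a dotted numeric version.
mguard_is_vulnerable() {
    ver="$1"
    case "$ver" in
        ""|*[!0-9.]*) return 2 ;;
    esac
    if [ "$(version_cmp "$ver" "$FIXED_VERSION")" -lt 0 ]; then
        return 0
    fi
    return 1
}

# Typical use, feeding in the advisory's own check (hostname is a placeholder):
#   mguard_is_vulnerable "$(ssh admin@mguard-ip 'cat /etc/version')"
#   case $? in 0) echo VULNERABLE ;; 1) echo fixed ;; *) echo unknown ;; esac
```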

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in system logs
  • Unexpected privilege escalation events
  • Suspicious commands executed with root privileges

Network Indicators:

  • Unusual outbound connections from mGuard devices
  • Unexpected SSH or management traffic patterns

SIEM Query:

source="mguard-logs" AND (event="privilege_escalation" OR (event="file_access" AND user="root"))
