CVE-2024-43391
📋 TL;DR
This vulnerability allows low-privileged remote attackers to modify firewall configuration settings through the FW_PORTFORWARDING.SRC_IP environment variable. Attackers can alter packet filtering, forwarding, network access control, or NAT rules, potentially causing denial of service. Systems running affected firewall software with exposed management interfaces are vulnerable.
💻 Affected Systems
- Phoenix Contact FL MGUARD / TC MGUARD firewall firmware (product list below; the exact affected versions are given in the vendor advisory)
📦 What is this software?
Fl Mguard 2102 Firmware by Phoenixcontact
Fl Mguard 2105 Firmware by Phoenixcontact
Fl Mguard 4102 Pcie Firmware by Phoenixcontact
Fl Mguard 4302 Firmware by Phoenixcontact
Fl Mguard 4305 Firmware by Phoenixcontact
Fl Mguard Centerport Vpn 1000 Firmware by Phoenixcontact
Fl Mguard Core Tx Vpn Firmware by Phoenixcontact
Fl Mguard Delta Tx/tx Firmware by Phoenixcontact
Fl Mguard Delta Tx/tx Vpn Firmware by Phoenixcontact
Fl Mguard Gt/gt Firmware by Phoenixcontact
Fl Mguard Gt/gt Vpn Firmware by Phoenixcontact
Fl Mguard Pci4000 Vpn Firmware by Phoenixcontact
Fl Mguard Pcie4000 Vpn Firmware by Phoenixcontact
Fl Mguard Rs2000 Tx/tx B Firmware by Phoenixcontact
Fl Mguard Rs2000 Tx/tx Vpn Firmware by Phoenixcontact
Fl Mguard Rs2005 Tx Vpn Firmware by Phoenixcontact
Fl Mguard Rs4000 Tx/tx Firmware by Phoenixcontact
Fl Mguard Rs4000 Tx/tx M Firmware by Phoenixcontact
Fl Mguard Rs4000 Tx/tx P Firmware by Phoenixcontact
Fl Mguard Rs4000 Tx/tx Vpn Firmware by Phoenixcontact
Fl Mguard Rs4004 Tx/dtx Firmware by Phoenixcontact
Fl Mguard Rs4004 Tx/dtx Vpn Firmware by Phoenixcontact
Fl Mguard Smart2 Firmware by Phoenixcontact
Fl Mguard Smart2 Vpn Firmware by Phoenixcontact
Tc Mguard Rs2000 3g Vpn Firmware by Phoenixcontact
Tc Mguard Rs2000 4g Att Vpn Firmware by Phoenixcontact
Tc Mguard Rs2000 4g Vpn Firmware by Phoenixcontact
Tc Mguard Rs2000 4g Vzw Vpn Firmware by Phoenixcontact
Tc Mguard Rs4000 3g Vpn Firmware by Phoenixcontact
Tc Mguard Rs4000 4g Att Vpn Firmware by Phoenixcontact
Tc Mguard Rs4000 4g Vpn Firmware by Phoenixcontact
⚠️ Risk & Real-World Impact
Worst Case
Complete firewall rule manipulation leading to network-wide DoS, unauthorized network access, or redirection of traffic through attacker-controlled paths.
Likely Case
Targeted DoS against specific services or network segments through firewall rule modifications that block legitimate traffic.
If Mitigated
Limited impact with proper network segmentation and access controls preventing low-privileged users from reaching firewall management interfaces.
🎯 Exploit Status
Exploitation requires low-privileged access but is straightforward through environment variable manipulation. No public exploit code identified in provided reference.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched versions
Vendor Advisory: https://cert.vde.com/en/advisories/VDE-2024-039
Restart Required: Yes
Instructions:
1. Review the vendor advisory for affected versions.
2. Apply the vendor-provided security patches.
3. Restart firewall services.
4. Verify that the patch was applied by checking the running version.
🔧 Temporary Workarounds
Restrict Firewall Management Access
Limit access to firewall configuration interfaces to authorized administrators only
# Configure firewall rules to restrict management interface access
# Example: iptables -A INPUT -p tcp --dport [management_port] -s [trusted_network] -j ACCEPT
# iptables -A INPUT -p tcp --dport [management_port] -j DROP
Environment Variable Sanitization
Implement input validation for the FW_PORTFORWARDING.SRC_IP variable before its value reaches the firewall configuration
# Add validation in firewall configuration scripts (bash)
# Example: accept only a dotted-quad IPv4 value with nothing appended before or after it
# validate_ip() { [[ $1 =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; }
# The variable name contains a dot, so "$FW_PORTFORWARDING.SRC_IP" would expand only $FW_PORTFORWARDING and append ".SRC_IP" literally; read it with printenv instead
# Use: validate_ip "$(printenv 'FW_PORTFORWARDING.SRC_IP')" || exit 1
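A stricter version of this check, as an added example that is not part of the advisory or of Phoenix Contact's firmware: it accepts a single IPv4 address or an IPv4 CIDR network for FW_PORTFORWARDING.SRC_IP, checks every octet and the prefix length numerically, and rejects anything appended to the value. The function names and the use of printenv to read a dotted variable name are assumptions for a POSIX sh configuration script.

```shell
#!/bin/sh
# Added example, not Phoenix Contact code: validate the value carried in
# FW_PORTFORWARDING.SRC_IP before it is written into a firewall rule.
# Rejects empty values, trailing text, shell metacharacters, empty fields,
# leading zeros and out-of-range octets or prefix lengths.

# valid_ipv4 ADDR: returns 0 for a dotted quad with octets 0-255, else 1.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;      # only digits and single dots
    esac
    IFS=.; set -- $1; unset IFS                  # split on dots, restore default IFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0[0-9]*) return 1 ;; esac   # no leading zeros (ambiguous octal)
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# valid_src_ip VALUE: returns 0 for ADDR or ADDR/PREFIX with PREFIX 0-32, else 1.
valid_src_ip() {
    case "$1" in
        */*)
            addr=${1%%/*}; plen=${1#*/}
            case "$plen" in ""|*[!0-9]*|0[0-9]*) return 1 ;; esac
            [ ${#plen} -le 2 ] && [ "$plen" -le 32 ] && valid_ipv4 "$addr" ;;
        *)
            valid_ipv4 "$1" ;;
    esac
}

# check_src_ip_env: reads the variable as a configuration script would see it.
# printenv is used because the name contains a dot, which a plain $NAME
# expansion cannot reference; returns 1 when the variable is unset or invalid.
check_src_ip_env() {
    v=$(printenv 'FW_PORTFORWARDING.SRC_IP') || return 1
    valid_src_ip "$v"
}
```

Call `check_src_ip_env || exit 1` at the top of the script so an unexpected value aborts the configuration step instead of being turned into a rule.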
🧯 If You Can't Patch
- Implement strict network segmentation to isolate firewall management interfaces
- Deploy network monitoring to detect unauthorized firewall configuration changes
🔍 How to Verify
Check if Vulnerable:
Confirm that the device runs one of the affected firmware versions listed in the vendor advisory and that its management interface is reachable by low-privileged users
Check Version:
# Check firewall software version - command varies by vendor
# Example: firewall-cmd --version or systemctl status firewall-service
Verify Fix Applied:
Verify patch version matches vendor's fixed release and test firewall configuration changes from low-privileged accounts
📡 Detection & Monitoring
Log Indicators:
- Unauthorized firewall configuration changes
- Unexpected modifications to iptables/nftables rules
- Failed authentication attempts to firewall management interfaces
Network Indicators:
- Unusual traffic patterns suggesting firewall rule manipulation
- Unexpected port forwarding or NAT changes
SIEM Query:
firewall_config_change OR iptables_modification OR port_forwarding_alert