Security Advisory for the FL MGUARD family of devices

Advisory Information

• Advisory ID: BOSCH-SA-833074
• CVE Numbers and CVSS v3.1 Scores:
  • CVE-2022-4304
    • Base Score: 5.9 (Medium)
  • CVE-2023-2673
    • Base Score: 5.8 (Medium)
• Published: 04 Jul 2023
• Last Updated: 04 Jul 2023

Summary

The FL MGUARD family devices sold by Bosch Rexroth are devices from Phoenix Contact that have been introduced as trade goods. A security advisory has been published by the manufacturer, which indicates that the devices are affected by two vulnerabilities regarding RSA decryption and MAC filtering. [1]

Affected Products

• Rexroth FL MGUARD DELTA TX/T& (R911173817)
  • CVE-2022-4304, CVE-2023-2673
    • Version(s): < 8.9.1
• Rexroth FL MGUARD RS2000 4G & (R913066122)
  • CVE-2022-4304, CVE-2023-2673
    • Version(s): < 8.9.1
• Rexroth FL MGUARD RS2000 TX/& (R913056204)
  • CVE-2022-4304, CVE-2023-2673
    • Version(s): < 8.9.1
• Rexroth FL MGUARD RS2000 TX/& (R913058931)
  • CVE-2022-4304, CVE-2023-2673
    • Version(s): < 8.9.1
• Rexroth FL MGUARD RS4000 TX/& (R901351745)
  • CVE-2022-4304, CVE-2023-2673
    • Version(s): < 8.9.1
• Rexroth FL MGUARD RS4000 TX/& (R911173814)
  • CVE-2022-4304, CVE-2023-2673
    • Version(s): < 8.9.1
• Rexroth FL MGUARD RS4004 TX/& (R913050362)
  • CVE-2022-4304, CVE-2023-2673
    • Version(s): < 8.9.1
• Rexroth FL MGUARD RS4004 TX/& (R913051602)
  • CVE-2022-4304, CVE-2023-2673
    • Version(s): < 8.9.1
• Rexroth FL MGUARD SMART2 VPN (R911173818)
  • CVE-2022-4304, CVE-2023-2673
    • Version(s): < 8.9.1
• Rexroth TC MGUARD RS2000 3G & (R911173815)
  • CVE-2022-4304, CVE-2023-2673
    • Version(s): < 8.9.1
• Rexroth TC MGUARD RS4000 3G & (R911173816)
  • CVE-2022-4304, CVE-2023-2673
    • Version(s): < 8.9.1
• Rexroth TC MGUARD RS4000 4G & (R901541498)
  • CVE-2022-4304, CVE-2023-2673
    • Version(s): < 8.9.1

Solution and Mitigations

Update to the latest released versions

The vulnerabilities is fixed in firmware version 8.9.1. We strongly recommend all
affected users to upgrade to this or a later version.

Mitigation

CVE-2022-4304: Do not use RSA based ciphers for encryption of network traffic, use cipher
suites with forward secrecy for TLS or IPsec communication and renew vulnerable certificates
frequently.
CVE-2023-2673: Configure the incoming IPv4 packet filter carefully to protect clients from
potentially malicious UDP packets.

Compensatory measures

Compensatory measures are recommended which mitigate the risk. Always define such compensatory measures individually, in the context of the operational environment. Some measures are described in the “Security Guideline Electric Drives and Controls” [2], for example the network segmentation. In general, it is mandatory to implement the measures described in the “Security Guideline Electric Drives and Controls”.

Vulnerability Details

CVE-2022-4304

CVE description: A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.

For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.

• Problem Type:
  • Timing based side channel attack
• CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Base Score: 5.9 (Medium)

CVE-2023-2673

CVE description: Improper Input Validation vulnerability in PHOENIX CONTACT FL/TC MGUARD Family in multiple versions may allow UDP packets to bypass the filter rules and access the solely connected device behind the MGUARD which can be used for flooding attacks.

• Problem Type:
  • CWE-20 Improper Input Validation
• CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
  • Base Score: 5.8 (Medium)

Remarks

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

• [1] Security Advisory for the FL MGUARD family of devices: https://dam-mdc.phoenixcontact.com/asset/156443151564/6d4cfd9c39df5147a93b66411432b990/Security_Advisory-CVE-2022-4304_CVE-2023-2673.pdf
• [2] Security Guideline Electric Drives and Controls: https://www.boschrexroth.com/de/de/myrexroth/media-directory-download?object_nr=R911342562

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

Revision History

• 04 Jul 2023: Initial Publication