Network kit biz Phoenix takes heat as flaws may leave industrial control system security in ashes

Oil, gas, maritime systems affected by latest bug findings

By Shaun Nichols in San Francisco


Companies running a popular brand of industrial Ethernet switch are being advised to update their firmware ASAP following a series of bug disclosures.

Security house Positive Technologies took credit today for the discovery of six CVE-listed security vulnerabilities in the Phoenix Contact FL Switch 3xxx, 4xxx, and 48xx industrial control switches. The flaws are addressed in firmware versions 1.35 or newer.

Among the now-patched flaws were several Positive described as "critical" security risks that could be exploited to knock vulnerable devices offline or pull off man-in-the-middle attacks.

"Successful exploitation of these weaknesses has the potential to cause disruption, or even total interruption, of ICS operations," Positive Technologies SCADA research analyst Paolo Emiliani said in the company's write-up of the issue.

"An attacker can intercept user credentials and then re-configure a switch to disable its ports, resulting in failure of network communication between ICS components."

These are particularly serious bugs given where many of the vulnerable network switches are used. Positive says the Contact FL line is particularly popular for oil and energy facilities, as well as maritime systems, where a controller breakdown would be a major headache.

All of the vulnerabilities were discovered and privately reported by researchers Evgeny Druzhinin, Ilya Karpov, and Georgy Zaytsev.

Two of the more series flaws were CVE-2018-13993, a cross-site request forgery that would let an attacker use the web interface to control a vulnerable switch and send arbitrary commands, and CVE-2018-13990, a brute force vulnerability caused by the switch not having a timeout period between login attempts.

Yes, you can remotely hack factory, building site cranes. Wait, what?


CVE-2018-13992 is a possible password theft vulnerability caused by the switch transmitting login information over its web interface as plain text, while CVE-2018-13991 is a man-in-the-middle flaw that could allow an attacker to harvest encryption keys.

Two other bugs, CVE-2018-13994 and CVE-2017-3735 are denial of service vulnerabilities caused by a buffer error and the web interface not properly limiting the number of possible connections.

All of the bugs can be patched by updating the switch's firmware to the latest build (in this case 1.35 or later). Those downloads can be found on the managed switch products page on Phoenix's website. ®

Sign up to our NewsletterGet IT in your inbox daily

1 Comment

More from The Register

Reach out for the healing hands... of guru Dabbs

Something for the Weekend, Sir? I command you IT devil... get out!

I used to be a dull John Doe. Thanks to Huawei, I'm now James Bond!

Something for the Weekend, Sir? We'll know for sure when Huawei reveals a shoe-shaped smartphone

Loose tongues and oily seamen: Lost in machine translation yet again

Something for the Weekend, Sir? While I’m at it, another punch at Bitcoin

Sex and drugs and auto-tune: What motivates a millennial perp?

Something for the Weekend, Sir? One for the money, two for the blow

Summer vacations put an end to rampant desktop crimewave

Something for the Weekend, Sir? At last I feel infused with the write stuff

Take my advice and stop using Rubik's Cubes to prove your intelligence

Something for the Weekend, Sir? Let the Blue Peter vs Magpie wars recommence!

Those darn users don't know what they're doing (not like us, of course)

Something for the Weekend, Sir? Click on the toothbrush, toggle the flange and press 'Harp'. It's obvious

There's a reason why my cat doesn't need two-factor authentication

Something for the Weekend, Sir? A rinky tinky tinky

Lip-reading smart speakers: Just what no one always wanted

Something for the Weekend, Sir? Enjoy the silence... while you still can

Polygraph knows all: You've been using our user feedback form

Something for the Weekend, Sir? Tell me lies, tell me sweet little lies...