ICSA-19-024-02 · Published 2019-01-24
PHOENIX CONTACT FL SWITCH
CVSS 8.8 (HIGH)
Risk Summary
Successful exploitation of these vulnerabilities may allow attackers to obtain user privileges, gain access to the switch, read user credentials, deny access to the switch, or perform man-in-the-middle attacks.
Remediations
- Phoenix Contact recommends that users of FL SWITCH devices with affected firmware versions update the firmware to Version 1.35 or higher, which fixes these vulnerabilities. The updated firmware may be downloaded from the managed switch product page on the Phoenix Contact website. Please see the CERT VDE advisory for these vulnerabilities for the location of the new firmware download for each specific product: https://cert.vde.com/de-de/advisories/vde-2019-001
- Phoenix Contact also recommends that users of the Phoenix Contact managed FL SWITCH devices enable HTTP security.
Affected Vendors
PHOENIX CONTACT, Innominate Security Technologies
Affected Products (1)
- PHOENIX CONTACT, Innominate Security Technologies · FL SWITCH 3xxx 4xxx and 48xx, firmware versions < 1.35
Affected Sectors
Communications, Critical Manufacturing, Information Technology