Fix is in for mGuard Device Manager

Tuesday, September 19, 2017 @ 03:09 PM gHale

Phoenix Contact has an update to mitigate improper access control vulnerabilities for Oracle Java SE in its mGuard Device Manager, according to a report with ICS-CERT.

Device management software for mGuard devices, mGuard Device Manager 1.8.0 and older, suffers from the remotely exploitable vulnerability, which Phoenix Contact self-reported.

Successful exploitation of these vulnerabilities could allow unauthorized remote access, modification of data, and may allow remote and local users to gain elevated privileges.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerability.

Improper access control vulnerabilities have been reported for Oracle Java SE, which is provided with Phoenix Contact FL MGUARD DM. According to Oracle, the supported Java versions affected by these vulnerabilities are Java SE: 8u131, 7u141 and 6u151, Java SE Embedded: 8u131, and JRockit: R28.3.14. Phoenix Contact provided FL MGUARD DM 1.8.0 for Windows with Java SE 8u131.

CVE-2017-10102, CVE-2017-10116, CVE-2017-10078, CVE-2017-10115, CVE-2017-10118, CVE-2017-10176, CVE-2017-10198, CVE-2017-10135, CVE-2017-10053, CVE-2017-10108 are the case numbers assigned to these vulnerabilities. The vulnerability has a CVSS v3 base score of 9.0.

For more information on these vulnerabilities, refer to the published advisory of CERT@VDE and the Oracle Critical Patch Update Advisory report.

The product sees action in the communications, critical manufacturing and information technology sectors. It also sees use on a global basis.

Phoenix Contact recommends all users of the affected product on Windows should update to at least Version The update can occur by executing the installer for Version on a Windows system where the product is installed in Version 1.8.0. The installer is available for download on the product page, in section “Software” on the Downloads tab.

For more information, refer to the document “How to upgrade mGuard device manager” downloaded with the installer.

Phoenix Contact recommends that all users of the affected product on Linux update Java to the latest version. When using the package source delivered by Phoenix Contact on Ubuntu, this is done through the software updater of the operating system.
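
To confirm which hosts still run a Java release at the update levels listed above, the version string reported by `java -version` can be checked with a short script. This is an added example, not code from Phoenix Contact or ICS-CERT; the function names are hypothetical, and it assumes that older updates of the same major release are affected as well.

```shell
#!/bin/sh
# Added example: flag Java runtimes at or below the update levels the
# advisory lists as affected (Java SE 8u131, 7u141, 6u151).
# Assumption: older updates of the same major release count as affected too.

# Extract the quoted version from the first line of `java -version` output.
extract_java_version() {
    printf '%s\n' "$1" | sed -n '1s/.*version "\([^"]*\)".*/\1/p'
}

# Return 0 if affected, 1 if newer than the listed level, 2 if not covered.
java_is_affected() {
    ver=$1
    case $ver in
        1.[678].*) ;;              # legacy 1.<major>.0_<update> scheme
        *) return 2 ;;             # empty, malformed or other numbering
    esac
    major=${ver#1.}; major=${major%%.*}
    case $ver in
        *_*) update=${ver##*_}; update=${update%%-*} ;;  # drop "-b11" style suffix
        *)   update=0 ;;           # base release without an update number
    esac
    case $update in ''|*[!0-9]*) return 2 ;; esac
    case $major in
        8) limit=131 ;;
        7) limit=141 ;;
        6) limit=151 ;;
    esac
    [ "$update" -le "$limit" ]
}

# Constructed sample first lines of `java -version` (not from a real host).
for line in 'java version "1.8.0_131"' 'java version "1.8.0_144"' 'openjdk version "9.0.1"'; do
    v=$(extract_java_version "$line")
    if java_is_affected "$v"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "$v: affected, update Java" ;;
        1) echo "$v: newer than the listed level" ;;
        *) echo "$v: not covered by this check" ;;
    esac
done
```

On a live system, pass the output of `java -version 2>&1` to `extract_java_version`, since the JVM prints its version banner to standard error.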
