Phoenix Contact: Access files due to improper neutralization of special elements in MGUARD devices

Vulnerability

The vulnerability resides in the administrative web interface of Phoenix Contact mGuard devices. Due to improper neutralization of special elements in the EMAIL_RELAY_PASSWORD variable, a low-privileged remote attacker can read and write arbitrary files as root. The affected products include multiple mGuard device models as listed in the vendor advisory [1].

Exploitation

An attacker with low-privileged remote access to the administrative web interface can exploit this flaw by sending crafted HTTP requests that manipulate the EMAIL_RELAY_PASSWORD parameter. The improper neutralization allows the attacker to inject commands or path traversal sequences, enabling file read and write operations with root privileges.

Impact

Successful exploitation grants the attacker the ability to read and write arbitrary files as root, leading to full system compromise. This can result in privilege escalation, disclosure of confidential data, and covert misbehavior within various services on the device [1].

Mitigation

As of the publication date (2024-09-10), no official patch or workaround has been disclosed in the available references. Users are advised to monitor the vendor advisory [1] for updates and restrict network access to the administrative interface as a temporary measure.