Product Security Incident Response Team

Improve product security: Exchange vulnerability-related information about Phoenix Contact products with us.

Welcome to the website of the Phoenix Contact Product Security Incident Response Team (PSIRT). The Phoenix Contact PSIRT is the central team for Phoenix Contact and its subsidiaries, authorized to respond to potential security vulnerabilities, incidents and other security issues related to Phoenix Contact products, solutions and services.

Phoenix Contact PSIRT manages disclosure, investigation and internal coordination, and publishes security advisories for confirmed vulnerabilities where mitigations/fixes are available.

We actively encourage security researchers and other parties who detect potential security issues in Phoenix Contact products, solutions and services to contact the Phoenix Contact PSIRT to discuss and coordinate activities, in a joint effort to increase the security posture for Phoenix Contact and its customers.

Recent security advisories

This section of the Phoenix Contact PSIRT website contains all recent security advisories that were issued by Phoenix Contact PSIRT.

| Description | Products | Language | Updated |
|---|---|---|---|
| Security Advisory for Phoenix Contact WLAN enabled devices utilizing WPA2 encryption [PDF, 78 KB] | WLAN Products | English | 28.09.2018 |
| Denial of Service due to incorrect handling of web request [PDF, 62 KB] | AXL F BK PN, AXL F BK ETH, AXL F BK ETH XC | English | |
| Operation of the PLC can be slowed down by network flooding [PDF] | ILC 131, 151, 171, 191 ETH | English | 20.09.2018 |
| Stack Buffer Overflows in Shared Object File [PDF, 61 KB] | FL SWITCH 3xxx, FL SWITCH 4xxx, FL SWITCH 48xx | English | 11.05.2018 |
| Authenticated Remote Code Execution [PDF, 61 KB] | FL SWITCH 3xxx, FL SWITCH 4xxx, FL SWITCH 48xx | English | 11.05.2018 |
| Insecure Direct Object Reference to Read-Only FL SWITCH Configuration File [PDF, 61 KB] | FL SWITCH 3xxx, FL SWITCH 4xxx, FL SWITCH 48xx | English | 11.05.2018 |
| Stack-based Buffer Overflow due to improper length check in cookies_get_value function [PDF, 61 KB] | FL SWITCH 3xxx, FL SWITCH 4xxx, FL SWITCH 48xx | English | 11.05.2018 |
| Security Advisory addressing Meltdown and Spectre vulnerabilities [PDF, 64 KB] | Several | English | 23.03.2018 |
| Improper Validation of Integrity Check Value [PDF, 61 KB] | mGuard | English | 29.01.2018 |

Submit a vulnerability

Anyone can submit potential vulnerabilities to Phoenix Contact PSIRT by email. Regardless of whether you are a Phoenix Contact customer or not, we highly encourage you to report discovered vulnerabilities to us. No confidentiality agreement (NDA) or other contract is required for working with us on vulnerability disclosure. We aim to work with vulnerability reporters professionally on handling any vulnerability claim that is related to Phoenix Contact products, solutions and services.

We highly appreciate coordinated vulnerability reports from any members of the security community such as security researchers, academia, other CERTs, business partners, governmental agencies or any other sources. As some of our components are being deployed as parts of critical systems, we kindly ask you to work with us on a coordinated disclosure, avoiding publication until our development groups have created an appropriate fix/mitigation. You may contact us with your vulnerability claims via email.

When submitting, please try to include the following information in your email to speed up the handling process:

  • Reporter’s Name: In case you would like to stay anonymous, we respect your interests.
  • Contact details: Email address and phone number under which we may contact you.
  • Affiliation: What is your organizational affiliation (if any)?
  • Vulnerability type submitted: How would you describe the vulnerability type (e.g. XSS, Buffer Overflow, Hardcoded credentials, …)?
  • Vulnerability trigger: Can you provide any proof-of-concept (PoC) exploit code for triggering the vulnerability, or alternatively network traces (e.g. pcaps) or a description of how the vulnerability can be triggered?
  • Vulnerability effects: Did you observe any effects that the vulnerability leads to/induces?
  • Affected components: In which product/solution/service (if available) have you found the vulnerability? Please include any information available to you such as product family / group / firmware / software version. For services, please point out the location (e.g. URL).
  • Confidentiality of vulnerability: Was the vulnerability publicly disclosed already or do you have any concrete disclosure plans?

Phoenix Contact PSIRT guarantees to acknowledge receipt of new vulnerability reports within two business days and thanks all reporting parties for their efforts in working with us on improving the security posture for Phoenix Contact and its customers.

As information about vulnerabilities and vulnerability claims is critical, we prefer to receive this information encrypted. We therefore kindly ask you to use our PGP key to encrypt the information when you report a potential security vulnerability to Phoenix Contact PSIRT.

PGP Key: 94064631
PGP Fingerprint: 2075 33A9 B1E1 929D 8B9A BD18 0602 A718 9406 4631

Getting updates from Phoenix Contact PSIRT

The content of this webpage is updated as soon as new vulnerability information (e.g. new security advisories) is available, so please check back regularly. If you would like to make sure you do not miss any informational updates, you may want to subscribe to our PSIRT Newsletter.

Security advisories archive

| Description | Products | Language | Updated |
|---|---|---|---|
| Unauthorized web access to switch parameters [PDF, 34 KB] | FL SWITCH 3xxx, FL SWITCH 4xxx, FL SWITCH 48xx | English | 09.01.2018 |
| Ability to see switch information using Monitor Mode [PDF, 34 KB] | FL SWITCH 3xxx, FL SWITCH 4xxx, FL SWITCH 48xx | English | 09.01.2018 |
| Cross-site Scripting (XSS) vulnerability in FL COMSERVER products [PDF, 36 KB] | FL COMSERVER | English | 25.12.2017 |
| Security Advisory for mGuard Device Manager, mdm [PDF, 64 KB] | mGuard | English | 24.08.2017 |
| Remote denial of service vulnerability of the IKE daemon [PDF, 34 KB] | mGuard | English | 31.07.2017 |
| Denial of service against IPsec [PDF, 34 KB] | mGuard | English | 11.05.2017 |
| Unauthorized User-Firewall login with RADIUS [PDF, 35 KB] | mGuard | English | 11.05.2017 |
| Software update changes password to default [PDF, 0.23 MB] | mGuard | English | 29.11.2016 |
| LC PLC Webvisit Authentication Vulnerabilities [PDF, 67 KB] | All ILC 1xx PLC’s of Phoenix Contact | English | 08.11.2016 |

PHOENIX CONTACT
GmbH & Co. KG

Cooperation

We publish our advisories together with other companies on the VDE CERT Website.
