WAGO Multiple vulnerabilities in e!DISPLAY products

VDE-2018-010 (2018-07-10 12:50 UTC+0200)

Affected Vendors

WAGO

Affected Products

WAGO e!DISPLAY 762-3000, 762-3001, 762-3002, 762-3003

Vulnerability Type

Mutliple, see Impact

Summary

An unauthenticated user can exploit a vulnerability (CVE-2018-12981) to inject code in the WBM via reflected cross-site scripting (XSS), if he is able trick a user to open a special crafted web site. This could allow an attacker to execute code in the context of the user and execute arbitrary commands with restriction to the permissions of the user. Authenticated users can use a vulnerability to inject code in the WBM via persistent cross-site scripting (XSS) via special crafted requests which will be rendered and/or executed in the browser. Authenticated WBM users can transfer arbitrary files to different file system locations (CVE- 2018-12980) to which the web server has the required permissions and partially allowing replacing existing files due weak file permissions (CVE-2018-12979) which can result in an authentication bypass.

Impact

This advisory is based upon the report of SEC Consult.

CVE-2018-12981

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE- 79)

Severity: 8.0 (CVSS:3.0:AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

The vulnerability can be exploited by authenticated and unauthenticated users by sending special crafted requests to the web server allowing injecting code within the WBM. The code will be rendered and/or executed in the browser of the user’s browser.

CVE-2018-12980

Unrestricted Upload of File with Dangerous Type (CWE-434)

Severity: 8.0 (CVSS:3.0:AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

The vulnerability allows an authenticated user to upload arbitrary files to the file system with the permissions of the web server.

CVE-2018-12979

Incorrect Permission Assignment for Critical Resource (CWE-732)

Severity: 7.5 (CVSS:3.0:AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Weak permissions allow an authenticated user to overwrite critical files by abusing the unrestricted file upload in the WBM.

Solution

Update your device to the latest firmware (FW 02). In case this is not feasible limit the access to trusted users and devices.

For details on how to obtain the new firmware, please send a request by email to support@wago.com.

Reported by

T. Weber of SEC-Consult found multiple vulnerabilities in WAGO e!DISPLAY devices and reported them to CERT@VDE.

CERT@VDE coordinated this release with WAGO and SEC-Consult.

Reference URLs

SEC-Consult Advisory: Link
WAGO Advisory: Link