This advisory has no CVE assigned.

ID

VDE-2018-013

Published

2018-08-17 11:45 (CEST)

Last update

2018-08-17 11:45 (CEST)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
750-8100 (Controller PFC100) <= 02.05.23(08)
750-831 (Controller BACnet/IP) <= 01.02.29(09)
750-880 (Controller ETH) <= 01.07.03(10)
750-889 (Controller KNX IP) <= 01.07.13(10)

Weakness

Uncontrolled Resource Consumption (CWE-400)

Summary

The 750-8xx controllers are susceptible to a Denial-of-Service attack caused by a flood of network packets.

Please consult the original paper for details (link at the bottom of this advisory).

Impact

High network load can consume CPU power in such a way that the normal operation of the device can be affected, i.e. the configured cycle time can be influenced. After high network load is removed, the device continues to operate in normal mode.


Solution

We recommend operating the devices in closed networks or protecting them with a firewall against unauthorized access. Another recommended mitigation is to limit the network traffic via the switch rate limit feature according to your application needs.

To minimize the effect of high network load, the switch rate limit can be configured, e.g. via Web-based Management:

750-8xx: Ethernet > "Misc. Configuration" > "internal Port" > "Output Limit Rate"

750-8xxx: Network > Ethernet > "Switch Configuration" > "Rate Limit"
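
One way to pick a rate limit "according to your application needs", shown as an added example that is not part of the original advisory or any WAGO tooling: size the limit from a baseline of legitimate traffic, then check what a flood would still deliver to the controller. The traffic samples, the list of selectable limit steps, the kbit/s unit and the 1.5x headroom are assumptions; take the real options from the device's Web-based Management page.

```python
# Added example, not WAGO code. All sample values below are constructed.

# Bytes per second towards one controller during normal operation (constructed).
BASELINE = [41_000, 38_500, 44_200, 40_100, 52_300, 39_800, 43_700, 61_000]
# The same link during a packet flood (constructed).
FLOOD = [40_000, 9_800_000, 11_200_000, 10_500_000, 42_000]
# Hypothetical selectable limits in kbit/s (assumption, device-specific).
ASSUMED_STEPS_KBIT = [64, 128, 256, 512, 1024, 2048, 4096]


def choose_limit_kbit(samples, steps, headroom=1.5):
    """Return the smallest step that covers the baseline peak plus headroom."""
    need = max(samples) * 8 / 1000 * headroom  # bytes/s -> kbit/s
    for step in sorted(steps):
        if step >= need:
            return step
    raise ValueError("no available step covers %.0f kbit/s" % need)


def apply_limit(samples, limit_kbit, burst_bytes=0):
    """Token bucket with 1 s ticks; returns (passed, dropped) byte lists."""
    rate = limit_kbit * 1000 // 8      # bytes refilled per second
    capacity = rate + burst_bytes      # bucket size
    tokens = capacity
    passed, dropped = [], []
    for offered in samples:
        sent = min(offered, tokens)
        passed.append(sent)
        dropped.append(offered - sent)
        tokens = min(capacity, tokens - sent + rate)
    return passed, dropped


if __name__ == "__main__":
    limit = choose_limit_kbit(BASELINE, ASSUMED_STEPS_KBIT)
    _, base_drop = apply_limit(BASELINE, limit)
    flood_pass, flood_drop = apply_limit(FLOOD, limit)
    print("chosen limit:", limit, "kbit/s")
    print("baseline bytes dropped:", sum(base_drop))
    print("peak bytes/s reaching controller under flood:", max(flood_pass))
    print("flood bytes dropped:", sum(flood_drop))
```

The limit caps the load that reaches the controller but does not tell legitimate packets from flood packets, so it complements the firewall recommendation rather than replacing it.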

Please also consult the product manuals as this is a known problem for some devices:

750-880

Go to https://www.wago.com/de/sps/controller-ethernet/p/750-880
Select "Downloads"
In section "Dokumentation" choose "ETHERNET Programmierbarer Feldbuscontroller 10 / 100 Mbit/s; digitale und analoge Signale V 2.3.0, 03.08.2016" and select your language for the manual.
See section 9.3: Functional Restrictions and Limits

750-889

Go to https://www.wago.com/de/sps/controller-ethernet/p/750-889
Select "Downloads"
In section "Dokumentation" choose "Controller KNX IP KNX IP Controller V 1.0.2, 04.10.2016" and select your language for the manual.
See section 10.4: Functional Restrictions and Limits

750-831

Go to https://www.wago.com/de/sps/controller-ethernet/p/750-831
Select "Downloads"
In section "Dokumentation" choose "BACnet/IP Programmierbarer Feldbuscontroller 10/100 Mbit/s; digitale und analoge Signale V 1.2.1, 20.02.2017" and select your language for the manual.
See section 9.5: Functional Restrictions and Limits

Reported by

This vulnerability was reported by Matthias Niedermaier (Hochschule Augsburg), Jan-Ole Malchow (Freie Universität Berlin) and Florian Fischer (Hochschule Augsburg).

https://www.usenix.org/system/files/conference/woot18/woot18-paper-niedermaier.pdf