WAGO Undocumented service access in Series 750-88x and 750-87x devices

VDE-2019-008 (2019-04-12 08:00 UTC+0100)

CVE Identifier

CVE-2019-10712

Affected Vendors

WAGO

Affected Products

Series 750-88x:

Product Firmware
750-330 <FW14
750-352/... <FW14
750-829 <FW14
750-831 <FW14
750-852 <FW14
750-880/... <FW14
750-881 <FW14
750-882 <FW14
750-884/... <FW14
750-885 <FW14
750-889 <FW14

Series 750-87x:

Product Firmware
750-830 <FW06
750-849 <FW08
750-871 <FW11
750-872 <FW07
750-873 <FW07

Vulnerability Type

Use of Hard-coded Credentials (CWE-798)

Summary

The reported vulnerability allows a remote attacker to change the settings of the device or to replace its application.

Impact

By exploiting the undocumented service access, it is possible to change the settings of a device. The service access user has access to the web-based management with administrator privileges. This can potentially be used to lock other users out of the device or to open closed network ports. It is also possible to use this service access as an FTP user and replace or delete the application.

Solution

Update your device to the latest firmware:

Device Firmware
750-330 >= FW 14
750-352/... >= FW 14
750-829 >= FW 14
750-831/... >= FW 14
750-852 >= FW 14
750-880/... >= FW 14
750-881 >= FW 14
750-882 >= FW 14
750-884/... >= FW 14
750-885/... >= FW 14
750-889 >= FW 14
750-830 >= FW 06
750-871 >= FW 11
750-872 >= FW 07
750-873 >= FW 07
750-849 >= FW 08
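
To apply the firmware table above to an asset inventory, the following added example (not part of the advisory and not WAGO or CERT@VDE code) flags devices that are still below the fixed firmware level. It assumes the inventory records the item number and the firmware index in the "FW14" style used in this advisory, and that variant suffixes such as "/025-000" share the fix level of the base item; the function names, CSV columns and sample rows are constructed.

```python
import csv
import io
import re

# Minimum fixed firmware index per base item number, from the Solution table.
FIXED_FW = {
    "750-330": 14, "750-352": 14, "750-829": 14, "750-831": 14,
    "750-852": 14, "750-880": 14, "750-881": 14, "750-882": 14,
    "750-884": 14, "750-885": 14, "750-889": 14,
    "750-830": 6, "750-849": 8, "750-871": 11, "750-872": 7, "750-873": 7,
}

def base_item(order_no):
    """Strip a variant suffix ('/025-000'); assumption: variants share the base fix level."""
    m = re.match(r"\s*(\d{3}-\d{3})(?:/\S*)?\s*$", order_no)
    return m.group(1) if m else None

def fw_index(text):
    """Accept 'FW14', 'FW 06' or '14'; return the integer index, or None if unparseable."""
    m = re.fullmatch(r"\s*(?:FW)?\s*(\d{1,3})\s*", text, re.IGNORECASE)
    return int(m.group(1)) if m else None

def assess(order_no, firmware):
    item = base_item(order_no)
    if item is None or item not in FIXED_FW:
        return "NOT_LISTED"      # not covered by this advisory
    fw = fw_index(firmware)
    if fw is None:
        return "UNKNOWN_FW"      # needs manual review; never assume patched
    return "PATCHED" if fw >= FIXED_FW[item] else "VULNERABLE"

def audit(inventory_csv):
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["host"], r["item"], assess(r["item"], r["firmware"])) for r in rows]

# Constructed sample inventory (hostnames and firmware values are made up).
SAMPLE = """host,item,firmware
plc-line1,750-880/025-000,FW12
plc-line2,750-881,FW14
coupler-7,750-352,FW 09
plc-old,750-849,FW08
plc-lab,750-872,unknown
pfc-new,750-8212,FW15
"""

if __name__ == "__main__":
    for host, item, status in audit(SAMPLE):
        print(f"{host:10} {item:18} {status}")
```

Devices reported as VULNERABLE or UNKNOWN_FW are the ones to update first or to isolate using the mitigations below.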

Mitigation

  • Restrict network access to the web server.
  • Restrict network access to the device.
  • Do not directly connect the device to the internet.

Reported by

Reported by Jörn Schneeweisz / Recurity Labs to CERT-Bund

Coordinated by CERT@VDE