WAGO: e!Cockpit cleartext communication and hardcoded key

WAGO e!Cockpit uses a hardcoded key as password to connect to PLCs and uses cleartext communication.

VDE-2020-004 (2020-03-09 11:00 UTC+0200)

Affected Vendors

WAGO

Affected Products

Article Name Article Number Version
Series PFC100 750-81xx/xxx-xxx All FW versions
=> 4 are affected
Series PFC200 750-82xx/xxx-xxx
Touch Panel 600 Standard Line
type Visu- / Control Panel
762-4xxx
Touch Panel 600 Advanced Line
type Visu- / Control Panel
762-5xxx
Touch Panel 600 Marine Line
type Visu- / Control Panel
762-6xxx

Vulnerability Type

Cleartext Transmission of Sensitive Information (CWE-319)

Summary

CVE-2019-5107
CWE-ID: CWE-319: Cleartext Transmission of Sensitive Information
Base Score: 7.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
The communication between e!Cockpit and the programmable logic controller is not encrypted. The broken cryptographic algorithm allows an attacker to decode the password for the e!Cockpit communication and with this to manipulate the application.

CVE-2019-5106
CWE-ID: CWE-327: Use of a Broken or Risky Cryptographic Algorithm
Base Score: 6.2
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
The password used by e!Cockpit for authentication against the PLC is encrypted with a hard- coded key. An attacker is able to decrypt the password by listening to the network traffic.

Impact

The vulnerabilities allow an attacker which has access to the network communication between e!Cockpit and the PLC to listen, manipulate, or drop any information they choose from the corresponding communication.

Solution

Typically the e!Cockpit communication is only needed during commissioning of the programmable logic controller and not during normal operations. WAGO highly recommends to disable the TCP Port 11740 and UDP Port 1740 after commissioning or to use an encrypted VPN connection to the device.

Mitigation

  • Follow the instructions in WAGOs handbook Cyber Security for Controller
  • Restrict network access to the device.
  • Do not directly connect the device to the internet
  • Use an encrypted VPN connection to the device
  • Disable unused TCP/UDP-ports

Reported by

These vulnerabilities were reported by Nico Jansen of FH Aachen and Carl Hurd of Cisco Talos to WAGO.
Coordination done by CERT@VDE.