WAGO: Web-Based Management Authentication Vulnerabilities

Two vulnerabilities were found in Web-Based Management Authentication.

VDE-2020-006 (2020-03-09 11:05 UTC+0200)

Affected Vendors

WAGO

Affected Products

Article Name                     Article Number     Version
Series PFC100                    750-81xx/xxx-xxx   All FW versions >= FW5, <= FW14 are affected
Series PFC200                    750-82xx/xxx-xxx
Touch Panel 600 Standard Line    762-4xxx
Touch Panel 600 Advanced Line    762-5xxx
Touch Panel 600 Marine Line      762-6xxx

Vulnerability Type

Regular Expression without Anchors (CWE-777)

Summary

With specially crafted requests it is possible to obtain sensitive information, in this case the password hashes, by measuring the response delay. Given a substantial amount of time, this data can be used to calculate the passwords of the Web-Based Management users. In the case of CVE-2019-5134, the password salt can also be extracted.

CVE-2019-5134
CWE-ID: CWE-777: Regular Expression without Anchors
Base Score: 5.3
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
WAGO PFC100/200 Web-Based Management (WBM) Authentication Regex Information Disclosure Vulnerability.
A specially crafted authentication request can bypass regular expression filters, resulting in sensitive information disclosure.

CVE-2019-5135
CWE-ID: CWE-208: Information Exposure Through Timing Discrepancy
Base Score: 5.3
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
WAGO PFC100/200 Web-Based Management (WBM) Authentication Timing Information Disclosure Vulnerability.
The WBM application makes use of a special PHP function which can be exploited to disclose hashed user credentials. An attacker can make a series of unauthenticated requests to exploit this vulnerability.
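
The two weakness classes named above (CWE-777 and CWE-208), shown in PHP next to the fix for each. This is an added example, not WAGO's WBM code: the advisory does not publish the affected pattern or name the PHP function, so the username format, the function names and the user store below are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed user store (assumption); stands in for the device's credential file.
$USERS = ['admin' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT)];
// Dummy hash checked for unknown users so both paths do the same work.
$DUMMY = password_hash('unused', PASSWORD_DEFAULT);

// CWE-777: no anchors, so input that merely CONTAINS one allowed character
// passes, including input with separators or newlines around it.
function username_ok_unanchored(string $s): bool
{
    return preg_match('/[A-Za-z0-9_]{1,32}/', $s) === 1;
}

// Fixed: \A and \z bind the pattern to the whole input. A bare "$" would
// still accept a trailing newline unless the D modifier is set.
function username_ok_anchored(string $s): bool
{
    return preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $s) === 1;
}

// CWE-208: password_verify() is documented as safe against timing attacks,
// unlike comparing hash strings with == or strcmp().
function login(array $users, string $dummy, string $user, string $pw): bool
{
    if (!username_ok_anchored($user)) {
        return false;
    }
    $known = array_key_exists($user, $users);
    $ok = password_verify($pw, $known ? $users[$user] : $dummy);
    return $known && $ok;
}

// Constructed inputs: one clean name and two carrying extra characters.
foreach (["admin", "admin\nextra", "ad min"] as $name) {
    printf("%-16s unanchored=%d anchored=%d\n",
        json_encode($name),
        (int) username_ok_unanchored($name),
        (int) username_ok_anchored($name));
}
var_dump(login($USERS, $DUMMY, 'admin', 'constructed-sample-pw')); // correct password
var_dump(login($USERS, $DUMMY, 'admin', 'wrong'));                 // wrong password
var_dump(login($USERS, $DUMMY, 'nobody', 'wrong'));                // unknown user
```

Where stored hashes must be compared directly, hash_equals() is PHP's constant-time string comparison.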

Impact

These vulnerabilities allow an experienced attacker who has access to the WBM to reconstruct the password hashes of the WBM users by sending specifically constructed requests.

Solution

Update the devices to standard firmware 15 or a later version.

Mitigation

  • Use strong passwords for all user accounts, especially for administrative user accounts on the device.
  • Follow the instructions in WAGO's handbook "Cyber Security for Controller".
  • Restrict network access to the device.
  • Do not directly connect the device to the internet.
  • Disable unused TCP/UDP ports.

Reported by

These vulnerabilities were reported to WAGO by:

  • Daniel Szameitat, innogy SE
  • Jan Hoff, innogy SE
  • Daniel Patrick DeSantis, Cisco Talos
  • Lilith [-_-], Cisco Talos

Coordination done by CERT@VDE.