WAGO: Cloud Connectivity Multiple Vulnerabilities

Wago Cloud Connectivity is prone to multiple vulnerabilities

VDE-2020-008 (2020-03-09 10:15 UTC+0100)

Affected Vendors

WAGO

Affected Products

Article Name                                                 Article Number      Version
Series PFC100                                                750-81xx/xxx-xxx    All FW versions >= 11 are affected
Series PFC200                                                750-82xx/xxx-xxx
Touch Panel 600 Standard Line, type Visu- / Control Panel    762-4xxx
Touch Panel 600 Advanced Line, type Visu- / Control Panel    762-5xxx
Touch Panel 600 Marine Line, type Visu- / Control Panel      762-6xxx

The version statement applies to all listed products: firmware versions from FW 11 onward, which introduced the Cloud Connectivity feature, are affected.

Vulnerability Type

Improper Neutralization of Special Elements used in an OS Command (CWE-78)
Improper Access Control (CWE-284)

Summary

The Cloud Connectivity feature of the WAGO PLCs is used to connect the device to the cloud services of different providers. It also supports maintenance functionality, such as firmware updates delivered from the WAGO Cloud.
An attacker needs an authorized login with administrative privileges on the device in order to exploit the vulnerabilities described below:

WAGO Cloud Connectivity Improper Host Validation Vulnerability
CVE-2019-5160
CWE-ID: CWE-284: Improper Access Control
Base Score: 7.2 
Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
An attacker who operates a rogue implementation of the WAGO cloud setup on Microsoft Azure can modify the device's cloud connection configuration so that the device accepts commands issued from the rogue cloud implementation.
This gives the attacker access to the restricted commands by configuring the Cloud Connectivity application hostname to point to an attacker-controlled Azure IoT Hub instance. Because a generic Azure IoT Hub CA certificate is contained in the ca-certificates bundle used by the device, any Azure IoT Hub endpoint is trusted; the device does not verify that the configured hub is the legitimate WAGO one rather than merely some Azure IoT Hub.
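As an added example (not WAGO's code and not taken from the advisory), the following Python shows why a check that the configured hub merely belongs to Azure IoT Hub is insufficient, and what an explicit allowlist of the legitimate hub hostname looks like. The placeholder hostnames, the allowlist contents and the function names are assumptions for illustration; only the `.azure-devices.net` suffix is the real Azure IoT Hub domain.

```python
import re

# Constructed placeholder for the operator's legitimate hub; a real deployment
# must fill this from its own WAGO Cloud configuration (assumption, not from
# the advisory).
ALLOWED_HUB_HOSTS = frozenset({"example-wago-hub.azure-devices.net"})

# Every Azure IoT Hub instance, including an attacker's, lives under this suffix.
AZURE_IOT_HUB_SUFFIX = ".azure-devices.net"

# RFC 1123 label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_hostname(value: str) -> str:
    """Canonicalise a configured hostname; reject anything that is not a bare host."""
    host = value.strip().lower().rstrip(".")
    if not host or len(host) > 253:
        raise ValueError("empty or over-long hostname")
    # Scheme, userinfo, port, path, query or whitespace mean this is not a bare hostname.
    if any(ch in host for ch in "/:@?#\\ \t"):
        raise ValueError(f"hostname contains URL syntax: {value!r}")
    if not all(_LABEL_RE.match(label) for label in host.split(".")):
        raise ValueError(f"malformed hostname label in {value!r}")
    return host


def weak_check(value: str) -> bool:
    """The insufficient check: 'is this an Azure IoT Hub at all?'.

    This is all that trusting the generic Azure IoT Hub CA achieves at the TLS
    layer: an attacker-controlled hub on the same suffix passes exactly like the
    legitimate one.
    """
    try:
        return normalize_hostname(value).endswith(AZURE_IOT_HUB_SUFFIX)
    except ValueError:
        return False


def is_allowed_hub(value: str, allowlist=ALLOWED_HUB_HOSTS) -> bool:
    """Exact-match allowlist check; no suffix or wildcard matching."""
    try:
        return normalize_hostname(value) in allowlist
    except ValueError:
        return False


def apply_cloud_config(new_hostname: str, current: dict) -> dict:
    """Accept a hostname change only if the hub is on the allowlist; otherwise
    refuse and leave the current configuration untouched."""
    if not is_allowed_hub(new_hostname):
        raise PermissionError(f"refusing to point Cloud Connectivity at {new_hostname!r}")
    updated = dict(current)
    updated["hostname"] = normalize_hostname(new_hostname)
    return updated


if __name__ == "__main__":
    rogue = "attacker-hub.azure-devices.net"  # constructed example
    print("weak check accepts rogue hub:", weak_check(rogue))     # True
    print("allowlist accepts rogue hub:", is_allowed_hub(rogue))  # False
```

The allowlist has to be enforced at the point where the configuration is changed (the administrative interface the attacker already holds credentials for), and ideally also by pinning the expected hub hostname or certificate in the TLS client, so that a changed configuration alone cannot redirect the device.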

WAGO Cloud Connectivity Multiple Command Injection Vulnerabilities
CVE-2019-5155
CWE-ID: CWE-78: Improper Neutralization of Special Elements used in an OS Command
Base Score: 7.2
Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
If an attacker has exploited CVE-2019-5160 successfully, the attacker can issue manipulated firmware update commands from the rogue cloud instance to the device.
The attacker can inject OS commands into any of the parameter values contained in the Firmware Update command.

WAGO Cloud Connectivity Timeout Prepared Command Injection Vulnerability 
CVE-2019-5156
CWE-ID: CWE-78: Improper Neutralization of Special Elements used in an OS Command 
Base Score: 7.2
Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
An attacker can inject OS commands into the Timeout Prepared parameter value contained in the Firmware Update command.

WAGO Cloud Connectivity Timeout Unconfirmed Command Injection Vulnerability
CVE-2019-5157
CWE-ID: CWE-78: Improper Neutralization of Special Elements used in an OS Command
Base Score: 7.2
Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
An attacker can inject OS commands into the Timeout Unconfirmed parameter value contained in the Firmware Update command.
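The three command injection entries above share one root cause: parameter values taken from the Firmware Update command reach a shell without validation. The following Python, an added example and not WAGO's code, contrasts that vulnerable pattern with a hardened handler. The command name `fwupdate`, its option names, the parameter keys and the sample values are assumptions; the advisory names only the Timeout Prepared and Timeout Unconfirmed parameters.

```python
import re
import shlex
import subprocess

# Assumed shape of a Firmware Update command received from the cloud. The keys
# follow the advisory's parameter names; the values are constructed samples.
VALID_COMMAND = {"timeout_prepared": "30", "timeout_unconfirmed": "60"}
INJECTED_COMMAND = {"timeout_prepared": "30; touch /tmp/pwned", "timeout_unconfirmed": "60"}

# Assumed update helper; the real binary and flags are not named in the advisory.
FWUPDATE = "fwupdate"


def build_command_unsafe(params: dict) -> str:
    """Vulnerable pattern (CWE-78): values are interpolated into a shell string
    that would later be handed to os.system() or popen()."""
    return (f"{FWUPDATE} start --timeout-prepared {params['timeout_prepared']} "
            f"--timeout-unconfirmed {params['timeout_unconfirmed']}")


def count_shell_commands(cmdline: str) -> int:
    """Tokenise as a POSIX shell would and count command separators.
    A legitimate update line yields exactly one command; an injected one yields more."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    separators = {";", "&", "&&", "|", "||"}
    return 1 + sum(1 for token in lexer if token in separators)


# ASCII digits only: str.isdigit() would also accept Unicode digit characters.
_TIMEOUT_RE = re.compile(r"[0-9]{1,6}")


def parse_timeout(value, lo: int = 1, hi: int = 86400) -> int:
    """Strict positive validation into a typed value with a bounded range. Shell
    metacharacters, whitespace, empty strings and out-of-range numbers are rejected."""
    if not isinstance(value, str) or not _TIMEOUT_RE.fullmatch(value):
        raise ValueError(f"timeout is not a plain decimal number: {value!r}")
    seconds = int(value)
    if not lo <= seconds <= hi:
        raise ValueError(f"timeout {seconds} outside {lo}..{hi}")
    return seconds


def build_command_safe(params: dict) -> list:
    """Hardened handler: validate each parameter into a typed value and build an
    argv list, so no shell ever parses the untrusted input."""
    prepared = parse_timeout(params["timeout_prepared"])
    unconfirmed = parse_timeout(params["timeout_unconfirmed"])
    return [FWUPDATE, "start",
            "--timeout-prepared", str(prepared),
            "--timeout-unconfirmed", str(unconfirmed)]


def run_update(params: dict) -> subprocess.CompletedProcess:
    """Execute with shell=False: argv elements reach execve() verbatim, so even a
    value that slipped past validation could not become a second command."""
    return subprocess.run(build_command_safe(params), shell=False, check=True)


if __name__ == "__main__":
    unsafe = build_command_unsafe(INJECTED_COMMAND)
    print(unsafe)
    print("commands a shell would run:", count_shell_commands(unsafe))  # 2
    print(build_command_safe(VALID_COMMAND))
    try:
        build_command_safe(INJECTED_COMMAND)
    except ValueError as exc:
        print("rejected:", exc)
```

Both layers matter: the allowlist of accepted values stops the injected payload before any command is built, and passing an argv list with `shell=False` removes the shell from the execution path altogether. Fixing only the two timeout parameters would leave the other Firmware Update parameters (CVE-2019-5155) exploitable, so the same typed validation has to cover every field of the command.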

Impact

These vulnerabilities allow an attacker who has administrative privileges on the device, an Azure cloud account and network access to the device to redirect the device's cloud connection to an attacker-controlled IoT Hub. From there the attacker can obtain sensitive data and, via the command injection flaws in the Firmware Update command, execute arbitrary OS commands on the device.

Solution

Use strong passwords for all user accounts, especially for administrative user accounts on the device.

Mitigation

  • Follow the instructions in WAGO's handbook "Cyber Security for Controller".
  • Restrict network access to the device.
  • Do not connect the device directly to the internet.

Reported by

These vulnerabilities were reported by Kelly Leuschner of Cisco Talos to WAGO.
Coordination done by CERT@VDE.