WAGO: e!Cockpit Two Update Package Vulnerabilities

WAGO Update Package (WUP) in e!Cockpit is prone to two vulnerabilities.

VDE-2020-009 (2020-03-09 11:18 UTC+0200)

Affected Vendors

WAGO

Affected Products

Article Name | Article Number | Version
Series PFC100 | 750-81xx/xxx-xxx | All FW versions => 12 are affected
Series PFC200 | 750-82xx/xxx-xxx
Touch Panel 600 Standard Line | 762-4xxx
Touch Panel 600 Advanced Line | 762-5xxx
Touch Panel 600 Marine Line | 762-6xxx

Vulnerability Type

Improper Input Validation (CWE-20)

Summary

The firmware update package (WUP) is not fully signed. The password used offers no additional security; it is only meant to protect against unintentional modification of the WUP file. Thus only the integrity of the signed firmware part (the rauc file) is protected against intentional manipulation. An attacker could manipulate the WUP file so that additional files with potentially malicious content are added to it.
If an authorized user who issues a firmware update could be tricked into installing this manipulated WUP file on the device, the potentially malicious files would also be copied to and installed on the device and executed with elevated privileges.

WAGO e!COCKPIT File Path Improper Input Validation Vulnerability
CVE-2019-5159
CWE-73: External Control of File Name or Path
Base Score: 8.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
A specially crafted firmware update file can allow an attacker to write arbitrary files to arbitrary locations on WAGO controllers as a part of executing a firmware update, potentially resulting in code execution. An attacker can create a malicious firmware update file. An authorized user must initiate a firmware update through e!COCKPIT and choose the malicious file using the file browser to trigger the vulnerability.

WAGO e!COCKPIT Firmware Downgrade Vulnerability
CVE-2019-5158
CWE-20: Improper Input Validation
Base Score: 8.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
By exploiting CWE-73, a specially crafted firmware update file can allow an attacker to install an older firmware version while the user thinks a newer firmware version is being installed. An attacker can create a custom firmware update package with invalid metadata in order to trigger this vulnerability.

Impact

The vulnerabilities allow an attacker who is able to exploit them, and to trick an authorized user into installing the manipulated WUP file on the controller, to manipulate, add or remove any files of their choosing on the corresponding device. Potentially malicious files may be executed.

Solution

Validate the integrity of the WUP update package by verifying the hash of the file before starting FW update.
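One way to carry out this check before starting the update, as an added example (not WAGO's or CERT@VDE's code): it accepts a published reference hash written as hex with or without spaces between bytes, selects SHA-256, SHA-384 or SHA-512 from its length, and compares it with the digest of the whole file. The function names and the stand-in sample file are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import string
import tempfile

# Hex-digit count of the published value -> hashlib algorithm name.
ALGO_BY_HEX_LEN = {64: "sha256", 96: "sha384", 128: "sha512"}

def normalize_published_hash(text):
    """Return lowercase hex for a value like 'DE AD be ef ...', or raise ValueError."""
    hex_str = "".join(text.split()).lower()
    if not hex_str or any(c not in string.hexdigits for c in hex_str):
        raise ValueError("published hash contains non-hex characters")
    if len(hex_str) not in ALGO_BY_HEX_LEN:
        raise ValueError(f"unexpected digest length: {len(hex_str)} hex digits")
    return hex_str

def file_digest(path, algo, chunk_size=1 << 20):
    """Hash the file in chunks so large packages are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_wup(path, published_hash):
    """True only if the whole file matches the published SHA-256/384/512 value."""
    expected = normalize_published_hash(published_hash)
    actual = file_digest(path, ALGO_BY_HEX_LEN[len(expected)])
    return hmac.compare_digest(actual, expected)

def demo():
    """Constructed sample: a stand-in file, not a real WUP package."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.wup")
        with open(path, "wb") as f:
            f.write(b"constructed firmware payload")
        hexd = file_digest(path, "sha512")
        published = " ".join(hexd[i:i + 2] for i in range(0, len(hexd), 2)).upper()
        before = verify_wup(path, published)      # untouched file
        with open(path, "ab") as f:
            f.write(b"content added after publication")
        after = verify_wup(path, published)       # modified file
    return before, after

if __name__ == "__main__":
    print(demo())
```

A reference value that is truncated or contains non-hex characters raises `ValueError` rather than being compared, so a damaged copy of the published hash cannot be mistaken for a match or a mismatch.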

Mitigation

Execute the FW update only as user "admin".

Reported by

These vulnerabilities were reported by Kelly Leuschner of Cisco Talos to WAGO.

Coordination done by CERT@VDE.