WAGO: Web Based Management - Code Execution Vulnerability

An authenticated attacker could use WBM to install software packages without root privileges.

VDE-2020-015 (2020-06-10 10:00 UTC+0200)

CVE Identifier

CVE-2020-6090

Affected Vendors

WAGO

Affected Products

The following products are affected by the listed vulnerabilities:

  • Series PFC100 (750-81xx/xxx-xxx)
  • Series PFC200 (750-82xx/xxx-xxx)
  • 762-4xxx Wago Touch Panel 600 Standard Line
  • 762-5xxx Wago Touch Panel 600 Advanced Line
  • 762-6xxx Wago Touch Panel 600 Marine Line

All FW versions are affected.

Vulnerability Type

Improper Privilege Management (CWE-269)

Summary

The Web-Based Management (WBM) of WAGO's programmable logic controllers (PLCs) is typically used for administration, commissioning and updates.

An attacker needs an authorized login with administrative privileges on the device in order to exploit the vulnerability described here.

An authenticated attacker who has access to the Web-Based Management (WBM) could use the software upload functionality to install software packages with root privileges. This could be used to manipulate the device or to take control of it.

Impact

Based on the described issue, an authenticated attacker is able to install software packages with extended rights. This is an intended functionality to provide the user with a convenient way to install software on the device.

Solution

In previous versions of the WAGO product manuals, a distinction between the WBM and the Linux system was made. This information was misleading, and WAGO has corrected it in the current versions of the manuals, which are expected to be updated in June 2020.

Valid from FW version 03.04.10(16) / chapter 5.1.2.1.2

Mitigation

  • Use strong passwords for administrative accounts on the device.
  • Follow the instructions in WAGO's handbook "Cyber Security for Controller".
  • Restrict network access to the device.
  • Do not connect the device directly to the internet.

Reported by

This vulnerability was reported by Kelly Leuschner of Cisco Talos to WAGO.
Coordination done by CERT@VDE.