WAGO: PPPD in PFC100 and PFC200 Series is vulnerable to CVE-2020-8597

The pppd daemon shipped with WAGO PLCs is vulnerable to CVE-2020-8597 if the daemon has been activated.

VDE-2020-020 (2020-06-10 10:00 UTC+0200)

CVE Identifier

CVE-2020-8597

Affected Vendors

WAGO

Affected Products

Series PFC100 (750-81xx/xxx-xxx) firmware version < FW16
Series PFC200 (750-82xx/xxx-xxx) firmware version < FW16

Vulnerability Type

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)

Summary

WAGO PLCs use Linux as their operating system and offer the ambitious user the opportunity to make their own modifications to expand the functionality of the PLC. For this reason the pppd daemon is also part of the operating system, but it is not activated in the default configuration of the WAGO firmware.

The reported vulnerability is only exploitable if the customer has manually activated the pppd daemon in their individual configuration. If the pppd daemon is used by the customer's application, an unauthenticated remote attacker could cause memory corruption in the pppd process by sending an unsolicited EAP packet, which may allow arbitrary code execution.

Impact

By sending an unsolicited EAP packet to a vulnerable ppp client or server, an unauthenticated remote attacker could cause memory corruption in the pppd process, which may allow for arbitrary code execution.

Reference: IOActive Security Advisory
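The vulnerability class named above (CWE-120: a fixed-size buffer filled from an attacker-controlled length field) can be illustrated with a constructed parser for an EAP-like message. This is an added example, not pppd's code and not WAGO's; the message layout (a one-byte value length, the value bytes, then the peer name as the remainder of the packet) and the 256-byte name buffer are assumptions. It shows a defective bound check beside the hardened one, which truncates and reports the condition instead of overflowing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (not pppd's code, not WAGO's): the CWE-120 pattern the
 * advisory names, in the shape of a peer-name parser for an EAP-like message.
 * Assumed layout: [1 byte value length][value bytes][peer name = remainder].
 * The peer name is copied into a fixed 256-byte buffer. */
#define NAME_BUF 256

/* Defective version: the guard compares the value length against the packet
 * length plus the buffer size, which can never be true, so the remainder is
 * copied unbounded into name[]. Kept only to show the defect; never call it
 * on untrusted input. */
int copy_peer_name_unsafe(const uint8_t *pkt, size_t len, char name[NAME_BUF])
{
    if (len < 1 || (size_t)pkt[0] + 1 > len)
        return -1;
    size_t vallen = pkt[0];
    size_t namelen = len - (vallen + 1);
    if (vallen >= len + NAME_BUF) {              /* wrong quantities compared */
        memcpy(name, pkt + 1 + vallen, NAME_BUF - 1);
        name[NAME_BUF - 1] = '\0';
    } else {
        memcpy(name, pkt + 1 + vallen, namelen); /* overflows if namelen >= 256 */
        name[namelen] = '\0';
    }
    return 0;
}

/* Hardened version: bound the copy by the destination size, and report
 * truncation (1) separately from a malformed packet (-1). */
int copy_peer_name_safe(const uint8_t *pkt, size_t len, char name[NAME_BUF])
{
    if (len < 1 || (size_t)pkt[0] + 1 > len)
        return -1;
    size_t vallen = pkt[0];
    size_t namelen = len - (vallen + 1);
    if (namelen >= NAME_BUF) {
        memcpy(name, pkt + 1 + vallen, NAME_BUF - 1);
        name[NAME_BUF - 1] = '\0';
        return 1;
    }
    memcpy(name, pkt + 1 + vallen, namelen);
    name[namelen] = '\0';
    return 0;
}

/* Build a constructed message into out[]; returns the total length, or 0 if
 * the fields do not fit. */
size_t build_message(uint8_t *out, size_t cap, const uint8_t *val, size_t vallen,
                     const char *peer, size_t peerlen)
{
    if (vallen > 255 || 1 + vallen + peerlen > cap)
        return 0;
    out[0] = (uint8_t)vallen;
    memcpy(out + 1, val, vallen);
    memcpy(out + 1 + vallen, peer, peerlen);
    return 1 + vallen + peerlen;
}

static const uint8_t sample_value[4] = {0x01, 0x02, 0x03, 0x04}; /* constructed */

/* Well-formed message with a short peer name: expect 0 and the exact name. */
int run_normal_case(void)
{
    uint8_t msg[64];
    char name[NAME_BUF];
    size_t n = build_message(msg, sizeof msg, sample_value, 4, "peer-1", 6);
    return n == 11 && copy_peer_name_safe(msg, n, name) == 0
           && strcmp(name, "peer-1") == 0;
}

/* Over-long peer name (300 bytes): expect truncation to 255 bytes, rc 1. */
int run_overlong_case(void)
{
    uint8_t msg[512];
    char longname[300];
    char name[NAME_BUF];
    memset(longname, 'A', sizeof longname);
    size_t n = build_message(msg, sizeof msg, sample_value, 4, longname, sizeof longname);
    return n == 305 && copy_peer_name_safe(msg, n, name) == 1
           && strlen(name) == NAME_BUF - 1;
}

/* Malformed messages: empty packet, and a value length past the packet end. */
int run_malformed_case(void)
{
    uint8_t bad[2] = {0x10, 0x00};
    char name[NAME_BUF];
    return copy_peer_name_safe(bad, 0, name) == -1
           && copy_peer_name_safe(bad, 2, name) == -1;
}

int main(void)
{
    printf("normal: %d overlong: %d malformed: %d\n",
           run_normal_case(), run_overlong_case(), run_malformed_case());
    return 0;
}
```

The hardened parser makes the destination size, not the packet length, the limit of every copy, and it distinguishes a malformed packet from an over-long name so that a caller can log the latter as a signal worth watching on a device where pppd is exposed.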

Solution

If the pppd daemon is activated, update the device to firmware version 16 (FW16) or higher.

Mitigation

  • Follow the instructions in WAGO's handbook "Cyber Security for Controller"
  • Restrict network access to the device
  • Do not directly connect the device to the internet

Reported by

This vulnerability was reported by BSI via CERT@VDE to WAGO.