WAGO: Authentication Bypass Vulnerability in WAGO 750-36X and WAGO 750-8XX Versions <= FW03
VDE-2020-028 (2020-09-30 12:08 UTC+0100)
CVE Identifier
CVE-2020-12506Affected Vendors
WAGO
Affected Products
| Product | Affected Versions |
| 750-362 | <= FW03 |
| 750-363 | <= FW03 |
| 750-823 | <= FW03 |
| 750-832/xxx-xxx | <= FW03 |
| 750-862 | <= FW03 |
| 750-891 | <= FW03 |
| 750-890/xxx-xxx | <= FW03 |
Vulnerability Type
Improper Authentication and Acess Control (CWE-287)
Summary
The Web-Based Management (WBM) of WAGOs programmable logic controller (PLC) is typically used for administration, commissioning and updates.
With special crafted requests it is possible to change some special parameters without authentication.
Impact
This vulnerability allows an attacker who has access to the WBM and knowledge about the directory structure from the WBM to change the parameter setting of the devices by sending specifically constructed requests without authentication.
This can lead to malfunction of the application after reboot.
Solution
| Product | Fixed Versions |
| 750-362 | > FW03 |
| 750-363 | > FW03 |
| 750-823 | > FW03 |
| 750-832/xxx-xxx | > FW03 |
| 750-862 | > FW03 |
| 750-891 | > FW03 |
| 750-890/xxx-xxx | > FW03 |
Mitigation
- Restrict network access to the device.
- Do not directly connect the device to the internet.
- Disable unused TCP/UDP ports.
- Disable web-based management ports 80/443 after the configuration phase
Reported by
Maxim Rupp (https://rupp.it) reported this vulnerability to WAGO.
CERT@VDE coordinated.
