WAGO: XSS vulnerability in Web-UI in WAGO 750-88X and WAGO 750-89X

VDE-2020-029 (2020-09-30 13:11 UTC+0200)

CVE Identifier

CVE-2018-16210

Affected Vendors

WAGO

Affected Products

Product Affected Versions
750-362 <= FW03
750-363 <= FW03
750-823 <= FW03
750-832/xxx-xxx <= FW03
750-862 <= FW03
750-891 <= FW03
750-890/xxx-xxx <= FW03
750-352 <= FW13
750-831/xxx-xxx <= FW13
750-852 <= FW13
750-880/xxx-xxx <= FW13
750-881 <= FW13
750-889 <= FW13

Vulnerability Type

Improper Neutralization of Input During Web Page Generation (CWE-79)

Summary

The Web-Based Management (WBM) of WAGO's programmable logic controllers (PLCs) is typically used for administration, commissioning and updates.
The SNMP configuration page of the device is vulnerable to a persistent XSS (Cross-Site Scripting) attack (CVE-2018-16210).

Impact

To exploit the SNMP configuration page with malicious scripts, an attacker needs an authorized login on the device. A successful attack can be used to install malicious code and to gain access to confidential information.

Solution

Remediation

Update the devices to the following versions:

Product Fixed Versions
750-362 >= FW05
750-363 >= FW05
750-823 >= FW05
750-832/xxx-xxx >= FW05
750-862 >= FW05
750-891 >= FW05
750-890/xxx-xxx >= FW05
750-352 >= FW14
750-831/xxx-xxx >= FW14
750-852 >= FW14
750-880/xxx-xxx >= FW14
750-881 >= FW14
750-889 >= FW14
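
To check an asset inventory against the two version tables above, the following added example (not part of the advisory and not WAGO code) classifies each device by item number and firmware level. The inventory rows and host names are constructed, and ignoring the "/xxx-xxx" variant suffix for every item is an assumption; firmware levels that the advisory lists neither as affected nor as fixed (for example FW04 on the first group) are reported separately instead of being guessed.

```python
import re

# (last affected FW, first fixed FW) -> item numbers, transcribed from the advisory tables.
GROUPS = {
    (3, 5): ["750-362", "750-363", "750-823", "750-832", "750-862", "750-891", "750-890"],
    (13, 14): ["750-352", "750-831", "750-852", "750-880", "750-881", "750-889"],
}
THRESHOLDS = {m: t for t, models in GROUPS.items() for m in models}

# Assumption: any "/xxx-xxx" variant suffix is ignored, so every variant of a
# listed item number is treated like the base item.
ITEM_RE = re.compile(r"^\s*(\d{3}-\d{3})(?:/[\w-]+)?\s*$")
# Accepts "FW13", "fw 13", "13" and "03".
FW_RE = re.compile(r"^\s*(?:FW)?\s*0*(\d+)\s*$", re.IGNORECASE)

def triage(item_number, firmware):
    """Return 'affected', 'fixed', 'unlisted-version', 'not-listed' or 'unparsed'."""
    item = ITEM_RE.match(item_number)
    fw = FW_RE.match(firmware)
    if not item or not fw:
        return "unparsed"
    base = item.group(1)
    if base not in THRESHOLDS:
        return "not-listed"
    last_affected, first_fixed = THRESHOLDS[base]
    version = int(fw.group(1))
    if version <= last_affected:
        return "affected"
    if version >= first_fixed:
        return "fixed"
    # Between the two bounds: the advisory makes no statement about this level.
    return "unlisted-version"

# Constructed sample inventory (hypothetical hosts; 750-999 is a made-up item number).
SAMPLE_INVENTORY = [
    ("plc-line1", "750-880/025-000", "FW13"),
    ("plc-line2", "750-891", "FW05"),
    ("coupler-7", "750-362", "FW04"),
    ("plc-lab", "750-999", "FW02"),
]

def triage_inventory(rows):
    """Map each (host, item number, firmware) row to (host, verdict)."""
    return [(host, triage(item, fw)) for host, item, fw in rows]

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {verdict}")
```

Devices reported as "unlisted-version" or "unparsed" need a manual check against the vendor's release information before they are considered remediated.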

Mitigation

• Restrict network access to the device.
• Use strong passwords.
• Do not directly connect the device to the Internet.
• Disable unused TCP/UDP ports.

Reported by

Secuninja (https://www.secu.ninja) reported this vulnerability to WAGO.

CERT@VDE coordinated.