WAGO: Multiple Vulnerabilities in I/O-Check Service

Multiple vulnerabilities in the WAGO I/O-Check Service were reported.

VDE-2020-036 (2021-06-29 12:00 UTC+0200)

Affected Vendors

WAGO

Affected Products

All FW versions <= FW18 Patch 2 of the following products are affected:

  • Series PFC100 (750-81xx/xxx-xxx)
  • Series PFC200 (750-82xx/xxx-xxx)
  • Series Wago Edge Controller 752-8303/8000-0002
  • Series Wago Touch Panel 600 Standard Line (762-4xxx)
  • Series Wago Touch Panel 600 Advanced Line (762-5xxx)
  • Series Wago Touch Panel 600 Marine Line (762-6xxx)
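
The product list and firmware bound above can be applied to an asset inventory. This is an added example, not part of the advisory or of WAGO's tooling. The inventory rows, the host names, the `FW<n> Patch <m>` string format and the optional variant suffix on item numbers are assumptions.

```python
import re

# Item-number patterns from "Affected Products"; each 'x' stands for one digit.
# Assumption: a variant suffix such as "/025-001" is optional on a real item number.
AFFECTED_SERIES = {
    "PFC100": "750-81xx",
    "PFC200": "750-82xx",
    "Edge Controller": "752-8303/8000-0002",
    "Touch Panel 600 Standard Line": "762-4xxx",
    "Touch Panel 600 Advanced Line": "762-5xxx",
    "Touch Panel 600 Marine Line": "762-6xxx",
}
LAST_AFFECTED = (18, 2)  # FW18 Patch 2 is the last affected release
# Assumption: the inventory records firmware as "FW<n>" or "FW<n> Patch <m>".
FW_RE = re.compile(r"^FW\s*(\d+)(?:\s+Patch\s+(\d+))?$", re.IGNORECASE)

def series_of(item_number):
    """Return the affected series an item number belongs to, or None."""
    for series, pattern in AFFECTED_SERIES.items():
        regex = re.escape(pattern).replace("x", r"\d")
        if re.match(regex + r"(?:/[\d-]+)?$", item_number.strip()):
            return series
    return None

def parse_fw(text):
    """Return (release, patch) as integers, or None if the format is unknown."""
    m = FW_RE.match(text.strip())
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None

def triage(inventory):
    """Return (host, series, status) for each row that needs attention."""
    hits = []
    for host, item_number, firmware in inventory:
        series = series_of(item_number)
        version = parse_fw(firmware)
        # Unparseable firmware on a listed product is reported, not silently dropped.
        if series and (version is None or version <= LAST_AFFECTED):
            hits.append((host, series, "affected" if version else "firmware unknown"))
    return hits

# Constructed sample inventory: (host, item number, firmware). All rows are made up.
SAMPLE = [
    ("plc-line1", "750-8212", "FW18 Patch 2"),          # last affected release
    ("plc-line2", "750-8212/025-001", "FW18 Patch 3"),  # fixed release
    ("hmi-dock", "762-5203/8000-001", "FW17"),
    ("io-coupler", "750-352", "FW12"),                  # not a listed series
    ("plc-lab", "750-8101", "03.05.10"),                # unrecognised firmware string
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```
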

Summary

WAGO PFC iocheckd service "I/O-Check" – Shared Memory Buffer Overflow
CWE-120: Shared Memory Overflow
CVE-2021-34566
CVSSv3 Score: 9.1
CVSS: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Description: An attacker can send a specially crafted packet containing OS commands to crash the iocheck process and write memory.

WAGO PFC iocheckd service "I/O-Check" – Out-of-bounds Read
CWE-125: Out-of-bounds Read
CVE-2021-34567
CVSSv3 Score: 8.2
CVSS: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Description: An attacker can send a specially crafted packet containing OS commands to provoke a denial of service and an out-of-bounds read.

WAGO PFC iocheckd service "I/O-Check" – Allocation of Resources Without Limits
CWE-770: Allocation of Resources Without Limits or Throttling
CVE-2021-34568
CVSSv3 Score: 7.5
CVSS: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description: An attacker can send a specially crafted packet containing OS commands to provoke a denial of service.

WAGO PFC diagnostic tools – Out-of-bounds Write
CWE-787: Out-of-bounds Write
CVE-2021-34569
CVSSv3 Score: 10.0
CVSS: 3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description: An attacker can send a specially crafted packet containing OS commands to crash the diagnostic tool and write memory.

Impact

By exploiting the described vulnerabilities, an attacker may be able to manipulate or disrupt the device.

Solution

The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and most secure way to protect your device from the listed vulnerabilities and possible upcoming zero-day exploits.
Regardless of the action described above, the vulnerability has been fixed in FW18 Patch 3, released in June 2021.
We recommend that all affected users update to the latest firmware version.

Mitigation

  • Disable I/O-Check service
  • Restrict network access to the device.
  • Do not directly connect the device to the internet.

Reported by

These vulnerabilities were reported to WAGO by Uri Katz of Claroty. We thank CERT@VDE for the management of this coordinated disclosure.