WAGO: Multiple Vulnerabilities in CODESYS Runtime 2.3

Multiple vulnerabilities were reported in the CODESYS 2.3 Runtime, an essential component of several WAGO PLCs.

VDE-2021-014 (2021-05-20 17:52 UTC+0200)

Affected Vendors

WAGO

Affected Products

Article No.             Affected Firmware Versions
750-823                 <=FW07
750-829                 <=FW14
750-831/000-00x
750-832/000-00x         <=FW06
750-852                 <=FW14
750-862                 <=FW07
750-880/0xx-xxx         <=FW15
750-881                 <=FW14
750-882
750-885/0xx-xxx
750-889
750-890/0xx-xxx         <=FW07
750-891
750-893
750-8202/xxx-xxx        <03.06.19 (18)
750-8203/xxx-xxx
750-8204/xxx-xxx
750-8206/xxx-xxx
750-8207/xxx-xxx
750-8208/xxx-xxx
750-8210/xxx-xxx
750-8211/xxx-xxx
750-8212/xxx-xxx
750-8213/xxx-xxx
750-8214/xxx-xxx
750-8216/xxx-xxx
750-8217/xxx-xxx

Blank version cells are merged cells in the source table: the article shares the version shown for its group (750-831 with 750-832; 750-8203 through 750-8217 with 750-8202; the remaining blank rows with the adjacent listed article of the same family). Consult the vendor table if the grouping matters for a specific article.

Vulnerability Type

Out-of-bounds Read (CWE-125); the individual entries below additionally cite CWE-770, CWE-22, CWE-122, CWE-121, CWE-20, CWE-284, CWE-120, CWE-358, CWE-787 and CWE-78.

Summary

Multiple vulnerabilities were reported in the CODESYS 2.3 Runtime, an essential component of several WAGO PLCs. The two PFC200-specific findings are listed first, followed by the issues published with reference to CODESYS Advisories 2021-06, 2021-07 and 2021-08.

PFC200 Denial of Service due to the number of connections to the runtime
CVE-2021-21000
CWE-770: Allocation of Resources Without Limits or Throttling
CVSSv3.1: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Description: With specially crafted packets, an unauthenticated attacker with network access to the device can exhaust the runtime's connection handling and cause a denial of service of its login service.

PFC200 Access to files outside the home directory
CVE-2021-21001
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv3.1: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
Description: With specially crafted packets, an authenticated attacker with high privileges (PR:H) and network access to the device can access the file system outside the intended home directory, with higher privileges than the account was granted.

The following vulnerabilities are published with reference to CODESYS Advisory 2021-06 (Security update for CODESYS Control V2 communication)

CODESYS-2021-06: Special crafted requests may cause a denial of service
CVE-2021-30186
CWE-122: Heap-based Buffer Overflow
CVSSv3.1: 5.3 (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
www.codesys.com/security/security-reports.html

CODESYS-2021-06: Special crafted requests may cause remote code execution
CVE-2021-30188
CWE-121: Stack-based Buffer Overflow
CVSSv3.1: 7.5 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
www.codesys.com/security/security-reports.html

CODESYS-2021-06: Special crafted requests may cause a denial of service
CVE-2021-30195
CWE-20: Improper Input Validation
CVSSv3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
www.codesys.com/security/security-reports.html

The following vulnerabilities are published with reference to CODESYS Advisory 2021-07 (Security update for CODESYS V2 web server)

CODESYS-2021-07: Stack-based Buffer Overflow while working with wtc-files
CVE-2021-30189
CWE-121: Stack-based Buffer Overflow
CVSSv3.1: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
www.codesys.com/security/security-reports.html


CODESYS-2021-07: Unauthorized Access to WebVisualisation Variables
CVE-2021-30190
CWE-284: Improper Access Control
CVSSv3.1: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (score as published; note that this vector evaluates to 9.8 under the CVSS v3.1 formula)
www.codesys.com/security/security-reports.html

CODESYS-2021-07: Special crafted requests can cause Buffer Overflow
CVE-2021-30191
CWE-120: Buffer Copy without Checking Size of Input
CVSSv3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
www.codesys.com/security/security-reports.html

CODESYS-2021-07: Special crafted requests can bypass the security check
CVE-2021-30192
CWE-358: Improperly Implemented Security Check
CVSSv3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
www.codesys.com/security/security-reports.html


CODESYS-2021-07: Special crafted requests can write to memory or execute code
CVE-2021-30193
CWE-787: Out-of-bounds Write
CVSSv3.1: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
www.codesys.com/security/security-reports.html


CODESYS-2021-07: Special crafted requests can read out memory or crash the web server
CVE-2021-30194
CWE-125: Out-of-bounds Read
CVSSv3.1: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
www.codesys.com/security/security-reports.html

The following vulnerabilities are published with reference to CODESYS Advisory 2021-08 (Security update for CODESYS Control V2 Linux SysFile library implementation)

CODESYS-2021-08: Code execution with SysFile system library
CVE-2021-30187
CWE-78: Improper Neutralization of Special Elements used in an OS Command
CVSSv3.1: 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
www.codesys.com/security/security-reports.html

Impact

The reported vulnerabilities allow an attacker with network access to the device (local access in the case of CVE-2021-30187) who is able to exploit them to disrupt the CODESYS 2.3 Runtime (denial of service), to read or write memory and files beyond the intended limits, and in the worst cases (CVE-2021-30188, CVE-2021-30189, CVE-2021-30193) to execute code on the device.

Solution

WAGO recommends that all affected users of PLCs with the CODESYS 2.3 Runtime update to the firmware versions listed below.

Series Ethernet Controller:

Article No.             Fixed Version     Available
750-823                 >=FW08            June 2021
750-829                 >=FW15            May 2021
750-831/000-00x
750-832/000-00x         >=FW08            June 2021
750-852                 >=FW15            May 2021
750-862                 >=FW08            June 2021
750-880/0xx-xxx         >=FW16            May 2021
750-881                 >=FW15            May 2021
750-882
750-885/0xx-xxx
750-889
750-890/0xx-xxx         >=FW08            June 2021
750-891
750-893

Blank cells are merged cells in the source table; the article shares the fixed version and availability shown for its group (750-831 with 750-832; the remaining blank rows with the adjacent listed article of the same family).

Series PFC200 Controller

Article No.             Fixed Patch         Patch available   Fixed Firmware   Firmware available (approx.)
750-8202/xxx-xxx        >=03.06.19 (18)     May 2021          >=FW19           August 2021
750-8203/xxx-xxx
750-8204/xxx-xxx
750-8206/xxx-xxx
750-8207/xxx-xxx
750-8208/xxx-xxx
750-8210/xxx-xxx
750-8211/xxx-xxx
750-8212/xxx-xxx
750-8213/xxx-xxx
750-8214/xxx-xxx
750-8216/xxx-xxx
750-8217/xxx-xxx

All PFC200 articles listed share the patch and firmware versions shown for 750-8202.

Mitigation

  1. Use general security best practices to protect systems from local and network attacks.
  2. Do not allow direct access to the device from untrusted networks.
  3. Update to the latest firmware according to the tables in the Solution section.
  4. Disable the CODESYS 2.3 Web-Visualisation and the CODESYS 2.3 runtime port 2455.
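As an added example (not part of the WAGO or CERT@VDE advisory, and not vendor tooling), the following script checks a device inventory against the fixed versions from the Solution tables and flags hosts that still expose port 2455. It transcribes only table rows that carry an explicit version; articles whose version cell is blank on this page come back as "unknown". The host names, article variants, firmware strings and open-port lists in the sample inventory are constructed, and the reading of "03.06.19 (18)" as a dotted patch release with the firmware number in parentheses is an assumption about WAGO's numbering.

```python
# Added example: fleet check against the fixed versions in the Solution tables
# above.  The version mapping transcribes only rows with an explicit value;
# the inventory data below is constructed for this example.
import re

# Series Ethernet Controller: fixed firmware per article family, "FWnn" -> nn.
FIXED_ETHERNET = {
    "750-823": 8, "750-829": 15, "750-832": 8, "750-852": 15,
    "750-862": 8, "750-880": 16, "750-881": 15, "750-890": 8,
}
# Series PFC200 Controller: all listed articles share one patch / firmware.
PFC200_ARTICLES = {
    "750-8202", "750-8203", "750-8204", "750-8206", "750-8207", "750-8208",
    "750-8210", "750-8211", "750-8212", "750-8213", "750-8214", "750-8216",
    "750-8217",
}
FIXED_PFC200_PATCH = (3, 6, 19, 18)   # ">=03.06.19 (18)"
FIXED_PFC200_FW = 19                  # ">=FW19"

CODESYS_PORT = 2455  # CODESYS 2.3 runtime port named in mitigation step 4


def article_base(article: str) -> str:
    """'750-880/0025-0002' -> '750-880' (the variant suffix does not change the fix)."""
    return article.strip().split("/")[0]


def parse_ethernet_fw(text: str) -> int:
    """'FW08' / 'fw8' / '8' -> 8."""
    m = re.fullmatch(r"(?:FW)?(\d+)", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised Ethernet Controller firmware: {text!r}")
    return int(m.group(1))


def parse_pfc200_fw(text: str) -> tuple:
    """Accept '03.06.19 (18)' (assumed: dotted patch release, FW number in
    parentheses) -> (3, 6, 19, 18), or a bare 'FW19' -> (19,)."""
    s = text.strip()
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\s*\((\d+)\)", s)
    if m:
        return tuple(int(x) for x in m.groups())
    m = re.fullmatch(r"(?:FW)?(\d+)", s, re.IGNORECASE)
    if m:
        return (int(m.group(1)),)
    raise ValueError(f"unrecognised PFC200 firmware: {text!r}")


def is_fixed(article: str, firmware: str) -> bool:
    """True when the firmware is at or above the fixed version for the article."""
    base = article_base(article)
    if base in FIXED_ETHERNET:
        return parse_ethernet_fw(firmware) >= FIXED_ETHERNET[base]
    if base in PFC200_ARTICLES:
        v = parse_pfc200_fw(firmware)
        if len(v) == 1:                  # bare firmware release number
            return v[0] >= FIXED_PFC200_FW
        return v >= FIXED_PFC200_PATCH   # dotted patch version, compared as a tuple
    raise KeyError(f"{base}: no explicit fixed version transcribed for this article")


def check_inventory(inventory):
    """Return {host: status}; status is 'fixed', 'update' or 'unknown', with
    ', port 2455 exposed' appended when the inventory lists that port as open."""
    report = {}
    for entry in inventory:
        try:
            status = "fixed" if is_fixed(entry["article"], entry["firmware"]) else "update"
        except (KeyError, ValueError):
            status = "unknown"
        if CODESYS_PORT in entry.get("open_ports", ()):
            status += ", port 2455 exposed"
        report[entry["host"]] = status
    return report


# Constructed sample inventory (hosts, variants, versions and ports are made up).
SAMPLE_INVENTORY = [
    {"host": "plc-01", "article": "750-8202/0025-0001", "firmware": "03.06.19 (18)", "open_ports": [80, 2455]},
    {"host": "plc-02", "article": "750-8206/0025-0001", "firmware": "03.05.10 (17)", "open_ports": [80]},
    {"host": "plc-03", "article": "750-880/0025-0002", "firmware": "FW16", "open_ports": []},
    {"host": "plc-04", "article": "750-881", "firmware": "FW14", "open_ports": [2455]},
    {"host": "plc-05", "article": "750-885/0025-0001", "firmware": "FW14", "open_ports": []},
]

if __name__ == "__main__":
    for host, status in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The comparison is deliberately conservative: anything below the fixed version is reported as "update", including versions between the affected range and the fix (for example FW07 on 750-831/832, which the tables neither list as affected nor as fixed). "unknown" hosts need a manual lookup in the vendor table, and any host with "port 2455 exposed" is a candidate for mitigation steps 2 and 4 regardless of firmware level.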

For further impact information and risk mitigation, please refer to the official CODESYS Advisory Website at https://www.codesys.com/security/security-reports.html

Reported by

These vulnerabilities were reported by

  • Vyacheslav Moskvin, JSC Positive Technologies
  • Anton Dorfman, JSC Positive Technologies
  • Sergey Fedonin, JSC Positive Technologies
  • Ivan Kurnakov, JSC Positive Technologies
  • Denis Goryushev, JSC Positive Technologies

Coordination done by CERT@VDE.