The communication between e!Cockpit and the programmable logic controller is not encrypted. The broken cryptographic algorithm allows an attacker to decode the password for the e!Cockpit communication and with this to manipulate the application.
The password used by e!Cockpit for authentication against the PLC is encrypted with a hard- coded key. An attacker is able to decrypt the password by listening to the network traffic.
A cleartext transmission vulnerability exists in the network communication functionality of WAGO e!Cockpit version 188.8.131.52. An attacker with access to network traffic can easily intercept, interpret, and manipulate data coming from, or destined for e!Cockpit. This includes passwords, configurations, and binaries being transferred to endpoints.
A hard-coded encryption key vulnerability exists in the authentication functionality of WAGO e!Cockpit version 184.108.40.206. An attacker with access to communications between e!Cockpit and CoDeSyS Gateway can trivially recover the password of any user attempting to log in, in plain text.
The vulnerabilities allow an attacker which has access to the network communication between e!Cockpit and the PLC to listen, manipulate, or drop any information they choose from the corresponding communication.
Typically the e!Cockpit communication is only needed during commissioning of the programmable logic controller and not during normal operations. WAGO highly recommends to disable the TCP Port 11740 and UDP Port 1740 after commissioning or to use an encrypted VPN connection to the device.
These vulnerabilities were reported by Nico Jansen of FH Aachen and Carl Hurd of Cisco Talos to WAGO.
Coordination done by CERT@VDE.