
ID

VDE-2020-006

Published

2020-03-09 10:05 (CET)

Last update

2020-04-14 13:18 (CEST)

Vendor(s)

WAGO

Product(s)

Article Name                    Article Number      Version
------------------------------  ------------------  -------------------------------------------
Series PFC100                   750-81xx/xxx-xxx    All FW versions >= FW5, <= FW14 are affected
Series PFC200                   750-82xx/xxx-xxx    All FW versions >= FW5, <= FW14 are affected
Touch Panel 600 Standard Line   762-4xxx            All FW versions >= FW5, <= FW14 are affected
Touch Panel 600 Advanced Line   762-5xxx            All FW versions >= FW5, <= FW14 are affected
Touch Panel 600 Marine Line     762-6xxx            All FW versions >= FW5, <= FW14 are affected

Summary

With specially crafted requests it is possible to obtain sensitive information, in this case the password hashes, by measuring the response delay. Given a substantial amount of time, this data can be used to calculate the passwords of the Web-Based Management users. In the case of CVE-2019-5134, the password salt can also be extracted.

Vulnerabilities

Weakness
Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Summary

An exploitable regular expression without anchors vulnerability exists in the Web-Based Management (WBM) authentication functionality of WAGO PFC200 versions 03.00.39(12) and 03.01.07(13), and WAGO PFC100 version 03.00.39(12). A specially crafted ...

Weakness
Observable Discrepancy (CWE-203)
Summary

An exploitable timing discrepancy vulnerability exists in the authentication functionality of the Web-Based Management (WBM) web application on WAGO PFC100/200 controllers. The WBM application makes use of the PHP crypt() ...

Impact

These vulnerabilities allow an experienced attacker who has access to the WBM to reconstruct the password hashes of the WBM users by sending specifically constructed requests.
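As an added illustrative example (not WAGO's WBM code, and not taken from this advisory), the following PHP contrasts the two weakness classes named above, an unanchored regular expression in input validation and a non-constant-time comparison of a crypt() result, with their defensive forms. The regex, the user store and the function names are assumptions chosen for the illustration.

```php
<?php
// Added illustrative example, not WAGO's WBM code. The regex, the user store and
// the function names are assumptions chosen to show the two weakness classes.

// Constructed user store: one bcrypt hash, the format crypt() and password_hash() share.
function user_store(): array {
    static $users = null;
    if ($users === null) {
        $users = ['admin' => password_hash('correct-horse-battery', PASSWORD_BCRYPT)];
    }
    return $users;
}

// Weak (CWE-200 class): the pattern has no anchors, so it matches a substring
// anywhere in the input and accepts strings the author never intended.
function username_ok_weak(string $u): bool {
    return preg_match('/[a-z0-9_]{1,32}/', $u) === 1;
}

// Hardened: \A and \z anchor the pattern to the whole input (unlike $, \z does
// not tolerate a trailing newline).
function username_ok(string $u): bool {
    return preg_match('/\A[a-z0-9_]{1,32}\z/', $u) === 1;
}

// Weak (CWE-203 class): === on the crypt() output stops at the first differing
// byte, so the response time depends on how much of the stored hash was guessed.
function verify_weak(string $u, string $p): bool {
    $users = user_store();
    if (!isset($users[$u])) return false;
    return crypt($p, $users[$u]) === $users[$u];
}

// Hardened: hash_equals() runs in time independent of where the strings differ,
// and a dummy hash is checked for unknown users so that user existence does not
// change the timing either. password_verify() does the same internally.
function verify(string $u, string $p): bool {
    static $dummy = null;
    if ($dummy === null) $dummy = password_hash('dummy', PASSWORD_BCRYPT);
    $users = user_store();
    $hash = $users[$u] ?? $dummy;
    $ok = hash_equals($hash, crypt($p, $hash));
    return $ok && isset($users[$u]);
}

var_dump(username_ok_weak("../admin"), username_ok("../admin"));
var_dump(verify("admin", "correct-horse-battery"), verify("admin", "wrong"));
```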

Solution

Mitigation

  • Use strong passwords for all user accounts, especially for administrative user accounts on the device.
  • Follow the instructions in WAGO's handbook "Cyber Security for Controller".
  • Restrict network access to the device.
  • Do not connect the device directly to the internet.
  • Disable unused TCP/UDP ports.

Solution

Update the devices to standard firmware 15 or a later version.

Reported by

These vulnerabilities were reported to WAGO by:

  • Daniel Szameitat, innogy SE
  • Jan Hoff, innogy SE
  • Daniel Patrick DeSantis, Cisco Talos
  • Lilith [-_-], Cisco Talos

Coordination done by CERT@VDE.