Share: Email | Twitter

ID

VDE-2020-011

Published

2020-03-09 10:30 (CET)

Last update

2020-03-09 10:30 (CET)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
750-81xx/xxx-xxx (PFC100) < FW16
750-82xx/xxx-xxx (PFC200) < FW16
762-4xxx < FW16
762-5xxx < FW16
762-6xxx < FW16

Summary

An attacker needs an authorized login on the device in order to exploit the herein mentioned vulnerabilities.

The reported vulnerabilities allow a local attacker with valid login credentials who is able to create files on the device to change the devices settings, e.g. default gateway address, time server etc. and potentially execute code.

Vulnerabilities



Weakness
Out-of-bounds Write (CWE-787)
Summary

An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service ‘I/O-Check’ functionality of WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet to ...

Weakness
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)
Summary

An exploitable stack buffer overflow vulnerability exists in the iocheckd service ‘I/O-Check’ functionality of WAGO PFC 200 version 03.02.02(14). A specially crafted XML cache file written to a specific location ...

Weakness
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
Summary

An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 version 03.02.02(14). At 0x1e3f0 the extracted dns value from the xml file is ...

Weakness
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Summary

An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file At ...

Weakness
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Summary

An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific ...

Weakness
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Summary

An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific ...

Weakness
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Summary

An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send specially crafted packet at 0x1ea48 to ...

Weakness
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Summary

An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet to trigger ...

Weakness
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Summary

An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific ...

Weakness
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Summary

An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 version 03.02.02(14). A specially crafted XML cache file written to a specific location ...

Weakness
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Summary

An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific ...

Weakness
Double Free (CWE-415)
Summary

An exploitable double free vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. A specially crafted XML cache file written to a specific location on the device ...

Weakness
Out-of-bounds Write (CWE-787)
Summary

An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service ‘I/O-Check’ functionality of WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a ...

Weakness
Out-of-bounds Write (CWE-787)
Summary

An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service ‘I/O-Check’ functionality of WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet to ...

Weakness
Out-of-bounds Write (CWE-787)
Summary
An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service ‘I/O-Check’ functionality of WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet to ...
Weakness
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)
Summary

An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing ...

Weakness
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)
Summary

An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing ...

Weakness
Out-of-bounds Write (CWE-787)
Summary

An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service ‘I/O-Check’ functionality of WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet to ...

Weakness
Out-of-bounds Write (CWE-787)
Summary

An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service ‘I/O-Check’ functionality of WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet to ...

Weakness
Out-of-bounds Write (CWE-787)
Summary

An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service ‘I/O-Check’ functionality of WAGO PFC 200 Firmware version 03.02.02(14). The destination buffer sp+0x440 is overflowed with the call ...

Impact

By exploiting the described vulnerabilities the attacker potentially is able manipulate or disrupt the device.

Solution

Mitigation

Disable I/O-Check service
Restrict network access to the device.
Do not directly connect the device to the internet.
Disable unused TCP/UDP-ports

Solution

The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.
Regardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.

Reported by

This vulnerability was reported by Kelly Leuschner of Cisco Talos to WAGO coordinated by CERT@VDE.