
ID

VDE-2020-020

Published

2020-06-10 10:00 (CEST)

Last update

2020-06-10 10:00 (CEST)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No.          Product Name   Affected Version(s)
750-81xx/xxx-xxx     PFC100         < FW16
750-82xx/xxx-xxx     PFC200         < FW16

Summary

WAGO PLCs use Linux as their operating system and give the ambitious user the opportunity to make their own modifications to expand the functionality of the PLC. For this reason the pppd daemon is also part of the operating system, but it is not activated in the default configuration of the WAGO firmware.

The reported vulnerability is only exploitable if the customer has manually activated the pppd daemon in their individual configuration. If the pppd daemon is used by the customer's application, an unauthenticated remote attacker could cause memory corruption in the pppd process by sending an unsolicited EAP packet, which may allow arbitrary code execution.


Weakness

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)

Summary

eap.c in pppd in ppp 2.4.2 through 2.4.8 has a buffer overflow of the rhostname buffer in the eap_request and eap_response functions.
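As an added illustration (not WAGO's or pppd's code), the defect class behind this advisory: a peer-name copy whose length check does not actually bound the bytes copied into the fixed rhostname buffer. The flawed predicate is modelled on the eap.c check; the EAP MD5-Challenge value layout and the 256-byte buffer size are assumptions for the example, and the hardened parser shows the bound a fix needs.

```c
#include <stdint.h>
#include <string.h>

#define RHOSTNAME_SZ 256   /* fixed-size peer-name buffer (assumed size) */

/* Flawed check (shape of the defect): it compares the challenge length
 * against the packet length plus the buffer size. Since vallen <= len has
 * already been enforced, this never triggers and the trim branch is dead. */
int name_fits_broken(int vallen, int len)
{
    return !(vallen >= len + RHOSTNAME_SZ);
}

/* Corrected check: the name is the remainder (len - vallen); bound that. */
int name_fits_fixed(int vallen, int len)
{
    return (len - vallen) < RHOSTNAME_SZ;
}

/* Parse an EAP MD5-Challenge value: [value_size][challenge][peer name].
 * inp/len cover the bytes after the EAP header. Copies the name into out
 * (RHOSTNAME_SZ bytes), truncating when it does not fit.
 * Returns the stored name length, or -1 if the packet is malformed. */
int eap_md5_peer_name(const uint8_t *inp, int len, char *out)
{
    if (len < 1) return -1;
    int vallen = inp[0];
    inp++; len--;
    if (vallen < 8 || vallen > len) return -1;     /* challenge must fit */
    int namelen = len - vallen;
    if (!name_fits_fixed(vallen, len))
        namelen = RHOSTNAME_SZ - 1;                 /* trim, never overflow */
    memcpy(out, inp + vallen, (size_t)namelen);
    out[namelen] = '\0';
    return namelen;
}

/* Build a constructed packet (16-byte challenge, `namelen` bytes of 'A')
 * and return how many name bytes the hardened parser stores. */
int stored_name_len(int namelen)
{
    uint8_t pkt[1 + 16 + 1024];
    char rhostname[RHOSTNAME_SZ];
    if (namelen < 0 || namelen > 1024) return -1;
    pkt[0] = 16;
    memset(pkt + 1, 0xAA, 16);
    memset(pkt + 17, 'A', (size_t)namelen);
    return eap_md5_peer_name(pkt, 1 + 16 + namelen, rhostname);
}
```

With a 300-byte name the flawed check still reports "fits", which is exactly the path that overruns the buffer; the corrected check trims the name to 255 bytes.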


Impact

By sending an unsolicited EAP packet to a vulnerable ppp client or server, an unauthenticated remote attacker could cause memory corruption in the pppd process, which may allow arbitrary code execution (source: IOActive Security Advisory).

Solution

If the pppd daemon is activated, update the device to firmware 16 or higher.

Reported by

This vulnerability was reported by BSI via CERT@VDE to WAGO.