ID

VDE-2021-014

Published

2021-05-20 11:08 (CEST)

Last update

2021-07-07 13:02 (CEST)

Vendor(s)

WAGO

Product(s)

Article No. Affected Firmware Versions
750-823 <=FW07
750-829 <=FW14
750-831/000-00x
750-832/000-00x <=FW06
750-852 <=FW14
750-862 <=FW07
750-880/0xx-xxx <=FW15
750-881 <=FW14
750-882
750-885/0xx-xxx
750-889
750-890/0xx-xxx <=FW07
750-891
750-893
750-8202/xxx-xxx <03.06.19 (18)
750-8203/xxx-xxx
750-8204/xxx-xxx
750-8206/xxx-xxx
750-8207/xxx-xxx
750-8208/xxx-xxx
750-8210/xxx-xxx
750-8211/xxx-xxx
750-8212/xxx-xxx
750-8213/xxx-xxx
750-8214/xxx-xxx
750-8216/xxx-xxx
750-8217/xxx-xxx

Summary

Multiple vulnerabilities were reported in the CODESYS 2.3 Runtime. The CODESYS 2.3 Runtime is an essential component in several WAGO PLCs.

Vulnerabilities

  • Out-of-bounds Write (CWE-787): CODESYS V2 runtime system SP before 2.4.7.55 has a Stack-based Buffer Overflow.
  • Incorrect Authorization (CWE-863): CODESYS V2 Web-Server before 1.1.9.20 has an Improperly Implemented Security Check.
  • Out-of-bounds Write (CWE-787): CODESYS V2 Web-Server before 1.1.9.20 has a Stack-based Buffer Overflow.
  • Out-of-bounds Write (CWE-787): CODESYS V2 Web-Server before 1.1.9.20 has an Out-of-bounds Write.
  • Exposure of Resource to Wrong Sphere (CWE-668): CODESYS V2 Web-Server before 1.1.9.20 has Improper Access Control.
  • Out-of-bounds Read (CWE-125): CODESYS V2 Web-Server before 1.1.9.20 has an Out-of-bounds Read.
  • Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120): CODESYS V2 Web-Server before 1.1.9.20 has a Buffer Copy without Checking the Size of the Input.
  • Allocation of Resources Without Limits or Throttling (CWE-770): On WAGO PFC200 devices in different firmware versions, with specially crafted packets an attacker with network access to the device could cause a denial of service for the login service ...
  • Out-of-bounds Write (CWE-787): CODESYS V2 runtime system SP before 2.4.7.55 has a Heap-based Buffer Overflow.
  • Out-of-bounds Read (CWE-125): CODESYS V2 runtime system before 2.4.7.55 has Improper Input Validation.
  • Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22): On WAGO PFC200 devices in different firmware versions, with specially crafted packets an authorised attacker with network access to the device can access the file system with higher privileges.
  • Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78): CODESYS V2 runtime system SP before 2.4.7.55 has Improper Neutralization of Special Elements used in an OS Command.

Impact

The reported vulnerabilities allow an attacker who has access to the device, and is able to exploit them, to manipulate and disrupt the CODESYS 2.3 Runtime.

Solution

WAGO recommends that all affected users of CODESYS 2.3 Runtime PLCs update to the firmware versions listed below.

Series Ethernet Controller:

Article No. Fixed Version Available
750-823 >=FW08 June 2021
750-829 >=FW15 May 2021
750-831/000-00x
750-832/000-00x >=FW08 June 2021
750-852 >=FW15 May 2021
750-862 >=FW08 June 2021
750-880/0xx-xxx >=FW16 May 2021
750-881 >=FW15 May 2021
750-882
750-885/0xx-xxx
750-889
750-890/0xx-xxx >=FW08 June 2021
750-891
750-893

Series PFC200 Controller

Article No.          Fixed Patch        Patch available   Fixed Firmware   Firmware available (approx.)
750-8202/xxx-xxx     >=03.06.19 (18)    May 2021          >=FW19           August 2021
750-8203/xxx-xxx
750-8204/xxx-xxx
750-8206/xxx-xxx
750-8207/xxx-xxx
750-8208/xxx-xxx
750-8210/xxx-xxx
750-8211/xxx-xxx
750-8212/xxx-xxx
750-8213/xxx-xxx
750-8214/xxx-xxx
750-8216/xxx-xxx
750-8217/xxx-xxx

Mitigation

  1. Use general security best practices to protect systems from local and network attacks.
  2. Do not allow direct access to the device from untrusted networks.
  3. Update to the latest firmware according to the tables in the Solution section.
  4. Disable the CODESYS 2.3 Web-Visualisation and CODESYS 2.3 port 2455.

For further impact information and risk mitigation, please refer to the official CODESYS Advisory Website at https://www.codesys.com/security/security-reports.html
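To turn the Solution tables into an inventory check, the following script (an added example, not code from WAGO or CERT@VDE) compares each controller's reported firmware string against the fixed versions the advisory lists. It encodes only the rows that carry an explicit version on the page; rows shown blank there are omitted rather than guessed. The two version formats the advisory uses ("FW07" style for the Ethernet controllers, "03.06.19 (18)" style for the PFC200 patch) are parsed separately, and the article-number wildcards ("0xx-xxx") are treated as single-digit placeholders. The inventory records at the bottom are constructed sample data.

```python
"""Flag WAGO controllers still below the fixed versions listed in VDE-2021-014."""
import re
from typing import Optional

# Fixed versions taken from the advisory's Solution tables. Only rows that carry
# an explicit version on the page are included; rows shown blank there are omitted.
# An 'x' in an article number is a single-digit wildcard, as in the advisory.
FIXED_VERSIONS = {
    "750-823": ["FW08"],
    "750-829": ["FW15"],
    "750-832/000-00x": ["FW08"],
    "750-852": ["FW15"],
    "750-862": ["FW08"],
    "750-880/0xx-xxx": ["FW16"],
    "750-881": ["FW15"],
    "750-890/0xx-xxx": ["FW08"],
    # PFC200: either the patch release or the later full firmware closes the issue.
    "750-8202/xxx-xxx": ["03.06.19 (18)", "FW19"],
}

_FW_RE = re.compile(r"FW(\d+)")
_PFC_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\s*\((\d+)\)")


def parse_version(text: str):
    """Return (scheme, comparable tuple) for 'FW07' or '03.06.19 (18)' style strings."""
    text = text.strip()
    m = _FW_RE.fullmatch(text)
    if m:
        return "fw", (int(m.group(1)),)
    m = _PFC_RE.fullmatch(text)
    if m:
        return "pfc", tuple(int(g) for g in m.groups())
    raise ValueError(f"unrecognised firmware version string: {text!r}")


def _pattern_to_regex(article_pattern: str) -> re.Pattern:
    # Escape the literal characters, then turn each wildcard 'x' into one digit.
    return re.compile(re.escape(article_pattern).replace("x", r"\d"))


def lookup_fixed(article: str) -> Optional[list]:
    """Find the fixed-version thresholds for a concrete article number, or None."""
    for pattern, thresholds in FIXED_VERSIONS.items():
        if _pattern_to_regex(pattern).fullmatch(article):
            return thresholds
    return None


def assess(article: str, firmware: str) -> str:
    """Classify one device as 'fixed', 'affected' or 'not listed'."""
    thresholds = lookup_fixed(article)
    if thresholds is None:
        return "not listed"
    scheme, version = parse_version(firmware)
    for threshold in thresholds:
        t_scheme, t_version = parse_version(threshold)
        if t_scheme == scheme and version >= t_version:
            return "fixed"
    # No threshold of the same scheme is met. For a PFC200 that reports only
    # 'FWnn' this is deliberately conservative: the patch level is not visible,
    # so the device stays flagged until the full revision string confirms it.
    return "affected"


def check_inventory(records):
    """Return [(article, firmware, status), ...] for a list of (article, firmware)."""
    return [(a, f, assess(a, f)) for a, f in records]


# Constructed sample inventory, not data from the advisory.
SAMPLE_INVENTORY = [
    ("750-880/020-000", "FW15"),
    ("750-880/020-000", "FW16"),
    ("750-8202/025-000", "03.05.10 (17)"),
    ("750-8202/025-000", "03.06.19 (18)"),
    ("750-8202/025-000", "FW18"),
    ("750-999", "FW01"),
]

if __name__ == "__main__":
    for article, firmware, status in check_inventory(SAMPLE_INVENTORY):
        print(f"{article:20} {firmware:16} {status}")
```

Feed it the article number and firmware string as reported by each controller (for example from an asset database export); anything reported as "affected" or "not listed" should be followed up by hand, since a device missing from the table may simply be one of the rows the advisory leaves without an explicit version.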

Reported by

These vulnerabilities were reported by

  • Vyacheslav Moskvin, JSC Positive Technologies
  • Anton Dorfman, JSC Positive Technologies
  • Sergey Fedonin, JSC Positive Technologies
  • Ivan Kurnakov, JSC Positive Technologies
  • Denis Goryushev, JSC Positive Technologies

Coordination done by CERT@VDE.