Share: Email | Twitter

ID

VDE-2022-009

Published

2022-04-06 09:30 (CEST)

Last update

2022-04-06 09:30 (CEST)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
750-81xx/xxx-xxx 03.07.14(19) <= 03.07.18(19)
750-81xx/xxx-xxx 03.08.07(20) <= 03.08.08(20)
750-8217/xxx-xxx 03.07.14(19) <= 03.07.18(19)
750-8217/xxx-xxx 03.08.07(20) <= 03.08.08(20)
750-82xx/xxx-xxx 03.07.14(19) <= 03.07.18(19)
750-82xx/xxx-xxx 03.08.07(20) <= 03.08.08(20)
751-9301 03.07.14(19) <= 03.08.08(20)
752-8303/8000-002 03.07.14(19) <= 03.07.18(19)
762-4xxx 03.07.14(19) <= 03.07.18(19)
762-5xxx 03.07.14(19) <= 03.07.18(19)
762-6xxx 03.07.14(19) <= 03.07.18(19)

Summary

The Linux kernel starting from 5.8 has a flaw which can lead to privilege escalation for a local user. The kernel is used in several Versions of the FW of several WAGO products. All vulnerable PLCs are listed in chapter ‘Affected Products’.


Weakness

Improper Preservation of Permissions  (CWE-281) 

Summary

A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.


Impact

An unprivileged user can use the “pipe” functionality in the Linux kernel to write to read only files. This can lead to privilege escalation, because in this way unprivileged processes can inject code into root processes.

For a detailed description of the vulnerability see https://dirtypipe.cm4all.com/

Solution

Mitigation

  • Restrict network access to the device.
  • Use strong passwords
  • Do not directly connect the device to the internet
  • Disable unused TCP/UDP-ports

Remediation

We recommend all effected users to update to the firmware version listed below.

Series WAGO PFC100/PFC200 and WAGO Compact Controller CC100

Product Fixed in Firmware Version
750-81xx/xxx-xxx >= 03.09.04(21)
750-8217/xxx-xxx >= 03.09.05(21)
750-82xx/xxx-xxx >= 03.09.04(21)
751-9301 >= 03.09.04(21)

Series WAGO Touch Panel 600 and WAGO Edge Controller

Product Fixed in Firmware Version
762-4xxx >= 03.07.19(19)
762-5xxx >= 03.07.19(19)
762-6xxx >= 03.07.19(19)
752-8303/8000-002 >= 03.07.19(19)

Reported by

Coordination done by CERT@VDE.