Security researchers at ESET have reported a vulnerability called Kr00k (CVE-2019- 15126) which affects encrypted WiFi traffic for devices using Broadcom or Cypress chipsets. The vulnerability may allow an attacker to decrypt some WPA2- Personal/Enterprise traffic by forcing an AP/client to start utilizing an all-zero encryption key (similar to KRACK vulnerability).
If the software runs as a service, a user with limited access can gain administrator privileges by starting a shell with administrator rights from the Import / Export configuration dialog.
The Phoenix Contact application ‘PC WORX SRT’ is installed as service. The installation path of the application is configured to have insecure permissions which allows any unprivileged user to write arbitrary files to the installation directory where all the configuration files and binaries of the service are located.
The coupler’s function could be inhibited by an attack.
An attacker needs an authorized login on the device in order to exploit the herein mentioned vulnerabilities.
The reported vulnerabilities allow a local attacker with valid login credentials who is able to create files on the device to change the devices settings, e.g. default gateway address, time server etc. and potentially execute code.
An attacker needs an authorized login with administrative privileges on the device in order to exploit the herein mentioned vulnerability.
The weakness allows an attacker which has admin privileges on the device to redirect to his own Azure cloud account and install malicious software with the firmware update functionality.
The firmware update package (WUP) is not signed entirely. The used password offers no additional security, it is just meant to protect from unintentional modifications of the WUP file. Thus only the integrity of the signed firmware part (rauc file) is protected against intended manipulation. An attacker could manipulate the WUP file in a way that additional files with potentially malicious content are added to the WUP file.
In case an authorized user that issues a firmware update could be tricked into installing this manipulated WUP file onto the device, the potentially malicious files would also be copied and installed on to the device and executed with elevated privileges.
The Cloud Connectivity of the WAGO PLCs is used to connect the device with the cloud services from different providers. It also supports maintenance functionality with the firmware update function from the WAGO cloud.
An attacker needs an authorized login with administrative privileges on the device in order to exploit the mentioned vulnerabilities.