WAGO Multiple Vulnerabilities in industrial managed switches

Multiple vulnerabilities have been identified in WAGO 852-303, 852-1305 and 852-1505 industrial managed ethernet switches.

VDE-2019-013 (2019-06-12 13:25 UTC+0200)

Affected Vendors

WAGO

Affected Products

852-303 <V1.2.2.S0
852-1305 <V1.1.6.S0
852-1505 <V1.1.5.S0

Vulnerability Type

Use of Hard-coded Credentials (CWE-798)

Summary

Multiple vulnerabilities have been identified in WAGO 852-303, 852-1305 and 852-1505 industrial managed ethernet switches.

Impact

Vulnerabilities (sorted by severity)

Title: Hardcoded Users And Passwords
CVE-ID: CVE-2019-12550
CVSS Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Vulnerability Type: CWE-798 Use of Hard-coded Credentials

Description
The reported vulnerability allows a remote attacker to manipulate the operating system of the managed switch.

Impact
By exploiting the hardcoded credentials, it is possible to gain access to the operating system of the managed switch with root privileges. This can potentially be used to tamper with the switch, delete applications or implant malicious code.

Solution
Update your managed switch to the latest firmware:
852-303 (>= V1.2.2.S0)
852-1305 (>= V1.1.6.S0)
852-1505 (>= V1.1.5.S0)
Firmware versions published on Jun 7, 2019 or later are fixed.

Mitigation
- Restrict network access to the switch.
- Restrict network access to the SSH server.
- Do not directly connect the device to the internet.

Title: Hardcoded Private Keys For The SSH Daemon
CVE-ID: CVE-2019-12549
CVSS Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Vulnerability Type: CWE-321 Use of Hard-coded Cryptographic Key

Description
The reported vulnerability allows a remote attacker to compromise the managed switch.

Impact
By exploiting the hardcoded SSH key, it is possible to disrupt communication or compromise the managed switch. Because these SSH keys cannot be regenerated by users, all switches use the same key.

Solution
Update your managed switch to the latest firmware:
852-303 (>= V1.2.2.S0)
852-1305 (>= V1.1.6.S0)
852-1505 (>= V1.1.5.S0)
Firmware versions published on Jun 7, 2019 or later are fixed.
Please refer to the corresponding manual.

Mitigation
- Restrict network access to the SSH server.
- Restrict network access to the switch.
- Do not directly connect the device to the internet.

Title: Outdated Third-Party Components
CVE-IDs:
BusyBox 1.12.0
CVE-2013-1813, CVE-2016-2148, CVE-2016-6301, CVE-2011-2716, CVE-2011-5325, CVE-2015-9261, CVE-2016-2147, CVE-2017-16544 etc.
GNU glibc 2.8
CVE-2010-0296, CVE-2010-3856, CVE-2012-4412, CVE-2014-4043, CVE-2014-9402, CVE-2014-9761, CVE-2014-9984, CVE-2015-14 etc.

Description
The listed managed switches used outdated third-party components with known vulnerabilities.

Solution
Update your managed switch to the latest firmware:
852-303 (>= V1.2.2.S0)
852-1305 (>= V1.1.6.S0)
852-1505 (>= V1.1.5.S0)
Firmware versions published on Jun 7, 2019 or later are fixed.

Mitigation
- Restrict network access to the switch.
- Do not directly connect the device to the internet.

Solution

Update your managed switch to the latest firmware:
852-303 (>= V1.2.2.S0)
852-1305 (>= V1.1.6.S0)
852-1505 (>= V1.1.5.S0)
Firmware versions published on Jun 7, 2019 or later are fixed.
Please refer to the corresponding manual.

Reported by

These vulnerabilities were reported by T. Weber / SEC Consult Vulnerability Lab to CERT@VDE.