WAGO Series PFC100/PFC200 Information Disclosure

The reported vulnerability allows a remote attacker to check paths and file names that are used in filesystem operations.

VDE-2019-017 (2019-09-18 13:25 UTC+0100)

CVE Identifier

CVE-2019-18202

Affected Vendors

WAGO

Affected Products

Series PFC100 (750-81xx/xxx-xxx) <FW12
Series PFC200 (750-82xx/xxx-xxx) <FW12

Vulnerability Type

External Control of File Name or Path (CWE-73)

Summary

The reported vulnerability allows a remote attacker to check paths and file names that are used in filesystem operations.

Update, 18.9.2019, 18:30

  • fixed typo in modelname, replaced PCF with PFC

Impact

The vulnerability allows an attacker to check the existence of files via specially crafted HTTP requests. This can be potentially used to identify installed software and leak of sensitive data (e.g. session data stored in the file system).

Solution

Update your device to the latest firmware (>= FW 12).

Mitigation

  • Restrict network access to the web server.
  • Restrict network access to the device.
  • Do not directly connect the device to the internet.

Reported by

This vulnerability was reported by Nico Jansen (Fachhochschule Aachen) to WAGO coordinated by CERT@VDE.