WAGO Multiple Vulnerabilities in I/O-Check Service in Multiple Devices

The reported vulnerabilities allow a remote attacker to change settings, delete the application, reset the device to factory defaults, execute code, and cause a system crash or denial of service.

VDE-2019-022 (2019-12-16 11:00 UTC+0200)

CVE Identifier

CVE-2019-5082

Affected Vendors

WAGO

Affected Products

The following products are affected by the listed vulnerabilities:

  • Series PFC100 (750-81xx/xxx-xxx)
  • Series PFC200 (750-82xx/xxx-xxx)

The following products are affected by the vulnerability "Missing Authentication for Critical Function (CWE-306)":

  • 750-852, 750-831/xxx-xxx, 750-881, 750-880/xxx-xxx, 750-889
  • 750-823, 750-832/xxx-xxx, 750-862, 750-890/xxx-xxx, 750-891

Vulnerability Type

Buffer Copy without Checking Size of Input (CWE-120)

Summary

CVE-2019-5073 CWE-201: Information Exposure Through Sent Data
CVSSv3 Score: 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
-----
CVE-2019-5074 CWE-805: Buffer Access with Incorrect Length Value
CVSSv3 Score: 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
-----
CVE-2019-5075 CWE-805: Buffer Access with Incorrect Length Value
CVSSv3 Score: 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
-----
CVE-2019-5077 CWE-306: Missing Authentication for Critical Function
CVSSv3 Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
-----
CVE-2019-5078 CWE-306: Missing Authentication for Critical Function
CVSSv3 Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
-----
CVE-2019-5079 CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVSSv3 Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
-----
CVE-2019-5080 CWE-306: Missing Authentication for Critical Function
CVSSv3 Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
-----
CVE-2019-5081 CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVSSv3 Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
-----
CVE-2019-5082 CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVSSv3 Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

Impact

These vulnerabilities allow an attacker to manipulate the settings or disturb the basic function of the device via specially crafted IP packets. This can potentially be used to gain control of the device.

Solution

The I/O-Check service protocol is only needed during installation and commissioning, not during normal operation. It is highly recommended to disable IP port 6626 after commissioning. This is the easiest and most secure way to protect your device against the listed vulnerabilities and against future zero-day exploits.

Independently of the action described above, the following CVEs can alternatively be fixed by a firmware update to FW 15 or later:

  • CVE-2019-5073
  • CVE-2019-5074
  • CVE-2019-5075
  • CVE-2019-5079
  • CVE-2019-5081
  • CVE-2019-5082

Mitigation

  • Restrict network access to the device.
  • Do not directly connect the device to the internet.
  • Disable unused TCP/UDP ports.
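Because the fix for the CWE-306 entries is to close port 6626 after commissioning rather than a firmware update, an operator needs a way to verify that the port really is unreachable from production networks and that nothing still talks to it. The script below is an added example for this page, not code from WAGO or CERT@VDE: it runs over boundary-firewall or flow-log lines and flags any I/O-Check traffic, rating it by whether the source sits inside an assumed commissioning subnet (10.10.50.0/24) and whether the firewall let it through. The log format and the sample lines are constructed for the example; the advisory does not say whether the service uses TCP or UDP, so both transports are treated as in scope.

```python
import ipaddress
import re

# Port of the WAGO I/O-Check service named in the advisory. The advisory does not state
# the transport, so both TCP and UDP to this port are treated as I/O-Check traffic here.
IO_CHECK_PORT = 6626

# Assumption for this example: the engineering network from which I/O-Check use is
# legitimate while a device is being commissioned. Replace with your own ranges.
COMMISSIONING_NETS = [ipaddress.ip_network("10.10.50.0/24")]

# Constructed log format for this example (not any vendor's real format):
#   <timestamp> src=<ip> dst=<ip> proto=<tcp|udp> dport=<port> action=<accept|drop>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+) action=(?P<action>accept|drop)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line is not parseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None  # malformed address: skip rather than crash the run
    rec["dport"] = int(rec["dport"])
    return rec


def is_commissioning_host(ip):
    return any(ip in net for net in COMMISSIONING_NETS)


def classify(rec):
    """Severity of one record as I/O-Check exposure, or None if it is unrelated traffic."""
    if rec["dport"] != IO_CHECK_PORT:
        return None
    if rec["action"] == "drop":
        return "info"    # blocked at the boundary; still evidence that the port was probed
    if is_commissioning_host(rec["src"]):
        return "medium"  # engineering host, but in production the port should be disabled
    return "high"        # unauthenticated service reachable from outside the commissioning net


def find_io_check_exposure(lines):
    """Scan log lines and return a list of findings for traffic to the I/O-Check port."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        severity = classify(rec)
        if severity is None:
            continue
        findings.append({
            "ts": rec["ts"],
            "src": str(rec["src"]),
            "dst": str(rec["dst"]),
            "proto": rec["proto"],
            "action": rec["action"],
            "severity": severity,
        })
    return findings


# Constructed sample log: one engineering host, one outside host (TEST-NET-2 address),
# one blocked probe, one unrelated Modbus/TCP line, one unparseable line.
SAMPLE_LOG = [
    "2019-12-16T11:00:01Z src=10.10.50.12 dst=10.10.60.5 proto=tcp dport=6626 action=accept",
    "2019-12-16T11:00:07Z src=192.0.2.45 dst=10.10.60.5 proto=udp dport=6626 action=accept",
    "2019-12-16T11:00:09Z src=192.0.2.45 dst=10.10.60.5 proto=tcp dport=6626 action=drop",
    "2019-12-16T11:00:12Z src=10.10.50.12 dst=10.10.60.5 proto=tcp dport=502 action=accept",
    "garbage line",
]


if __name__ == "__main__":
    for f in find_io_check_exposure(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['ts']} {f['src']} -> {f['dst']}:{IO_CHECK_PORT}/{f['proto']} ({f['action']})")
```

Run against the constructed sample, the script reports the accepted engineering-host session as medium (the port is open when, per the advisory, it should be disabled after commissioning), the accepted session from 192.0.2.45 as high, and the dropped attempt as informational; the Modbus/TCP line and the unparseable line produce no finding. A zero-finding run over production logs is the evidence that the recommended mitigation is in place.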

Reported by

These vulnerabilities were reported by Kelly Leuschner of Cisco Talos to WAGO; disclosure was coordinated by CERT@VDE.