WAGO: Multiple Vulnerabilities in I/O-Check Service

VDE-2020-011 (2020-03-09 10:30 UTC+0100)

Affected Vendors

WAGO

Affected Products

Article Name                    Article Number      Version
Series PFC100                   750-81xx/xxx-xxx    All FW versions < FW16
Series PFC200                   750-82xx/xxx-xxx    All FW versions < FW16
Touch Panel 600 Standard Line   762-4xxx            All FW versions < FW16
Touch Panel 600 Advanced Line   762-5xxx            All FW versions < FW16
Touch Panel 600 Marine Line     762-6xxx            All FW versions < FW16

All firmware versions below FW16 of the listed products are affected. FW16 is expected to be released in Q2/2020.

Vulnerability Type

Buffer Copy without Checking Size of Input/Classic Buffer Overflow (CWE-120)

Summary

An attacker needs an authorized login on the device in order to exploit the vulnerabilities described here.

The reported vulnerabilities allow a local attacker with valid login credentials who is able to create files on the device to change the device's settings (e.g. default gateway address, time server) and potentially execute code. Exploitation takes two steps: the crafted cache file is first written to a specific location on the device, and its parsing is then triggered by a packet sent to the I/O-Check service.

WAGO iocheckd service "I/O-Check" cache DNS code execution vulnerability
CVE-2019-5166
CWE-ID: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Base Score: 8.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
A specially crafted XML cache file written to a specific location on the device can cause a stack buffer overflow, resulting in code execution. An attacker can send a specially crafted packet to trigger the parsing of this cache file.

WAGO iocheckd service "I/O-Check" cache Multiple Command Injection Vulnerabilities
CVE-2019-5167, CVE-2019-5168, CVE-2019-5169, CVE-2019-5170, CVE-2019-5171, CVE-2019-5172, CVE-2019-5173, CVE-2019-5174, CVE-2019-5175
CWE-ID: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Base Score: 8.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
A specially crafted XML cache file written to a specific location on the device can be used to inject OS commands. An attacker can send a specially crafted packet to trigger the parsing of this cache file.
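The two file-parsing defects described above, the unchecked copy into a fixed-size stack buffer (CVE-2019-5166, CWE-120) and the OS command injection from a cache-file value (CVE-2019-5167 through CVE-2019-5175, CWE-78), shown side by side with their fixes in an added C example. This is not WAGO's iocheckd code: the cache-file line format, the "gateway" setting name, the 16-byte field size and the `route add default gw` command are assumptions, and nothing in it executes a command.

```c
/* Added example, not WAGO's iocheckd code. The cache-file line format,
 * the "gateway" setting, the buffer size and the command are assumptions;
 * the point is the CWE-120 and CWE-78 patterns described above and how
 * each is closed. Nothing here executes a command. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define GATEWAY_MAX 16   /* assumed field size: "255.255.255.255" + NUL */

/* Locate the text inside value="..." on one cache-file line.
 * Returns a pointer to its first byte and stores its length, or NULL. */
static const char *find_value(const char *line, size_t *len)
{
    const char *p = strstr(line, "value=\"");
    if (!p) return NULL;
    p += strlen("value=\"");
    const char *q = strchr(p, '"');
    if (!q) return NULL;
    *len = (size_t)(q - p);
    return p;
}

/* CWE-120 as described above: the attribute is copied into a fixed-size
 * stack buffer without checking that it fits, so a crafted value longer
 * than GATEWAY_MAX-1 bytes overwrites what follows the buffer on the
 * stack. Shown for comparison; do not call it with a long value. */
int copy_gateway_unsafe(const char *line)
{
    char gw[GATEWAY_MAX];
    size_t n;
    const char *v = find_value(line, &n);
    if (!v) return -1;
    memcpy(gw, v, n);                 /* no bound check */
    gw[n] = '\0';
    return 0;
}

/* Hardened copy: refuse anything that cannot fit instead of truncating. */
int copy_gateway_safe(const char *line, char *out, size_t out_sz)
{
    size_t n;
    const char *v = find_value(line, &n);
    if (!v) return -1;
    if (n >= out_sz) return -2;       /* too long for the destination */
    memcpy(out, v, n);
    out[n] = '\0';
    return 0;
}

/* Strict dotted-quad allowlist: four decimal octets 0..255 and nothing
 * else, so shell metacharacters can never pass. */
int is_ipv4(const char *s)
{
    int octets = 0;
    while (*s) {
        int v = 0, digits = 0;
        if (!isdigit((unsigned char)*s)) return 0;
        while (isdigit((unsigned char)*s)) {
            v = v * 10 + (*s++ - '0');
            if (++digits > 3 || v > 255) return 0;
        }
        octets++;
        if (*s == '.') { s++; if (!*s) return 0; }
        else if (*s) return 0;
    }
    return octets == 4;
}

/* CWE-78 as described above: the value is pasted into a shell command
 * line, so "1.2.3.4; reboot" would run the injected command with the
 * service's privileges once handed to system(). Only the string is built. */
int build_gateway_cmd_unsafe(const char *gw, char *cmd, size_t cmd_sz)
{
    int n = snprintf(cmd, cmd_sz, "route add default gw %s", gw);
    return (n < 0 || (size_t)n >= cmd_sz) ? -1 : 0;
}

/* Hardened form: validate against the allowlist, then hand the value to
 * execv() as its own argv element so no shell ever parses it. */
int build_gateway_argv_safe(const char *gw, const char *argv[6])
{
    if (!is_ipv4(gw)) return -1;
    argv[0] = "route"; argv[1] = "add"; argv[2] = "default";
    argv[3] = "gw";    argv[4] = gw;    argv[5] = NULL;
    return 0;
}

int main(void)
{
    /* constructed cache-file lines, not real device data */
    const char *good = "<setting name=\"gateway\" value=\"192.168.1.254\"/>";
    const char *over = "<setting name=\"gateway\" value=\"192.168.1.254; /sbin/reboot\"/>";
    char gw[GATEWAY_MAX], cmd[64];
    const char *argv[6];

    printf("safe copy, good line: %d\n", copy_gateway_safe(good, gw, sizeof gw));
    printf("safe copy, long line: %d\n", copy_gateway_safe(over, gw, sizeof gw));
    build_gateway_cmd_unsafe("1.2.3.4; reboot", cmd, sizeof cmd);
    printf("unsafe command line: %s\n", cmd);
    printf("safe argv, injected value: %d\n", build_gateway_argv_safe("1.2.3.4; reboot", argv));
    return 0;
}
```

Note that the two checks are independent: the value `1.2.3.4; reboot` is only 15 bytes and passes the length check, so bounding the copy alone does not stop the command injection, and the allowlist alone does not stop the overflow. Both must be in place, and the command must be run through `execv()` with a fixed argv rather than through `system()`.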

WAGO iocheckd service "I/O-Check" cache Multiple Code Execution Vulnerabilities
CVE-2019-5176, CVE-2019-5177, CVE-2019-5178, CVE-2019-5179, CVE-2019-5180, CVE-2019-5181, CVE-2019-5182
CWE-ID: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Base Score: 8.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

WAGO iocheckd service "I/O-Check" cache gateway Memory Corruption Vulnerability
CVE-2019-5184
CWE-ID: CWE-415: Double Free
Base Score: 7.0
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
A specially crafted XML cache file written to a specific location on the device can cause a heap pointer to be freed twice, resulting in a denial of service and potentially code execution. An attacker can send a specially crafted packet to trigger the parsing of this cache file.
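The double-free pattern described for CVE-2019-5184 (CWE-415), as an added C example that is not WAGO's code: a parse routine whose error path frees a heap field but leaves the dangling pointer stored, so the caller's ordinary cleanup releases the same block again, beside the single-owner form that closes it. The settings struct, the field name and the "no spaces allowed" validation rule are assumptions.

```c
/* Added example, not WAGO's iocheckd code: a cache-file parse routine
 * whose error path frees a field that the caller's normal cleanup frees
 * again (CWE-415, as described above), beside the single-owner fix.
 * The struct, field and validation rule are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

struct gw_settings {
    char *gateway;   /* heap copy of the parsed value, or NULL */
};

/* Vulnerable pattern: the copy is stored first and validated afterwards.
 * On a crafted entry the error path frees it but leaves the dangling
 * pointer in the struct, so settings_free_unsafe() frees it a second
 * time. Shown for comparison; not run here. */
int parse_gateway_unsafe(struct gw_settings *s, const char *value)
{
    s->gateway = strdup(value);
    if (!s->gateway) return -1;
    if (strchr(value, ' ')) {         /* assumed "invalid value" rule */
        free(s->gateway);             /* first free */
        return -1;                    /* pointer still stored */
    }
    return 0;
}

void settings_free_unsafe(struct gw_settings *s)
{
    free(s->gateway);                 /* second free after the error path */
}

/* Fixed form: validate before anything is stored, keep a failed copy
 * local so only one owner ever frees it, and null the pointer on every
 * free so cleanup stays harmless even if it runs twice. */
int parse_gateway_safe(struct gw_settings *s, const char *value)
{
    if (strchr(value, ' ')) return -1;   /* reject before allocating */
    char *copy = strdup(value);
    if (!copy) return -1;
    free(s->gateway);                 /* drop any previous value */
    s->gateway = copy;
    return 0;
}

void settings_free_safe(struct gw_settings *s)
{
    free(s->gateway);
    s->gateway = NULL;                /* free(NULL) is a no-op next time */
}

/* Returns 1 if the fixed cleanup can be run twice on a parsed value
 * without releasing the same block a second time. */
int double_cleanup_is_safe(void)
{
    struct gw_settings s = { NULL };
    if (parse_gateway_safe(&s, "192.168.1.254") != 0) return 0;
    settings_free_safe(&s);
    settings_free_safe(&s);           /* harmless: pointer already NULL */
    return s.gateway == NULL;
}
```

The fix is an ownership rule rather than a single null assignment: a value is only ever stored once it has been validated, a rejected copy is freed by the function that allocated it and nobody else, and the cleanup routine nulls what it frees so a repeated call cannot reach the allocator twice.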

WAGO iocheckd service "I/O-Check" cache Multiple Code Execution Vulnerabilities
CVE-2019-5185, CVE-2019-5186
CWE-ID: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Base Score: 7.0
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Impact

By exploiting the described vulnerabilities, the attacker is potentially able to manipulate or disrupt the device.

Solution

The I/O-Check service protocol is only needed during installation and commissioning, not during normal operation. It is highly recommended to disable the I/O-Check service after commissioning; this is the simplest and most secure way to protect the device from the listed vulnerabilities.
Regardless of the measure described above, the vulnerabilities are expected to be fixed in the FW16 release in Q2/2020.

Mitigation

  • Disable the I/O-Check service.
  • Restrict network access to the device.
  • Do not connect the device directly to the internet.
  • Disable unused TCP/UDP ports.

Reported by

These vulnerabilities were reported by Kelly Leuschner of Cisco Talos to WAGO; the disclosure was coordinated by CERT@VDE.