WAGO: XSS vulnerability in Web-UI in WAGO 750-88X and WAGO 750-89X
VDE-2020-029 (2020-09-30 12:10 UTC+0100)
CVE Identifier
CVE-2018-16210
Affected Vendors
WAGO
Affected Products
Product | Affected Versions |
750-362 | <= FW03 |
750-363 | <= FW03 |
750-823 | <= FW03 |
750-832/xxx-xxx | <= FW03 |
750-862 | <= FW03 |
750-891 | <= FW03 |
750-890/xxx-xxx | <= FW03 |
750-352 | <= FW13 |
750-831/xxx-xxx | <= FW13 |
750-852 | <= FW13 |
750-880/xxx-xxx | <= FW13 |
750-881 | <= FW13 |
750-889 | <= FW13 |
Vulnerability Type
Improper Neutralization of Input During Web Page Generation (CWE-79)
Summary
The Web-Based Management (WBM) of WAGO's programmable logic controllers (PLCs) is typically used for administration, commissioning and updates.
The SNMP configuration page of the device is vulnerable to a persistent XSS (Cross-Site Scripting) attack (CVE-2018-16210).
Impact
To exploit the SNMP configuration page with malicious scripts, an attacker needs an authorized login on the device. This can be used to install malicious code and to gain access to confidential information.
Solution
Remediation
Update the devices to the following versions:
Product | Fixed Versions |
750-362 | >= FW05 |
750-363 | >= FW05 |
750-823 | >= FW05 |
750-832/xxx-xxx | >= FW05 |
750-862 | >= FW05 |
750-891 | >= FW05 |
750-890/xxx-xxx | >= FW05 |
750-352 | >= FW14 |
750-831/xxx-xxx | >= FW14 |
750-852 | >= FW14 |
750-880/xxx-xxx | >= FW14 |
750-881 | >= FW14 |
750-889 | >= FW14 |
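An added example (not part of the advisory and not WAGO or CERT@VDE code): a Python check that classifies an asset inventory against the affected and fixed tables above. The inventory rows, the function names and the accepted firmware spellings are constructed assumptions; a firmware level that falls between the two tables (such as FW04 on the FW03 group) is reported separately because the advisory lists it in neither.

```python
import re

# (highest affected FW, lowest fixed FW) -> item numbers, copied from the advisory tables.
GROUPS = {
    (3, 5): "750-362 750-363 750-823 750-832 750-862 750-891 750-890",
    (13, 14): "750-352 750-831 750-852 750-880 750-881 750-889",
}
THRESHOLDS = {item: fw for fw, items in GROUPS.items() for item in items.split()}

def base_item(item_number):
    """Return the base item number, dropping a variant suffix like '/040-000'.
    Assumption: a variant is matched by its base item number."""
    m = re.match(r"\s*(\d{3}-\d{3})(?:/[\w-]+)?\s*$", item_number)
    return m.group(1) if m else None

def fw_number(firmware):
    """Parse 'FW03', 'fw 13' or '5' into an int; None if it cannot be parsed."""
    m = re.match(r"\s*(?:FW)?\s*(\d+)\s*$", firmware, re.IGNORECASE)
    return int(m.group(1)) if m else None

def classify(item_number, firmware):
    base = base_item(item_number)
    if base not in THRESHOLDS:
        return "not-listed"
    level = fw_number(firmware)
    if level is None:
        return "unknown-firmware"   # treat as needing manual review
    max_affected, min_fixed = THRESHOLDS[base]
    if level <= max_affected:
        return "affected"
    if level >= min_fixed:
        return "fixed"
    return "unclassified"           # between the tables, e.g. FW04 on the FW03 group

# Constructed inventory rows (hostname, item number, firmware) for illustration only.
INVENTORY = [
    ("plc-line1", "750-880/040-000", "FW13"),
    ("plc-line2", "750-881", "FW14"),
    ("coupler-a", "750-362", "fw 04"),
    ("coupler-b", "750-352", "13"),
    ("plc-lab", "750-891", "n/a"),
]

def report(inventory):
    return [(host, classify(item, fw)) for host, item, fw in inventory]

if __name__ == "__main__":
    for host, status in report(INVENTORY):
        print(f"{host:10} {status}")
```

Rows reported as `unclassified` or `unknown-firmware` need a manual check against the device before they are counted as remediated.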
Mitigation
• Restrict network access to the device.
• Use strong passwords.
• Do not directly connect the device to the internet.
• Disable unused TCP/UDP ports.
Reported by
Secuninja (https://www.secu.ninja) reported this vulnerability to WAGO.
CERT@VDE coordinated.