Product Name | Affected Version(s) |
---|---|
750-352 | <= FW13 |
750-362 | <= FW03 |
750-363 | <= FW03 |
750-823 | <= FW03 |
750-831/xxx-xxx | <= FW13 |
750-832/xxx-xxx | <= FW03 |
750-852 | <= FW13 |
750-862 | <= FW03 |
750-880/xxx-xxx | <= FW13 |
750-881 | <= FW13 |
750-889 | <= FW13 |
750-890/xxx-xxx | <= FW03 |
750-891 | <= FW03 |

The Web-Based Management (WBM) of WAGO's programmable logic controllers (PLCs) is typically used for administration, commissioning and updates.
The SNMP configuration page of the device is vulnerable to a persistent XSS (Cross-Site Scripting) attack.
WAGO 750-88X and WAGO 750-89X Ethernet Controller devices, versions 01.09.18(13) and before, have XSS in the SNMP configuration via the webserv/cplcfg/snmp.ssi SNMP_DESC or SNMP_LOC_SNMP_CONT field.
An attacker needs an authorized login on the device in order to exploit the SNMP configuration page with malicious scripts. This can be used to install malicious code and to gain access to confidential information.
Remediation
Update the devices to the following versions:
Product | Fixed Versions |
---|---|
750-362 | >= FW05 |
750-363 | >= FW05 |
750-823 | >= FW05 |
750-832/xxx-xxx | >= FW05 |
750-862 | >= FW05 |
750-891 | >= FW05 |
750-890/xxx-xxx | >= FW05 |
750-352 | >= FW14 |
750-831/xxx-xxx | >= FW14 |
750-852 | >= FW14 |
750-880/xxx-xxx | >= FW14 |
750-881 | >= FW14 |
750-889 | >= FW14 |
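
To triage an asset inventory against the two tables above, the following added example (not part of the original advisory or any WAGO tooling) classifies each device as affected, fixed, or in the gap the advisory does not cover (for example FW04). The function names, the sample inventory and the reading of `01.09.18(13)` as firmware index 13 are assumptions.

```python
import re

# Transcribed from this advisory: (highest affected index, lowest fixed index).
FW13_GROUP = ("750-352", "750-831", "750-852", "750-880", "750-881", "750-889")
FW03_GROUP = ("750-362", "750-363", "750-823", "750-832", "750-862",
              "750-890", "750-891")
RANGES = {**{m: (13, 14) for m in FW13_GROUP},
          **{m: (3, 5) for m in FW03_GROUP}}

def base_article(article):
    """'750-880/025-000' -> '750-880'; variants fall under the /xxx-xxx rows."""
    m = re.match(r"\s*(\d{3}-\d{3})(?:/[\w-]+)?\s*$", article)
    return m.group(1) if m else None

def fw_index(version):
    """Parse 'FW13' or '01.09.18(13)'.
    Assumption: the parenthesised number is the FW index."""
    m = re.fullmatch(r"\s*(?:FW\s*(\d+)|\d+\.\d+\.\d+\((\d+)\))\s*",
                     version, re.I)
    return int(m.group(1) or m.group(2)) if m else None

def triage(article, version):
    base = base_article(article)
    if base not in RANGES:
        return "not-listed"          # not in this advisory's tables
    idx = fw_index(version)
    if idx is None:
        return "unparsed-version"    # needs manual review
    affected_max, fixed_min = RANGES[base]
    if idx <= affected_max:
        return "affected"
    if idx >= fixed_min:
        return "fixed"
    return "between-ranges"          # advisory lists it as neither affected nor fixed

# Constructed sample inventory (not real asset data).
INVENTORY = [
    ("750-880/025-000", "01.09.18(13)"),
    ("750-891", "FW05"),
    ("750-362", "FW04"),
    ("750-8212", "FW20"),
]

def report(inventory=INVENTORY):
    return [(a, v, triage(a, v)) for a, v in inventory]

if __name__ == "__main__":
    for row in report():
        print(*row, sep="\t")
```

Devices reported as `between-ranges` or `unparsed-version` should be treated as unverified and updated to the fixed version listed above.
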
Mitigation
• Restrict network access to the device.
• Use strong passwords.
• Do not directly connect the device to the internet.
• Disable unused TCP/UDP ports.
Secuninja reported this vulnerability to WAGO.
CERT@VDE coordinated.