WAGO: Multiple Vulnerabilities in the Web-Based Management

The Web-Based Management (WBM) of WAGO's industrial managed switches is typically used for administration, commissioning and updates. The reported vulnerabilities allow an attacker with access to the device and the Web-Based Management to install malware, access password hashes and create users with admin credentials.

VDE-2021-013 (2021-05-05 17:04 UTC+0200)

Affected Vendors

WAGO

Affected Products

Item number          Affected FW
0852-0303            <= V1.2.3.S0
0852-1305            <= V1.1.7.S0
0852-1505            <= V1.1.6.S0
0852-1305/000-001    <= V1.0.4.S0
0852-1505/000-001    <= V1.0.4.S0

Summary

The Web-Based Management (WBM) of WAGO's industrial managed switches is typically used for administration, commissioning and updates.

The reported vulnerabilities allow an attacker with access to the device and the Web-Based Management to install malware, access password hashes and create users with admin credentials.

WAGO Managed Switch: Directory Listing
CVE-2021-20993
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVSSv3.1 Score: 5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Directory Listing activated in the web server of the administration interface of the WAGO Ethernet Switches provides an attacker with the index of the resources located inside the directory.

WAGO Managed Switch: Reflected Cross-site Scripting
CVE-2021-20994
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv3.1 Score: 8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
*UPDATE 11.05.21: clarification of the following sentence*
An attacker has to trick a legitimate user into clicking a link in order to inject potentially malicious code into the Web-Based Management.

WAGO Managed Switch: Storage of user credentials in a cookie
CVE-2021-20995
CWE-312: Cleartext Storage of Sensitive Information
CVSSv3.1 Score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
The web server's cookies contain user credentials.

WAGO Managed Switch: Insecure Cookie settings
CVE-2021-20996
CWE-732: Incorrect Permission Assignment for Critical Resource
CVSSv3.1 Score: 5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
With specially crafted requests, web server cookies can be transferred to third parties.
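The two cookie findings above (CVE-2021-20995, credentials stored in a cookie, and CVE-2021-20996, cookie attributes that let the cookie leak to third parties) are the kind of thing an operator can verify on their own device by inspecting the Set-Cookie headers the WBM returns. The following audit helper is an added example written for this advisory; it is not code from WAGO or CERT@VDE, and the sample headers are constructed stand-ins, not captures from a real switch. It flags cookies that lack the Secure, HttpOnly or SameSite attributes, cookies whose names suggest credentials, and cookie values that Base64-decode to user:password text (the advisory does not say how the credentials are encoded; Base64 is an assumption used for illustration).

```python
import base64
import binascii
import re

# Constructed sample Set-Cookie headers for the audit; they are NOT captured from
# a WAGO device and only stand in for whatever a switch's WBM actually sends.
SAMPLE_HEADERS = [
    "sid=9d4e3a7b1c2f0e; Path=/; Secure; HttpOnly; SameSite=Strict",
    "login=YWRtaW46d2FnbzEyMw==; Path=/",
    "username=admin; Path=/; HttpOnly",
]

# Cookie names that suggest credentials are being stored client-side.
CREDENTIAL_NAME = re.compile(r"user|login|pass|pwd|cred", re.IGNORECASE)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def decodes_to_user_pass(value):
    """True if the value is Base64 for printable text of the form user:password."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return False
    return ":" in decoded and decoded.isprintable()


def audit_set_cookie(header):
    """Return the list of findings for one Set-Cookie header (empty list = clean)."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by injected script")
    if "samesite" not in attrs:
        findings.append("missing SameSite: cookie is attached to cross-site requests")
    if CREDENTIAL_NAME.search(name):
        findings.append(f"credential-like cookie name {name!r}")
    if decodes_to_user_pass(value):
        findings.append("value Base64-decodes to user:password text")
    return findings


def audit_headers(headers):
    """Map each cookie name to its list of findings."""
    return {parse_set_cookie(h)[0]: audit_set_cookie(h) for h in headers}


if __name__ == "__main__":
    for cookie, findings in audit_headers(SAMPLE_HEADERS).items():
        print(f"{cookie}: {'OK' if not findings else '; '.join(findings)}")
```

To run this against a real device, collect the Set-Cookie headers from a WBM login response (for example from the browser's network tab or a proxy you operate) and pass them to `audit_headers`; a clean cookie yields an empty list.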

WAGO Managed Switch: Unauthorized access to password hashes
CVE-2021-20997
CWE-522: Insufficiently Protected Credentials
CVSSv3.1 Score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
It is possible to read out the password hashes of all Web-Based Management users.

WAGO Managed Switch: Unauthorized creation of user accounts
CVE-2021-20998
CWE-306: Missing Authentication for Critical Function
CVSSv3.1 Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Without authorization and with specially crafted packets it is possible to create users.

Impact

By exploiting the described vulnerabilities, an attacker is potentially able to manipulate or disrupt the device.

Solution

The Web-Based Management is only needed during installation and commissioning, not during normal operation. It is recommended to disable the web server after commissioning; the Command Line Interface (CLI) is an alternative for commissioning the device. This is the easiest and most secure way to protect your device from the listed vulnerabilities.

Regardless of the action described above, the vulnerabilities are fixed with the following firmware releases.

Item number            FW version
0852-0303 (HW < 3)*    V1.2.5.S0
0852-0303 (HW >= 3)*   V1.2.3.S1
0852-1305              V1.1.8.S0
0852-1505              V1.1.7.S0
0852-1305/000-001      V1.1.4.S0
0852-1505/000-001      V1.1.4.S0

*Detailed information about the hardware version is described in the installation guide.
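Checking an asset inventory against the affected and fixed firmware tables is mostly a matter of comparing version strings correctly: the fix for 0852-0303 with HW >= 3 is V1.2.3.S1, which differs from the last affected release V1.2.3.S0 only in the trailing S field, and the 0852-0303 fix depends on the hardware version. The following is an added example, not code from WAGO or CERT@VDE; it assumes that every firmware version on these switches follows the V<major>.<minor>.<patch>.S<n> pattern shown in this advisory and that fields compare numerically. The affected and fixed versions are copied from the two tables above; the inventory rows are constructed.

```python
import re
from typing import NamedTuple, Optional

# Assumed format of WAGO switch firmware versions, taken from the strings in
# VDE-2021-013: V<major>.<minor>.<patch>.S<n>.
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\.(\d+)\.S(\d+)$")

# From the "Affected Products" table: item number -> last affected firmware.
LAST_AFFECTED = {
    "0852-0303": "V1.2.3.S0",
    "0852-1305": "V1.1.7.S0",
    "0852-1505": "V1.1.6.S0",
    "0852-1305/000-001": "V1.0.4.S0",
    "0852-1505/000-001": "V1.0.4.S0",
}

# From the "Solution" table for items with a single fix line. 0852-0303 is
# handled separately because its fix depends on the hardware version.
FIXED = {
    "0852-1305": "V1.1.8.S0",
    "0852-1505": "V1.1.7.S0",
    "0852-1305/000-001": "V1.1.4.S0",
    "0852-1505/000-001": "V1.1.4.S0",
}


def parse_version(version):
    """Turn 'V1.2.3.S1' into (1, 2, 3, 1) so tuples compare numerically."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    return tuple(int(field) for field in match.groups())


def fixed_version(item, hw_version=None):
    """First fixed firmware for an item; 0852-0303 needs its hardware version."""
    if item == "0852-0303":
        if hw_version is None:
            raise ValueError("0852-0303 needs the hardware version (see installation guide)")
        return "V1.2.5.S0" if hw_version < 3 else "V1.2.3.S1"
    return FIXED[item]


class Assessment(NamedTuple):
    item: str
    firmware: str
    affected: bool   # firmware <= last affected version listed in the advisory
    fixed_in: str    # first firmware release the advisory lists as fixed


def assess(item, firmware, hw_version=None):
    """Compare one device's firmware against the advisory's tables."""
    if item not in LAST_AFFECTED:
        raise KeyError(f"{item} is not listed in VDE-2021-013")
    affected = parse_version(firmware) <= parse_version(LAST_AFFECTED[item])
    return Assessment(item, firmware, affected, fixed_version(item, hw_version))


def assess_inventory(rows):
    """rows: iterable of (item, firmware, hw_version or None)."""
    return [assess(item, fw, hw) for item, fw, hw in rows]


# Constructed inventory rows (not real devices) for a stand-alone run.
INVENTORY = [
    ("0852-0303", "V1.2.3.S0", 3),
    ("0852-0303", "V1.2.3.S0", 2),
    ("0852-1305", "V1.1.8.S0", None),
    ("0852-1505/000-001", "V1.0.4.S0", None),
]

if __name__ == "__main__":
    for a in assess_inventory(INVENTORY):
        state = "AFFECTED, update to " + a.fixed_in if a.affected else "not affected"
        print(f"{a.item:<20} {a.firmware:<12} {state}")
```

A plain string comparison would get the 0852-0303 HW >= 3 case wrong in the other direction for releases such as V1.2.10.S0 versus V1.2.9.S0, which is why the example parses the fields into integers first.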

Mitigation

  • Disable the web server of the device.
  • Use the CLI interface of the device.
  • Update to the latest firmware.
  • Restrict network access to the device.
  • Do not directly connect the device to the internet.

Reported by

These vulnerabilities were reported to WAGO by:

  • Dr. Tobias Augustin of IKS – Institut für Kooperative Systeme GmbH
  • Stephan Tigges of IKS – Institut für Kooperative Systeme GmbH
  • Kai Gaul of ABO Wind AG
  • Jan Rübenach of ABO Wind AG

Coordination by CERT@VDE.