The Web-Based Management (WBM) of WAGOs programmable logic controller (PLC) is typically used for administration, commissioning and updates.
With special crafted requests it is possible to read and write some special parameters without authentication.
This vulnerability is different to advisory SAV-2020-014 / VDE-2020-028.



WAGO: OpenSSL DoS Vulnerability in PLCs

WAGO controllers have always been designed for easy connection to IT infrastructure. Even controllers from legacy product lines support encryption standards to ensure secure communication.
With special crafted requests it is possible to bring the device out of operation.
All listed devices are vulnerable for this denial of service attack.



Critical vulnerabilities have been discovered in the product and in the utilized components jQuery by jQuery Team and TLS Version 1.0/1.1.

The impact of the vulnerabilities on the affected device may result in

  • denial of service
  • remote code execution
  • code exposure



TruControl laser control software from versions 1.04 to 3.0.0 use codesys runtime versions affected by multiple CVEs:

CVE-2021-29242, CVE-2021-29241, CVE-2019-5105, CVE-2020-7052, CVE-2019-9012, CVE-2019-9010, CVE-2019-9009, CVE-2018-10612

In addition to the CVEs listed above, the affected products are also affected by the following three vulnerabilites without a CVE ID:

CODESYS Advisory 2018-07

A crafted communication request may cause an access violation in the affected CODESYS products and may result in a denial-of-service condition.

CVSSv3.0 base score 6.5
CVSSv3.0 Vector (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Link to advisory


CODESYS Advisory 2018-04

The CODESYS runtime system allows to access files outside the restricted working directory of the controller by online services

CVSSv3.0 base score 9.9
CVSSv3.0 Vector (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Link to advisory


CODESYS Advisory 2017-03

A crafted request may cause an access violation in the affected CODESYS products and may result in a denial-of-service condition

CVSSv3.0 base score 7.5
CVSSv3.0 Vector (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Link to advisory



Access to the Apache web server being installed as part of the FL MGUARD DM on Microsoft Windows does not require login credentials even if configured during installation.



A device on the same network as the controller sending a special crafted JSON request to the /auth/access-token endpoint may cause the controller to restart (CWE-20).

UPDATE A

The CVSS score has been raised from 7.7 (CVSS:3.0:AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) to 9.1 (CVSS:3.0:AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)



Third party Niche Ethernet stack has several vulnerabilities announced by the security researcher’s community.
Phoenix Contact Classic Line industrial controllers are developed and designed for the use in closed industrial networks. The communication protocols and device access do not feature authentication measures. Remote attackers can use specially crafted IP packets to cause a Denial of Service or a Breach of Integrity of the PLC.



Feeds

By Vendor

Archive

2024
2023
2022
2021
2020
2019
2018
2017

Legend

(Scoring for CVSS 2.0,3.0+3.1)
None
No CVE available
Low
0.1 <= 3.9
Medium
4.0 <= 6.9
High
7.0 <= 8.9
Critical
9.0 <= 10.0