VDE-2019-002 | CERT@VDE

2019-03-06 11:35 (CET) VDE-2019-002

Pepperl+Fuchs: Path traversal in WirelessHART Gateway

Share: Email | Twitter

ID

VDE-2019-002

Published

2019-03-06 11:35 (CET)

Last update

2019-03-06 11:35 (CET)

Vendor(s)

Pepperl+Fuchs SE

Product(s)

Article No°	Product Name	Affected Version(s)
	WHA-GW-*-ETH	< 03.00.08
	WHA-GW-*-ETH.EIP	< 02.00.01

Summary

Pepperl+Fuchs analyzed WirelessHART-Gateways in respect of a critical vulnerability within the Firmware. An attacker may exploit this vulnerability to get access to files and access restricted directories that are stored on the device by manipulating file parameters that reference these. Incoming HTTP requests using fcgi-bin/wgsetcgi and a filename parameter allow a directory / path traversal. A publicly available exploit already exists for this vulnerability.

CVE ID

CVE-2018-16059

Last Update:

Feb. 18, 2020, 8:01 a.m.

Severity

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Weakness

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Summary

Endress+Hauser WirelessHART Fieldgate SWG70 3.x devices allow Directory Traversal via the fcgi-bin/wgsetcgi filename parameter.

Details

nvd.nist.gov

Impact

Successful vulnerability exploitation enables remote, unauthenticated attackers to gain unauthorized access to arbitrary files on WirelessHART-Gateways. This includes applications, data, credentials and sensitive operating system files.

Solution

A Firmware (version see table below), which solves the problem, is available. Please contact your support representative for this particular firmware package and update the corresponding product.

Product ID	Version	Bus-Interface of Device
WHA-GW-*-ETH	03.00.08	Modbus
WHA-GW-*-ETH.EIP	02.00.01	Ethernet/IP

Reported by

Hamit CİBO published an exploit for the attack.

PEPPERL+FUCHS reported this vulnerability to CERT@VDE.