
ID

VDE-2020-006

Published

2020-03-09 10:05 (CET)

Last update

2020-03-09 10:05 (CET)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No.               Product Name   Affected Version(s)
750-81xx/xxx-xxx          PFC100         FW05 <= FW14
750-82xx/xxx-xxx          PFC200         FW05 <= FW14
762-4xxx                                 FW05 <= FW14
762-5xxx                                 FW05 <= FW14
762-6xxx                                 FW05 <= FW14

Summary

Specially crafted requests allow an attacker to obtain sensitive information, in this case the password hashes, by measuring the response delay of the Web-Based Management (WBM) authentication. Given enough time, the recovered hashes can then be used to compute the passwords of the WBM users. In the case of CVE-2019-5134, the password salt can also be extracted.

Vulnerabilities



Weakness
Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Summary

An exploitable regular expression without anchors vulnerability exists in the Web-Based Management (WBM) authentication functionality of WAGO PFC200 versions 03.00.39(12) and 03.01.07(13), and WAGO PFC100 version 03.00.39(12). A specially crafted ...

Weakness
Observable Discrepancy (CWE-203)
Summary

An exploitable timing discrepancy vulnerability exists in the authentication functionality of the Web-Based Management (WBM) web application on WAGO PFC100/200 controllers. The WBM application makes use of the PHP crypt() ...
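The weakness behind the second entry above, an observable discrepancy (CWE-203) in a hash comparison, is easiest to see in a small model. The following Python is an added example and is not the WAGO WBM code (which is PHP and, per the summary, built around crypt()). It assumes a check in which the attacker can choose the bytes that get compared against the stored hash and can observe how long that comparison took; the advisory itself only says that specially crafted requests make the delay measurable. Response time is modelled deterministically as the number of byte comparisons performed, so the script runs offline. The stored hash and salt are constructed sample data.

```python
"""CWE-203 model: an early-exit hash comparison leaks the stored hash through
an observable discrepancy; a constant-time comparison does not.

Added example, not WAGO firmware code. The observable 'response delay' is
modelled as the count of byte comparisons performed by the check.
"""
import hashlib
import hmac
from typing import Callable, Tuple

# Constructed sample record for one WBM-style user: salted SHA-256, hex-encoded.
SALT = b"constructed-salt"
STORED_HASH = hashlib.sha256(SALT + b"correct horse").hexdigest().encode()

HEX = b"0123456789abcdef"
Oracle = Callable[[bytes], Tuple[bool, int]]


def leaky_equals(candidate: bytes, stored: bytes) -> Tuple[bool, int]:
    """Vulnerable form: compares byte by byte and returns on the first mismatch.

    Returns (equal, work). 'work' is the number of byte comparisons performed,
    which stands in for the response delay an attacker would measure: the
    longer the matching prefix, the more work, the longer the response.
    """
    if len(candidate) != len(stored):
        return False, 0
    work = 0
    for x, y in zip(candidate, stored):
        work += 1
        if x != y:
            return False, work
    return True, work


def constant_time_equals(candidate: bytes, stored: bytes) -> Tuple[bool, int]:
    """Hardened form: hmac.compare_digest takes time independent of where the
    inputs differ. 'work' is reported as the full length for every candidate,
    because that is all an attacker can observe."""
    if len(candidate) != len(stored):
        return False, 0
    return hmac.compare_digest(candidate, stored), len(stored)


def recover_via_work(oracle: Oracle, length: int) -> bytes:
    """Recover a hex secret one character at a time from an oracle that
    reports (equal, work) for a candidate of the right length.

    For each position, try all 16 hex digits with the known prefix in front
    and filler behind; the digit that produces the most work (or a full
    match) is the correct one. Against a constant-time oracle every wrong
    guess scores the same, so the recovery fails.
    """
    known = bytearray()
    for pos in range(length):
        best_char, best_score = HEX[0], (False, -1)
        for c in HEX:
            candidate = bytes(known) + bytes([c]) + b"0" * (length - pos - 1)
            equal, work = oracle(candidate)
            score = (equal, work)          # a full match outranks any partial one
            if score > best_score:
                best_char, best_score = c, score
        known.append(best_char)
    return bytes(known)


def demo() -> dict:
    """Run the recovery against both checks and report the outcome."""
    n = len(STORED_HASH)
    leaked = recover_via_work(lambda c: leaky_equals(c, STORED_HASH), n)
    guarded = recover_via_work(lambda c: constant_time_equals(c, STORED_HASH), n)
    return {
        "leaky_recovered_hash": leaked == STORED_HASH,
        "constant_time_recovered_hash": guarded == STORED_HASH,
        "queries_per_check": n * len(HEX),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The recovery needs only 16 queries per hex digit, so a 64-character hash falls in about a thousand requests once the delay difference is measurable. Hashing the submitted password and comparing digests with `hmac.compare_digest` (or PHP's `hash_equals`) removes the signal; restricting who can reach the WBM at all, as the mitigations below advise, removes the attacker's ability to measure it.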

Impact

These vulnerabilities allow an experienced attacker with network access to the WBM to reconstruct the password hashes of the WBM users by sending specially constructed requests and measuring the responses.

Solution

Mitigation

  • Use strong passwords for all user accounts, especially for administrative user accounts on the device.
  • Follow the instructions in WAGO's handbook "Cyber Security for Controller".
  • Restrict network access to the device.
  • Do not connect the device directly to the internet.
  • Disable unused TCP/UDP ports.

Solution

Update the devices to standard firmware FW15 or later.

Reported by

These vulnerabilities were reported to WAGO by:

  • Daniel Szameitat, innogy SE
  • Jan Hoff, innogy SE
  • Daniel Patrick DeSantis, Cisco Talos
  • Lilith [-_-], Cisco Talos

Coordination done by CERT@VDE.