
ID

VDE-2020-008

Published

2020-03-09 10:15 (CET)

Last update

2020-03-09 10:15 (CET)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No.           Product Name   Affected Version(s)
750-81xx/xxx-xxx      PFC100         >= FW11
750-82xx/xxx-xxx      PFC200         >= FW11
762-4xxx                             >= FW11
762-5xxx                             >= FW11
762-6xxx                             >= FW11

Summary

The Cloud Connectivity of the WAGO PLCs is used to connect the device with the cloud services from different providers. It also supports maintenance functionality with the firmware update function from the WAGO cloud.
An attacker needs an authorized login with administrative privileges on the device in order to exploit the mentioned vulnerabilities.

Vulnerabilities



Last Update
April 14, 2020, 1:23 p.m.
Weakness
Improper Input Validation (CWE-20)
Summary

An exploitable improper host validation vulnerability exists in the Cloud Connectivity functionality of WAGO PFC200 Firmware versions 03.02.02(14), 03.01.07(13), and 03.00.39(12). A specially crafted HTTPS POST request can cause the software to connect to an unauthorized host, resulting in unauthorized access to firmware update functionality. An attacker can send an authenticated HTTPS POST request to direct the Cloud Connectivity software to connect to an attacker controlled Azure IoT Hub node.

Last Update
April 14, 2020, 1:24 p.m.
Weakness
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Summary

An exploitable command injection vulnerability exists in the cloud connectivity functionality of WAGO PFC200 versions 03.02.02(14), 03.01.07(13), and 03.00.39(12). An attacker can inject operating system commands into the TimeoutPrepared parameter value contained in the firmware update command.

Last Update
April 14, 2020, 1:24 p.m.
Weakness
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Summary

An exploitable command injection vulnerability exists in the Cloud Connectivity functionality of WAGO PFC200 Firmware versions 03.02.02(14), 03.01.07(13), and 03.00.39(12). An attacker can inject OS commands into the TimeoutUnconfirmed parameter value contained in the Firmware Update command.

Last Update
April 14, 2020, 1:23 p.m.
Weakness
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Summary

An exploitable command injection vulnerability exists in the cloud connectivity feature of WAGO PFC200. An attacker can inject operating system commands into any of the parameter values contained in the firmware update command. This affects WAGO PFC200 Firmware version 03.02.02(14), version 03.01.07(13), and version 03.00.39(12).
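The three findings above share one root cause: values such as TimeoutPrepared and TimeoutUnconfirmed reach an OS command without being constrained to the type they represent, and the cloud host is not checked against what the operator expects. The following is an added illustration of the input handling that closes both gaps; it is not WAGO's code, and the JSON field layout, the HubHost field name, the allow-listed hub hostname and the updater path are assumptions made for the example.

```python
"""Hardened handling of a cloud-connectivity firmware update command.

Added example, not WAGO firmware code. The command is assumed to arrive as
a JSON object with integer TimeoutPrepared / TimeoutUnconfirmed fields and a
HubHost string; only the two timeout parameter names come from the advisory.
"""
from typing import Any, Dict, List

# Only hubs the operator has explicitly approved may be contacted
# (constructed hostname; real deployments load this from signed config).
ALLOWED_HUB_HOSTS = {"example-hub.azure-devices.net"}

# Timeouts are bounded integers; anything else is rejected outright, so no
# shell metacharacter can ever reach a command line.
TIMEOUT_PARAMS = ("TimeoutPrepared", "TimeoutUnconfirmed")
MAX_TIMEOUT_SECONDS = 86_400


def validate_update_command(cmd: Dict[str, Any]) -> Dict[str, Any]:
    """Return a sanitized copy of cmd, or raise ValueError."""
    clean: Dict[str, Any] = {}
    for name in TIMEOUT_PARAMS:
        value = cmd.get(name)
        # bool is a subclass of int in Python; exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"{name} must be an integer, got {value!r}")
        if not 0 <= value <= MAX_TIMEOUT_SECONDS:
            raise ValueError(f"{name} out of range: {value}")
        clean[name] = value
    host = cmd.get("HubHost")
    # Allow-list membership, not a pattern match: the operator decides
    # which hub the controller may ever talk to.
    if not isinstance(host, str) or host not in ALLOWED_HUB_HOSTS:
        raise ValueError(f"hub host not permitted: {host!r}")
    clean["HubHost"] = host
    return clean


def is_valid_update_command(cmd: Dict[str, Any]) -> bool:
    """Boolean wrapper around validate_update_command for callers that log and drop."""
    try:
        validate_update_command(cmd)
        return True
    except ValueError:
        return False


def build_update_argv(clean: Dict[str, Any]) -> List[str]:
    """Argument vector for the updater (hypothetical path), to be run with
    subprocess.run(argv) and never through a shell string."""
    return ["/usr/bin/fwupdate",
            "--timeout-prepared", str(clean["TimeoutPrepared"]),
            "--timeout-unconfirmed", str(clean["TimeoutUnconfirmed"]),
            "--hub", clean["HubHost"]]
```

Because the validated values are passed as separate argv elements rather than interpolated into a shell string, even a future relaxation of the integer check would not turn the parameter into a command.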

Impact

These vulnerabilities allow an attacker who has administrative privileges, an Azure cloud account and access to the device to redirect the cloud connection and thereby obtain sensitive data.

Solution

Mitigation

Follow the instructions in WAGO's handbook Cyber Security for Controller.
Restrict network access to the device.
Do not connect the device directly to the internet.

Solution

Use strong passwords for all user accounts, especially for administrative user accounts on the device.

Reported by

These vulnerabilities were reported by Kelly Leuschner of Cisco Talos to WAGO.
Coordination done by CERT@VDE.