
ID

VDE-2020-010

Published

2020-03-09 10:25 (CET)

Last update

2020-03-09 10:25 (CET)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
750-81xx/xxx-xxx (PFC100) >= FW12
750-82xx/xxx-xxx (PFC200) >= FW12
762-4xxx >= FW12
762-5xxx >= FW12
762-6xxx >= FW12

Summary

An attacker needs an authorized login with administrative privileges on the device in order to exploit the vulnerability described here.
The weakness allows an attacker who has admin privileges on the device to redirect the cloud connection to their own Azure cloud account and install malicious software through the firmware update functionality.


Last Update:

April 14, 2020, 2:51 p.m.

Weakness

Insufficient Verification of Data Authenticity (CWE-345)

Summary

An exploitable remote code execution vulnerability exists in the Cloud Connectivity functionality of WAGO PFC200 versions 03.02.02(14), 03.01.07(13), and 03.00.39(12). A specially crafted XML file will direct the Cloud Connectivity service to download and execute a shell script with root privileges.


Impact

These vulnerabilities allow an attacker who has admin privileges, an Azure cloud account and access to the device to redirect the cloud connection. The attacker is then able to install any malicious software by manipulating the firmware update file.

An exploitable remote code execution vulnerability exists in the Cloud Connectivity functionality of affected WAGO products. A specially crafted XML file will direct the Cloud Connectivity service to download and execute a shell script with root privileges.

Solution

Mitigation

Check the hashes of the update package; do not use update files whose hash differs from the original one.
Follow the instructions in WAGO's handbook "Cyber Security for Controller".
Restrict network access to the device.
Do not directly connect the device to the internet
Use an encrypted VPN connection to the device
Disable unused TCP/UDP-ports
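
The first mitigation above, as an added example (not WAGO's or CERT@VDE's code): a Python check that compares an update file against a published hash before the file is used. The advisory does not name the hash algorithm; SHA-256, the function names and the sample data are assumptions.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB pieces so large images do not fill memory


def file_digest(path, algorithm="sha256"):
    """Return the hex digest of the file at `path`."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_update(path, published_hex, algorithm="sha256"):
    """True only if the file's digest equals the published value.

    Raises ValueError when the published value is not a well-formed digest
    for `algorithm`, so a truncated or mistyped reference never passes.
    """
    expected = published_hex.strip().lower()
    size = hashlib.new(algorithm).digest_size * 2  # hex characters expected
    if len(expected) != size or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError(f"not a {algorithm} hex digest: {published_hex!r}")
    return hmac.compare_digest(file_digest(path, algorithm), expected)


def demo():
    """Constructed sample: a stand-in update file and a tampered copy."""
    original = b"constructed firmware image contents\n" * 1000
    # Assumption: stands in for the hash published with the original file.
    published = hashlib.sha256(original).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("genuine", original), ("tampered", original + b"\x00")):
            p = os.path.join(d, name + ".img")
            with open(p, "wb") as f:
                f.write(data)
            results[name] = verify_update(p, published)
    return results


if __name__ == "__main__":
    print(demo())
```

Obtain the published value over a channel separate from the one that delivered the update file; a hash fetched alongside a redirected download proves nothing.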

Solution

Use strong passwords for all user accounts, especially for administrative user accounts on the device.

Reported by

These vulnerabilities were reported by Kelly Leuschner of Cisco Talos to WAGO. Coordination done by CERT@VDE.