Share: Email | Twitter

ID

VDE-2020-015

Published

2020-06-10 10:00 (CEST)

Last update

2020-06-10 10:00 (CEST)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
750-82xx/xxx-xxx (PFC200) all versions
762-4xxx all versions
762-5xxx all versions
762-6xxx all versions
750-81xx/xxx-xxx Series PFC100 all versions

Summary

The Web-Based Management (WBM) of WAGOs programmable logic controller (PLC) is typically used for administration, commissioning and updates. 

An attacker needs an authorized login with administrative privileges on the device in order to exploit the herein mentioned vulnerability.

 An authenticated attacker who has access to the Web Based Management (WBM) could use the software upload functionality to install software package with root privileges. This fact could be potentially used to manipulate the device or to get control of the device.


Last Update:

June 26, 2020, 2:06 p.m.

Weakness

Improper Privilege Management  (CWE-269) 

Summary

An exploitable code execution vulnerability exists in the Web-Based Management (WBM) functionality of WAGO PFC 200 03.03.10(15). A specially crafted series of HTTP requests can cause code execution resulting in remote code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.


Impact

Based on the described issue, an authenticated attacker is able to install software packages with extended rights. This is an intended functionality to provide the user with a convenient way to install software on the device.

Solution

In previous versions of the WAGO product manuals, a distinction between the WBM and the Linux system was made. This information was misleading and WAGO has corrected this in current versions of the manuals, which are expected to be update in June 2020.

 Valid from FW version 03.04.10(16) / chapter 5.1.2.1.2

Mitigation

  • Use strong passwords for administrative accounts on the device
  • Follow the instructions in WAGOs handbook Cyber Security for Controller
  • Restrict network access to the device.
  • Do not directly connect the device to the internet

Reported by

These vulnerabilities were reported by Kelly Leuschner of Cisco Talos to WAGO.
Coordination done by CERT@VDE.