The Web-Based Management (WBM) of WAGO's programmable logic controllers (PLCs) is typically used for administration, commissioning and updates.
An attacker needs an authorized login with administrative privileges on the device in order to exploit the vulnerability described here.
An authenticated attacker who has access to the Web-Based Management (WBM) could use the software upload functionality to install a software package with root privileges. This could potentially be used to manipulate the device or to take control of it.
An exploitable code execution vulnerability exists in the Web-Based Management (WBM) functionality of WAGO PFC 200 03.03.10(15). A specially crafted series of HTTP requests can result in remote code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Based on the described issue, an authenticated attacker is able to install software packages with extended rights. This is intended functionality that gives the user a convenient way to install software on the device.
Previous versions of the WAGO product manuals made a distinction between the WBM and the Linux system. This information was misleading, and WAGO has corrected it in current versions of the manuals, which are expected to be updated in June 2020.
Valid from FW version 03.04.10(16) / chapter 18.104.22.168.2
These vulnerabilities were reported by Kelly Leuschner of Cisco Talos to WAGO.
Coordination done by CERT@VDE.