Share: Email | Twitter

ID

VDE-2020-029

Published

2020-09-30 13:11 (CEST)

Last update

2020-09-30 13:11 (CEST)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No┬░ Product Name Affected Version(s)
750-352 <= FW13
750-362 <= FW03
750-363 <= FW03
750-823 <= FW03
750-831/xxx-xxx <= FW13
750-832/xxx-xxx <= FW03
750-852 <= FW13
750-862 <= FW03
750-880/xxx-xxx <= FW13
750-881 <= FW13
750-889 <= FW13
750-890/xxx-xxx <= FW03
750-891 <= FW03

Summary

The Web-Based Management (WBM) of WAGOs programmable logic controller (PLC) is typically used for administration, commissioning and updates.
The SNMP configuration page of the device is vulnerable for a persistent XSS (Cross-Site Scripting) attack.


Last Update:

Oct. 7, 2020, 8:07 a.m.

Weakness

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')  (CWE-79) 

Summary

WAGO 750-88X and WAGO 750-89X Ethernet Controller devices, versions 01.09.18(13) and before, have XSS in the SNMP configuration via the webserv/cplcfg/snmp.ssi SNMP_DESC or SNMP_LOC_SNMP_CONT field.


Impact

An attacker needs an authorized login on the device in order to exploit the snmp configuration website with malicious scripts. This can be used to install malicious code and to gain access to confidential information.

Solution

Remediation

Update the devices to the following versions:

Product Fixed Versions
750-362 >= FW05
750-363 >= FW05
750-823 >= FW05
750-832/xxx-xxx >= FW05
750-862 >= FW05
750-891 >= FW05
750-890/xxx-xxx >= FW05
750-352 >= FW14
750-831/xxx-xxx >= FW14
750-852 >= FW14
750-880/xxx-xxx >= FW14
750-881 >= FW14
750-889 >= FW14

Mitigation

• Restrict network access to the device.
• Use strong passwords
• Do not directly connect the device to the internet
• Disable unused TCP/UDP-ports

Reported by

Secuninja reported this vulnerability to WAGO.

CERT@VDE coordinated.