
ID

VDE-2021-013

Published

2021-05-05 10:54 (CEST)

Last update

2021-07-07 10:56 (CEST)

Vendor(s)

WAGO

Product(s)

Item number          Affected FW
0852-0303            <= V1.2.3.S0
0852-1305            <= V1.1.7.S0
0852-1505            <= V1.1.6.S0
0852-1305/000-001    <= V1.0.4.S0
0852-1505/000-001    <= V1.0.4.S0

Summary

The Web-Based Management (WBM) of WAGO's industrial managed switches is typically used for administration, commissioning and updates.

The reported vulnerabilities allow an attacker with access to the device and the Web-Based Management to install malware, access password hashes and create users with admin credentials.

Vulnerabilities

Weakness: Missing Authentication for Critical Function (CWE-306)
Summary: In multiple managed switches by WAGO in different versions it is possible to create users without authorization by sending specially crafted packets.

Weakness: Cleartext Storage of Sensitive Information (CWE-312)
Summary: In multiple managed switches by WAGO in different versions the web server cookies of the web-based UI contain user credentials.

Weakness: Insufficiently Protected Credentials (CWE-522)
Summary: In multiple managed switches by WAGO in different versions it is possible to read out the password hashes of all Web-Based Management users.

Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary: In multiple managed switches by WAGO in different versions an attacker may trick a legitimate user into clicking a link that injects potentially malicious code into the Web-Based Management.

Weakness: Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Summary: In multiple managed switches by WAGO in different versions the enabled directory listing provides an attacker with an index of the resources located inside the directory.

Weakness: Incorrect Permission Assignment for Critical Resource (CWE-732)
Summary: In multiple managed switches by WAGO in different versions specially crafted requests can lead to cookies being transferred to third parties.

Impact

By exploiting the described vulnerabilities, an attacker may be able to manipulate or disrupt the device.

Solution

The Web-Based Management is only needed during installation and commissioning, not during normal operation. It is recommended to disable the web server after commissioning. The Command Line Interface (CLI) is an alternative for commissioning the device. This is the easiest and most secure way to protect your device from the listed vulnerabilities.

Regardless of the action described above, the vulnerabilities are fixed with the following firmware releases.

Item number           FW version
0852-0303 (HW < 3)*   V1.2.5.S0
0852-0303 (HW >= 3)*  V1.2.3.S1
0852-1305             V1.1.8.S0
0852-1505             V1.1.7.S0
0852-1305/000-001     V1.1.4.S0
0852-1505/000-001     V1.1.4.S0

*Detailed information about the hardware version is described in the installation guide.
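As an added illustration (not part of the advisory), the Python script below checks a firmware inventory against the affected and fixed versions listed above, so an operator can see which switches still need the update. It assumes the advisory's version strings follow the "V<major>.<minor>.<patch>.S<build>" pattern and compare element-wise; the hostnames and firmware strings in the sample inventory are constructed, the item number "0000-0000" is a placeholder for an unlisted product, and the hardware version of 0852-0303 units is assumed to be known from the installation guide. A version at or above the listed fixed release is treated as fixed; a version that is neither at or below the affected ceiling nor at or above the fixed release is flagged for manual verification with the vendor, because the tables do not cover it.

```python
"""
Inventory check against the firmware tables in VDE-2021-013.

Added example, not part of the advisory. The affected/fixed tables are
transcribed from the advisory text; the device inventory below is constructed
sample data (placeholder hostnames and a placeholder item number), not real
equipment.
"""
import re
from typing import Optional

# WAGO firmware strings in this advisory look like "V1.2.3.S0".
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\.(\d+)\.S(\d+)$")


def parse_version(text: str) -> tuple:
    """Convert 'V1.2.3.S0' into the comparable tuple (1, 2, 3, 0).

    Element-wise tuple comparison gives the ordering the advisory relies on,
    e.g. V1.2.3.S1 is newer than V1.2.3.S0 but older than V1.2.5.S0.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    return tuple(int(part) for part in match.groups())


# Highest affected firmware per item number ("Product(s)" table).
AFFECTED_UP_TO = {
    "0852-0303": "V1.2.3.S0",
    "0852-1305": "V1.1.7.S0",
    "0852-1505": "V1.1.6.S0",
    "0852-1305/000-001": "V1.0.4.S0",
    "0852-1505/000-001": "V1.0.4.S0",
}

# Fixed firmware per item number ("Solution" table). 0852-0303 has two
# lines depending on the hardware version and is handled in fixed_version().
_FIXED = {
    "0852-1305": "V1.1.8.S0",
    "0852-1505": "V1.1.7.S0",
    "0852-1305/000-001": "V1.1.4.S0",
    "0852-1505/000-001": "V1.1.4.S0",
}


def fixed_version(item: str, hw_version: Optional[int] = None) -> str:
    """Return the fixed firmware release for an item number."""
    if item == "0852-0303":
        if hw_version is None:
            raise ValueError("0852-0303 requires the hardware version (see installation guide)")
        return "V1.2.5.S0" if hw_version < 3 else "V1.2.3.S1"
    return _FIXED[item]


def assess(item: str, firmware: str, hw_version: Optional[int] = None) -> str:
    """Classify one device: 'not-listed', 'fixed', 'affected' or 'unverified'.

    Assumption: anything at or above the fixed release counts as fixed. A
    version above the affected ceiling but below the fixed release is not
    covered by the advisory tables, so it is returned as 'unverified'.
    """
    if item not in AFFECTED_UP_TO:
        return "not-listed"
    current = parse_version(firmware)
    if current >= parse_version(fixed_version(item, hw_version)):
        return "fixed"
    if current <= parse_version(AFFECTED_UP_TO[item]):
        return "affected"
    return "unverified"


# Constructed sample inventory: (hostname, item number, firmware, hw version).
SAMPLE_INVENTORY = [
    ("sw-hall1-01", "0852-0303", "V1.2.3.S0", 2),
    ("sw-hall1-02", "0852-0303", "V1.2.3.S1", 3),
    ("sw-hall1-03", "0852-0303", "V1.2.3.S1", 2),        # fixed release for HW>=3 only
    ("sw-hall2-01", "0852-1305", "V1.1.8.S0", None),
    ("sw-hall2-02", "0852-1505/000-001", "V1.0.4.S0", None),
    ("sw-office-01", "0000-0000", "V9.9.9.S0", None),    # placeholder, unlisted item
]


def check_inventory(inventory=SAMPLE_INVENTORY) -> dict:
    """Map each hostname to its assessment."""
    return {host: assess(item, fw, hw) for host, item, fw, hw in inventory}


if __name__ == "__main__":
    for host, status in check_inventory().items():
        print(f"{host:14} {status}")
```

The third sample device shows why the hardware version matters: V1.2.3.S1 is the fixed release for 0852-0303 with HW >= 3, but on an HW < 3 unit the advisory names V1.2.5.S0, so the script does not report it as fixed.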

Mitigation

  • Disable the web server of the device.
  • Use the command line interface (CLI) of the device instead.
  • Update to the latest firmware.
  • Restrict network access to the device.
  • Do not directly connect the device to the internet.

Reported by

These vulnerabilities were reported to WAGO by:

  • Dr. Tobias Augustin of IKS – Institut für Kooperative Systeme GmbH
  • Stephan Tigges of IKS – Institut für Kooperative Systeme GmbH
  • Kai Gaul of ABO Wind AG
  • Jan Rübenach of ABO Wind AG

Coordination done by CERT@VDE.