
ID

VDE-2021-050

Published

2021-11-16 12:02 (CET)

Last update

2021-11-16 12:03 (CET)

Vendor(s)

WAGO

Product(s)

Vulnerable to all vulnerabilities listed in the Vulnerabilities section:

Article Number       Affected Firmware Versions
750-829              <=FW16
750-831/000-00x      <=FW14
750-852              <=FW16
750-880/0xx-xxx      <=FW16
750-881              <=FW16
750-882              <=FW16
750-885/0xx-xxx      <=FW16
750-889              <=FW16
750-331              <=FW16
750-352/xxx-xxx      <=FW16

Vulnerable only to CVE-2021-31344, CVE-2021-31346, CVE-2021-31890:

Article Number       Affected Firmware Versions
750-823              <=FW09
750-832/000-00x      <=FW09
750-862              <=FW09
750-890/0xx-xxx      <=FW09
750-891              <=FW09
750-893              <=FW09
750-332              <=FW09
750-362/xxx-xxx      <=FW09
750-363/xxx-xxx      <=FW09
750-364/xxx-xxx      <=FW09
750-365/xxx-xxx      <=FW09

WAGO devices are not affected by CVE-2021-31885.

Summary

Multiple vulnerabilities were reported in the Nucleus Real-Time Operating System (RTOS). Nucleus RTOS is an essential component of several WAGO PLCs and fieldbus couplers. WAGO also uses older versions of Nucleus RTOS in legacy products.

For additional information please consult the official Siemens advisory:

• Advisory SSA-044112

Vulnerabilities



Weakness
Improper Null Termination (CWE-170)
Summary

FTP server does not properly validate the length of the “USER” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.

Source
cert-portal.siemens.com 
Weakness
Improper Null Termination (CWE-170)
Summary

The DHCP client application assumes that the data supplied with the “Hostname” DHCP option is NULL terminated. In cases when the global hostname variable is not defined, this may lead to Out-of-bound ...

Source
cert-portal.siemens.com 
Weakness
Improper Null Termination (CWE-170)
Summary

FTP server does not properly validate the length of the “MKD/XMKD” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.

Source
cert-portal.siemens.com 
Weakness
Improper Null Termination (CWE-170)
Summary

FTP server does not properly validate the length of the “PWD/XPWD” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.

Source
cert-portal.siemens.com 
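
The three FTP entries above (USER, MKD/XMKD, PWD/XPWD) share one root cause: a command argument is copied into a fixed-size buffer without first comparing its length to that buffer. The following C fragment is an added illustration for this advisory, not Nucleus or WAGO code; the 32-byte buffer size, the session structure and the function names are assumptions. It places the vulnerable pattern beside a hardened handler that works on (pointer, length), rejects oversized arguments instead of truncating them, and writes the terminating NUL itself.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the server's fixed username buffer (not a Nucleus value). */
#define USER_MAX 32

typedef struct {
    char name[USER_MAX];
} ftp_session;

/* Vulnerable pattern: the argument is copied into a fixed stack buffer
 * without comparing its length to the buffer. "USER " followed by USER_MAX
 * or more bytes overruns 'user' and whatever lies above it on the stack,
 * which is the stack-based overflow the entries describe. Shown for
 * contrast only; never feed it untrusted input. */
int ftp_user_vulnerable(const char *line)
{
    char user[USER_MAX];
    if (strncmp(line, "USER ", 5) != 0)
        return 500;                 /* 500: syntax error, command unrecognized */
    strcpy(user, line + 5);         /* unbounded copy */
    return 331;                     /* 331: user name okay, need password */
}

/* Hardened: treat the input as (pointer, length), strip CRLF, check the
 * argument length against the destination before copying, and terminate
 * the string explicitly so later string functions cannot run off the end.
 * Oversized input is rejected rather than silently truncated. */
int ftp_user_hardened(ftp_session *s, const char *line, size_t line_len)
{
    while (line_len > 0 && (line[line_len - 1] == '\r' || line[line_len - 1] == '\n'))
        line_len--;
    if (line_len < 5 || memcmp(line, "USER ", 5) != 0)
        return 500;
    const char *arg = line + 5;
    size_t arg_len = line_len - 5;
    if (arg_len == 0 || arg_len >= sizeof s->name)
        return 501;                 /* 501: syntax error in parameters or arguments */
    memcpy(s->name, arg, arg_len);
    s->name[arg_len] = '\0';
    return 331;
}

/* Builds "USER " + arg_len * 'A' + CRLF on the heap and runs it through the
 * hardened handler, so the boundary can be probed for any length. */
int ftp_user_probe(size_t arg_len)
{
    ftp_session s;
    size_t n = 5 + arg_len + 2;
    char *line = malloc(n);
    if (!line)
        return -1;
    memcpy(line, "USER ", 5);
    memset(line + 5, 'A', arg_len);
    memcpy(line + 5 + arg_len, "\r\n", 2);
    int rc = ftp_user_hardened(&s, line, n);
    free(line);
    return rc;
}

static ftp_session g_session;   /* shared session used by main() */

int main(void)
{
    int rc = ftp_user_hardened(&g_session, "USER wago\r\n", 11);
    printf("USER wago      -> %d, stored \"%s\"\n", rc, g_session.name);
    printf("31-byte name   -> %d\n", ftp_user_probe(USER_MAX - 1));
    printf("32-byte name   -> %d (rejected)\n", ftp_user_probe(USER_MAX));
    printf("1000-byte name -> %d (rejected)\n", ftp_user_probe(1000));
    return 0;
}
```

The same (pointer, length) discipline applies to MKD/XMKD and PWD/XPWD: the path argument and the reply buffer both need their lengths checked before any copy, and the reply must be built with a bounded formatter.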
Weakness
Improper Validation of Specified Quantity in Input (CWE-1284)
Summary

The total length of an ICMP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer ...

Source
cert-portal.siemens.com 
Weakness
Improper Handling of Inconsistent Structural Elements (CWE-240)
Summary

The total length of a TCP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network ...

Source
cert-portal.siemens.com 
Weakness
Improper Validation of Specified Quantity in Input (CWE-1284)
Summary

The total length of a UDP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on a ...

Source
cert-portal.siemens.com 
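
The ICMP, TCP and UDP entries above describe the same missing check: the stack derives the transport payload length from the Total Length field of the IP header without confirming that this value fits inside the bytes actually received. The following C parser is an added example for this advisory, not Nucleus or WAGO code; the frame bytes are constructed, and the status codes and structure names are assumptions. It validates IHL and Total Length against the received length before deriving the payload, then cross-checks the UDP Length field and the TCP Data Offset against that result.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    IP_OK = 0,
    IP_ERR_SHORT,     /* fewer bytes than a minimal 20-byte IPv4 header */
    IP_ERR_VERSION,   /* not IPv4 */
    IP_ERR_IHL,       /* IHL < 5 or header runs past the received bytes */
    IP_ERR_TOTLEN,    /* Total Length < header or > received bytes */
    IP_ERR_L4_SHORT,  /* transport header does not fit in the IP payload */
    IP_ERR_L4_LEN     /* UDP Length field disagrees with the IP payload */
} ip_status;

typedef struct {
    uint8_t        proto;
    uint16_t       hdr_len;    /* IHL * 4 */
    uint16_t       total_len;  /* Total Length as claimed, after validation */
    const uint8_t *l4;         /* transport header */
    uint16_t       l4_len;     /* bytes from l4 to the end of the IP payload */
    const uint8_t *data;       /* transport payload */
    uint16_t       data_len;
} ipv4_pkt;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* buf_len is the number of bytes actually received for this packet. Every
 * length taken from a header is checked against it before it is used. */
ip_status ipv4_parse(const uint8_t *buf, size_t buf_len, ipv4_pkt *out)
{
    memset(out, 0, sizeof *out);
    if (buf_len < 20)               return IP_ERR_SHORT;
    if ((buf[0] >> 4) != 4)         return IP_ERR_VERSION;
    uint16_t ihl = (uint16_t)((buf[0] & 0x0f) * 4);
    if (ihl < 20 || ihl > buf_len)  return IP_ERR_IHL;
    uint16_t tot = be16(buf + 2);
    /* The check the three entries describe as missing: the claimed Total
     * Length must cover its own header and must not exceed what was
     * received. Trusting it blindly lets tot - ihl exceed the buffer (or
     * wrap), and every later payload read goes out of bounds. */
    if (tot < ihl || tot > buf_len) return IP_ERR_TOTLEN;

    out->proto     = buf[9];
    out->hdr_len   = ihl;
    out->total_len = tot;
    out->l4        = buf + ihl;
    out->l4_len    = (uint16_t)(tot - ihl);

    switch (out->proto) {
    case 1:    /* ICMP: fixed 8-byte header, the rest is payload */
        if (out->l4_len < 8) return IP_ERR_L4_SHORT;
        out->data = out->l4 + 8;
        out->data_len = (uint16_t)(out->l4_len - 8);
        break;
    case 17: { /* UDP: carries its own Length; it must fit inside the IP payload */
        if (out->l4_len < 8) return IP_ERR_L4_SHORT;
        uint16_t ulen = be16(out->l4 + 4);
        if (ulen < 8 || ulen > out->l4_len) return IP_ERR_L4_LEN;
        out->data = out->l4 + 8;
        out->data_len = (uint16_t)(ulen - 8);
        break;
    }
    case 6: {  /* TCP: Data Offset in 32-bit words must lie within the payload */
        if (out->l4_len < 20) return IP_ERR_L4_SHORT;
        uint16_t doff = (uint16_t)((out->l4[12] >> 4) * 4);
        if (doff < 20 || doff > out->l4_len) return IP_ERR_L4_SHORT;
        out->data = out->l4 + doff;
        out->data_len = (uint16_t)(out->l4_len - doff);
        break;
    }
    default:
        out->data = out->l4;
        out->data_len = out->l4_len;
    }
    return IP_OK;
}

/* Constructed sample frames (not captured traffic), all 32 bytes on the wire. */
/* 192.168.1.10:68 -> 192.168.1.1:67, UDP, 4-byte payload, Total Length 32. */
static const uint8_t good_udp[32] = {
    0x45, 0x00, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    192, 168, 1, 10, 192, 168, 1, 1,
    0x00, 0x44, 0x00, 0x43, 0x00, 0x0c, 0x00, 0x00, 0xde, 0xad, 0xbe, 0xef };
/* Same bytes, but Total Length claims 1500. */
static const uint8_t lying_totlen[32] = {
    0x45, 0x00, 0x05, 0xdc, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    192, 168, 1, 10, 192, 168, 1, 1,
    0x00, 0x44, 0x00, 0x43, 0x00, 0x0c, 0x00, 0x00, 0xde, 0xad, 0xbe, 0xef };
/* Consistent IP header, but the UDP Length field claims 256 bytes. */
static const uint8_t lying_udplen[32] = {
    0x45, 0x00, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    192, 168, 1, 10, 192, 168, 1, 1,
    0x00, 0x44, 0x00, 0x43, 0x01, 0x00, 0x00, 0x00, 0xde, 0xad, 0xbe, 0xef };

static ipv4_pkt g_pkt;

int main(void)
{
    ip_status st = ipv4_parse(good_udp, sizeof good_udp, &g_pkt);
    printf("good_udp     -> %d, UDP payload %u bytes\n", st, g_pkt.data_len);
    printf("lying_totlen -> %d\n", ipv4_parse(lying_totlen, sizeof lying_totlen, &g_pkt));
    printf("lying_udplen -> %d\n", ipv4_parse(lying_udplen, sizeof lying_udplen, &g_pkt));
    printf("truncated    -> %d\n", ipv4_parse(good_udp, 24, &g_pkt));
    return 0;
}
```

The received length must come from the driver (the DMA descriptor or frame length), never from the packet itself; once Total Length has been clamped to it, every later length in the packet is checked against the validated payload length rather than against the raw buffer.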
Weakness
Integer Underflow (Wrap or Wraparound) (CWE-191)
Summary

Malformed TCP packets with a corrupted SACK option leads to Information Leaks and Denial-of-Service conditions.

Source
cert-portal.siemens.com 
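
The SACK entry above is an integer underflow: a TCP option's Length byte covers the Kind and Length bytes themselves, so a parser that computes (Length - 2) / 8 blocks wraps when a corrupted Length is 0 or 1, and then walks far past the option area. The following C fragment is an added example for this advisory, not Nucleus or WAGO code; the option bytes are constructed and the type and function names are assumptions. It shows the wrapping arithmetic in isolation, then an options walker that rejects any Length below 2, beyond the options area, or not a whole number of 8-byte SACK blocks.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t left, right; } sack_block;

typedef struct {
    uint16_t   mss;
    bool       have_mss;
    sack_block blocks[4];   /* RFC 2018: at most 4 blocks fit in 40 bytes of options */
    size_t     count;
} tcp_opts;

typedef enum { TCPOPT_OK = 0, TCPOPT_ERR_TRUNC, TCPOPT_ERR_LEN } tcpopt_status;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* The vulnerable arithmetic on its own: with a corrupted Length of 0 or 1
 * the subtraction wraps in unsigned arithmetic and the block count becomes
 * enormous, so the loop that follows reads well past the option area. */
size_t sack_block_count_naive(uint8_t optlen)
{
    return ((size_t)optlen - 2) / 8;
}

/* Hardened walk over the options area (opt, len = Data Offset*4 - 20). */
tcpopt_status tcp_parse_options(const uint8_t *opt, size_t len, tcp_opts *out)
{
    memset(out, 0, sizeof *out);
    size_t i = 0;
    while (i < len) {
        uint8_t kind = opt[i];
        if (kind == 0) return TCPOPT_OK;            /* End of Option List */
        if (kind == 1) { i++; continue; }           /* No-Operation: single byte */
        if (i + 1 >= len) return TCPOPT_ERR_TRUNC;  /* Kind present, Length byte missing */
        uint8_t olen = opt[i + 1];
        /* Length covers Kind+Length, so < 2 is malformed (and would wrap below);
         * it must also fit in what remains of the options area. */
        if (olen < 2 || olen > len - i) return TCPOPT_ERR_LEN;
        const uint8_t *val = opt + i + 2;
        size_t vlen = (size_t)olen - 2;             /* cannot wrap: olen >= 2 */
        switch (kind) {
        case 2:  /* Maximum Segment Size */
            if (vlen != 2) return TCPOPT_ERR_LEN;
            out->mss = be16(val);
            out->have_mss = true;
            break;
        case 5:  /* SACK: 1..4 blocks of (left edge, right edge) */
            if (vlen == 0 || vlen % 8 != 0 || vlen / 8 > 4) return TCPOPT_ERR_LEN;
            for (size_t k = 0; k < vlen; k += 8) {
                out->blocks[out->count].left  = be32(val + k);
                out->blocks[out->count].right = be32(val + k + 4);
                out->count++;
            }
            break;
        default: /* unknown option: skipped by its declared, now validated, length */
            break;
        }
        i += olen;
    }
    return TCPOPT_OK;
}

/* Constructed option areas (not captured traffic). */
static const uint8_t opts_ok[]    = { 2, 4, 0x05, 0xb4, 1, 1, 5, 10, 0, 0, 0, 100, 0, 0, 0, 200, 0 };
static const uint8_t opts_len1[]  = { 5, 1, 0, 0, 0, 0, 0, 0, 0, 0 };  /* SACK with Length 1 */
static const uint8_t opts_over[]  = { 5, 18, 0, 0, 0, 1 };             /* claims 2 blocks, 4 bytes follow */
static const uint8_t opts_nolen[] = { 1, 1, 5 };                        /* SACK Kind as the last byte */

static tcp_opts g_tcp;

int main(void)
{
    printf("naive block count for Length=1: %zu\n", sack_block_count_naive(1));
    tcpopt_status st = tcp_parse_options(opts_ok, sizeof opts_ok, &g_tcp);
    printf("opts_ok    -> %d, mss=%u, sack blocks=%zu\n", st, g_tcp.mss, g_tcp.count);
    printf("opts_len1  -> %d\n", tcp_parse_options(opts_len1, sizeof opts_len1, &g_tcp));
    printf("opts_over  -> %d\n", tcp_parse_options(opts_over, sizeof opts_over, &g_tcp));
    printf("opts_nolen -> %d\n", tcp_parse_options(opts_nolen, sizeof opts_nolen, &g_tcp));
    return 0;
}
```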
Weakness
Out-of-bounds Read (CWE-125)
Summary

When processing a DHCP OFFER message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions.

Source
cert-portal.siemens.com 
Weakness
Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
Summary

When processing a DHCP ACK message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions.

Source
cert-portal.siemens.com 
Weakness
Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
Summary

The DHCP client application does not validate the length of the Domain Name Server IP option(s) (0x06) when processing DHCP ACK packets. This may lead to Denial-of-Service conditions.

Source
cert-portal.siemens.com 
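
The DHCP OFFER/ACK Vendor option and Domain Name Server option (0x06) entries above, together with the Hostname entry earlier in this list, are length-validation failures in one TLV parser. The following C option parser is an added example for this advisory, not Nucleus or WAGO code; the option bytes are constructed, the status codes and structure names are assumptions, and the vendor option is assumed to be option 43 (the entries do not name its code). It checks every declared length against the remaining buffer before touching the value, requires the DNS option to be a non-empty multiple of 4 bytes, and NUL-terminates the hostname itself rather than trusting the sender to.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    DHCP_OK = 0,
    DHCP_ERR_TRUNC,     /* an option's declared length runs past the buffer */
    DHCP_ERR_BAD_LEN,   /* length is wrong for a fixed-format option */
    DHCP_ERR_NO_END     /* buffer ended without an END (255) option */
} dhcp_status;

typedef struct {
    uint8_t        msg_type;       /* option 53 */
    char           hostname[64];   /* option 12, always NUL-terminated here */
    uint32_t       dns[4];         /* option 6 */
    size_t         dns_count;
    const uint8_t *vendor;         /* option 43 (assumed), kept opaque */
    uint8_t        vendor_len;
} dhcp_opts;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* opt/len is the options field that follows the 4-byte magic cookie. Each
 * option is Code, Length, Value; PAD (0) and END (255) carry no length. */
dhcp_status dhcp_parse_options(const uint8_t *opt, size_t len, dhcp_opts *out)
{
    memset(out, 0, sizeof *out);
    size_t i = 0;
    while (i < len) {
        uint8_t code = opt[i++];
        if (code == 0)   continue;                  /* PAD */
        if (code == 255) return DHCP_OK;            /* END */
        if (i >= len)    return DHCP_ERR_TRUNC;     /* Code present, Length byte missing */
        uint8_t olen = opt[i++];
        /* The check the OFFER/ACK entries describe as missing: the declared
         * value length must fit in what is left of the received buffer. */
        if (olen > len - i) return DHCP_ERR_TRUNC;
        const uint8_t *val = opt + i;
        switch (code) {
        case 53:    /* DHCP Message Type: exactly one byte */
            if (olen != 1) return DHCP_ERR_BAD_LEN;
            out->msg_type = val[0];
            break;
        case 12: {  /* Host Name: not NUL-terminated on the wire (the CWE-170 entry) */
            size_t n = olen < sizeof out->hostname - 1 ? olen : sizeof out->hostname - 1;
            memcpy(out->hostname, val, n);
            out->hostname[n] = '\0';  /* we terminate; we never assume the sender did */
            break;
        }
        case 6:     /* Domain Name Server: a non-empty multiple of 4 bytes */
            if (olen == 0 || olen % 4 != 0) return DHCP_ERR_BAD_LEN;
            for (size_t k = 0; k < olen && out->dns_count < 4; k += 4)
                out->dns[out->dns_count++] = be32(val + k);
            break;
        case 43:    /* Vendor Specific Information: pass on (pointer, length), never a bare pointer */
            out->vendor = val;
            out->vendor_len = olen;
            break;
        default:    /* unknown option: skipped by its validated length */
            break;
        }
        i += olen;
    }
    return DHCP_ERR_NO_END;
}

/* Constructed option fields (not captured traffic). */
static const uint8_t offer_ok[] = {
    53, 1, 2,                               /* DHCPOFFER */
    12, 4, 'p', 'l', 'c', '1',              /* Host Name, no NUL on the wire */
    6, 8, 192, 168, 1, 1, 192, 168, 1, 2,   /* two DNS servers */
    43, 3, 0x01, 0x02, 0x03,                /* vendor-specific blob */
    255 };
static const uint8_t ack_bad_dns[] = { 53, 1, 5, 6, 6, 10, 0, 0, 1, 10, 0, 255 };  /* DNS length 6 */
static const uint8_t ack_trunc[]   = { 53, 1, 5, 12, 40, 'h', 'o', 's', 't' };       /* claims 40, has 4 */
static const uint8_t ack_no_end[]  = { 53, 1, 5, 12, 4, 'h', 'o', 's', 't' };        /* well-formed, no END */

static dhcp_opts g_opts;

int main(void)
{
    dhcp_status st = dhcp_parse_options(offer_ok, sizeof offer_ok, &g_opts);
    printf("offer_ok    -> %d, type=%u, host=\"%s\", dns=%zu, vendor=%u bytes\n",
           st, g_opts.msg_type, g_opts.hostname, g_opts.dns_count, g_opts.vendor_len);
    printf("ack_bad_dns -> %d\n", dhcp_parse_options(ack_bad_dns, sizeof ack_bad_dns, &g_opts));
    printf("ack_trunc   -> %d\n", dhcp_parse_options(ack_trunc, sizeof ack_trunc, &g_opts));
    printf("ack_no_end  -> %d\n", dhcp_parse_options(ack_no_end, sizeof ack_no_end, &g_opts));
    return 0;
}
```

A client that drops the whole message on the first malformed option, as this parser does, also gives the mitigation "discard DHCP responses from non-authorized servers" a cheap first filter: a rogue or fuzzing server cannot get a partially parsed lease applied.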
Weakness
Access of Resource Using Incompatible Type (‘Type Confusion’) (CWE-843)
Summary

A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) ...

Source
cert-portal.siemens.com 

Impact

The reported vulnerabilities allow an attacker who has network access to the device and is able to exploit them to manipulate and disrupt the device. Please consult the CVE entries listed above for more details.

Solution

Remediation

For fieldbus couplers:

  • 750-332
  • 750-362/xxx-xxx
  • 750-363/xxx-xxx
  • 750-364/xxx-xxx
  • 750-365/xxx-xxx

For PLCs:

  • 750-823
  • 750-832/xxx-xxx
  • 750-862
  • 750-890/xxx-xxx
  • 750-891
  • 750-893

We recommend that all affected users update to the firmware versions listed below:

Article Number       Fixed in Firmware Version   Availability
750-823              >=FW10                      January 2022
750-832/000-00x      >=FW10                      After BACnet certification
750-862              >=FW10                      January 2022
750-890/xxx-xxx      >=FW10                      January 2022
750-891              >=FW10                      January 2022
750-893              >=FW10                      January 2022
750-332              >=FW10                      After BACnet certification
750-362/xxx-xxx      >=FW10                      January 2022
750-363/xxx-xxx      >=FW10                      January 2022
750-364/xxx-xxx      >=FW10                      January 2022
750-365/xxx-xxx      >=FW10                      January 2022

Mitigation

  1. Use general security best practices to protect systems from local and network attacks.
  2. Do not allow direct access to the device from untrusted networks.
  3. Update to the latest firmware according to the table in the Solution section.
  4. Disable DHCP and DNS, and disable or block the FTP service (TCP port 21).
  5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].

For fieldbus couplers:

  • 750-331
  • 750-352/xxx-xxx

For PLCs:

  • 750-829
  • 750-831/xxx-xxx
  • 750-852
  • 750-880/xxx-xxx
  • 750-881
  • 750-889

The fieldbus couplers and PLCs listed above are based on Nucleus RTOS V1. No update is currently available for this version. For this reason, and in line with the recommendations of the BSI, WAGO recommends implementing the following measures:

1. Enforce segmentation controls and proper network hygiene to reduce the risk posed by vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP and DNS, especially on critical network segments.
5. Please check regularly https://cert.vde.com/de/ for an update of this Advisory.

Reported by

These vulnerabilities were reported by

  • Yuval Halaban, Uriel Malin, and Tal Zohar from Medigate
  • Daniel dos Santos, Amine Amri, and Stanislav Dashevskyi from Forescout Technologies

Coordination with WAGO done by CERT@VDE.