| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| 750-331 | <= FW16 | |
| 750-332 | <= FW09 | |
| 750-352/xxx-xxx | <= FW16 | |
| 750-362/xxx-xxx | <= FW09 | |
| 750-363/xxx-xxx | <= FW09 | |
| 750-364/xxx-xxx | <= FW09 | |
| 750-365/xxx-xxx | <= FW09 | |
| 750-823 | <= FW09 | |
| 750-829 | <= FW16 | |
| 750-831/000-00x | <= FW14 | |
| 750-832/000-00x | <= FW09 | |
| 750-852 | <= FW16 | |
| 750-862 | <= FW09 | |
| 750-880/0xx-xxx | <= FW16 | |
| 750-881 | <= FW16 | |
| 750-882 | <= FW16 | |
| 750-885/0xx-xxx | <= FW16 | |
| 750-889 | <= FW16 | |
| 750-890/0xx-xxx | <= FW09 | |
| 750-891 | <= FW09 | |
| 750-893 | <= FW09 |
Multiple vulnerabilities were reported in the Nucleus Real-Time Operating System (RTOS). The Nucleus RTOS is an essential component in several WAGO PLCs and fieldbus coupler. WAGO uses older Versions of the Nucleus RTOS also in legacy products.
For additional information please consult the official Siemens advisory:
• Advisory SSA-044112
FTP server does not properly validate the length of the “USER” command, leading to stack-based
buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.
The DHCP client application assumes that the data supplied with the “Hostname” DHCP option is
NULL terminated. In cases when global hostname variable is not defined, this may lead to Out-ofbound ...
FTP server does not properly validate the length of the “MKD/XMKD” command, leading to stackbased buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.
FTP server does not properly validate the length of the “PWD/XPWD” command, leading to stackbased buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.
The total length of an ICMP payload (set in the IP header) is unchecked. This may lead to various
side effects, including Information Leak and Denial-of-Service conditions, depending on the network
buffer ...
The total length of an TCP payload (set in the IP header) is unchecked. This may lead to various side
effects, including Information Leak and Denial-of-Service conditions, depending on the network ...
The total length of an UDP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on a ...
Malformed TCP packets with a corrupted SACK option leads to Information Leaks and Denial-ofService conditions.
When processing a DHCP OFFER message, the DHCP client application does not validate the length
of the Vendor option(s), leading to Denial-of-Service conditions.
When processing a DHCP ACK message, the DHCP client application does not validate the length of
the Vendor option(s), leading to Denial-of-Service conditions.
The DHCP client application does not validate the length of the Domain Name Server IP option(s)
(0x06) when processing DHCP ACK packets. This may lead to Denial-of-Service conditions.
A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) ...
The reported vulnerabilities allow an attacker who has access to the device and is able to exploit the vulnerabilities, to manipulate and disrupt the device. Please consult the CVE entries listed above for more details.
WAGO devices are not affected by CVE-2021-31885.
Vulnerable to all vulnerabilities listed above:
750-829, 750-831/000-00x, 750-852, 750-880/0xx-xxx, 750-881, 750-882, 750-885/0xx-xxx, 750-889, 750-331, 750-352/xxx-xxx
Vulnerable only to CVE-2021-31344, CVE-2021-31346, CVE-2021-31890:
750-823, 750-832/000-00x, 750-862, 750-890/0xx-xxx, 750-891, 750-893, 750-332, 750-362/xxx-xxx, 750-363/xxx-xxx, 750-364/xxx-xxx, 750-365/xxx-xxx
Remediation
For fieldbus coupler:
For PLCs:
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification |
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification |
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
Mitigation
For fieldbus coupler:
For PLCs:
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://cert.vde.com/de/ for an update of this Advisory.
These vulnerabilities were reported by
Coordination with WAGO done by CERT@VDE.