|Article No°||Product Name||Affected Version(s)|
The FTP server does not properly release memory resources that were reserved for incomplete connection attempts by FTP clients. This could allow a remote attacker to generate a denial of service condition on devices that incorporate a vulnerable version of the FTP server.
See also: Siemens Advisory published October 11th, 2022 - SSA-313313
A vulnerability has been identified in Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions), Nucleus Source Code (Versions including affected FTP server). The FTP server does not properly release memory resources that were reserved for incomplete connection attempts by FTP clients. This could allow a remote attacker to generate a denial of service condition on devices that incorporate a vulnerable version of the FTP server.
Abusing this vulnerability an attacker can crash an affected product, which fully prevents the product to work as intended. After a complete restart the component works as expected.
If you enabled the FTP-Server, but you do not need FTP data transfer, you can deactivate the FTP Server over the product settings in the web-based management.
As general security measures strongly WAGO recommends:
Wago recommends all effected users to update to the firmware version listed below:
|Series WAGO 750-3x / -8x|
|Article Number||Fixed Version|
|750-330||Beta FW17 Q1/2023|
|750-332||FW11 after BACnet certification|
|750-829||Beta FW17 Q1/2023|
|750-831/xxx-xxx||Beta FW17 Q1/2023|
|750-832/xxx-xxx||FW11 after BACnet certification|
The vulnerability was reported by Roman Ezhov from Kaspersky.
Coordination done by CERT@VDE.