ID

VDE-2023-007

Published

2023-05-15 10:00 (CEST)

Last update

2023-06-15 07:38 (CEST)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No°          Product Name                     Affected Version(s)
751-9301             Compact Controller CC100         FW20 <= FW22
751-9301             Compact Controller CC100         = FW23
752-8303/8000-002    Edge Controller                  = FW22
750-81xx/xxx-xxx     PFC100                           FW20 <= FW22
750-82xx/xxx-xxx     PFC200                           FW20 <= FW22
750-821x/xxx-xxx     PFC200                           = FW23
762-5xxx             Touch Panel 600 Advanced Line    = FW22
762-6xxx             Touch Panel 600 Marine Line      = FW22
762-4xxx             Touch Panel 600 Standard Line    = FW22

Summary

The “legal information” plugin of the web-based management contained a vulnerability that allowed execution of arbitrary commands with the privileges of the www user.

UPDATE A 15.06.2023:

  • Removed PFC100 with FW23 as affected product and from solution
  • PFC200 with FW23 is only affected on 750-821x/xxx-xxx
  • Renamed "FW22 Patch 1" to "FW22 SP1" to match the versions of the download portal


Last Update:

May 4, 2023, 9:18 a.m.

Weakness

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Summary

In multiple WAGO products, a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration, which can result in unintended behaviour, Denial of Service and full system compromise.


Impact

Exploiting the vulnerability provides arbitrary command execution with privileges of the 'www' user. Via this flaw an attacker can change device configuration, create users or even take over the system.

Solution

Mitigation

As general security measures, WAGO strongly recommends:

  1. Use general security best practices to protect systems from local and network attacks.
  2. Do not allow direct access to the device from untrusted networks.
  3. Update to the latest firmware according to the table in the Solution chapter.
  4. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy.

The BSI provides general information on securing ICS in the ICS Compendium (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/ICS/ICS-Security_compendium.pdf).

Remediation

WAGO recommends that all affected users update to the firmware version listed below:

Article No°          Product Name                     Fixed Version
751-9301             Compact Controller CC100         FW24
752-8303/8000-002    Edge Controller                  FW22 SP1 or higher patch level
752-8303/8000-002    Edge Controller                  FW24
750-81xx/xxx-xxx     PFC100                           FW22 SP1 or higher patch level
750-82xx/xxx-xxx     PFC200                           FW22 SP1 or higher patch level
750-821x/xxx-xxx     PFC200                           FW24
762-5xxx             Touch Panel 600 Advanced Line    FW22 SP1 or higher patch level
762-5xxx             Touch Panel 600 Advanced Line    FW24
762-6xxx             Touch Panel 600 Marine Line      FW22 SP1 or higher patch level
762-6xxx             Touch Panel 600 Marine Line      FW24
762-4xxx             Touch Panel 600 Standard Line    FW22 SP1 or higher patch level
762-4xxx             Touch Panel 600 Standard Line    FW24
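
For triaging an asset inventory against the affected and fixed version tables in this advisory, the following is an added example (not WAGO or CERT@VDE code). The function names, the service-pack parameter and the sample inventory are assumptions made for illustration; "FW20 <= FW22" is read as FW20 through FW22 inclusive.

```python
import re

# Rules transcribed from the advisory tables: (article pattern, product,
# affected FW releases, fixed versions). 'x' matches one character.
# Assumption: "FW20 <= FW22" means FW20 through FW22 inclusive.
RULES = [
    ("751-9301", "Compact Controller CC100", range(20, 24), ["FW24"]),
    ("752-8303/8000-002", "Edge Controller", [22], ["FW22 SP1", "FW24"]),
    ("750-81xx/xxx-xxx", "PFC100", range(20, 23), ["FW22 SP1"]),
    ("750-82xx/xxx-xxx", "PFC200", range(20, 23), ["FW22 SP1"]),
    ("750-821x/xxx-xxx", "PFC200", [23], ["FW24"]),
    ("762-5xxx", "Touch Panel 600 Advanced Line", [22], ["FW22 SP1", "FW24"]),
    ("762-6xxx", "Touch Panel 600 Marine Line", [22], ["FW22 SP1", "FW24"]),
    ("762-4xxx", "Touch Panel 600 Standard Line", [22], ["FW22 SP1", "FW24"]),
]

def triage(article, fw, sp=0):
    """Return (product, fixed versions) if the device is affected, else None."""
    for pattern, product, affected_fw, fixes in RULES:
        regex = re.escape(pattern).replace("x", r"\w")
        if not re.match(regex, article) or fw not in affected_fw:
            continue
        # FW22 SP1 and later patch levels count as fixed only where the
        # advisory lists that fix for the product (assumption: otherwise
        # the patch level is treated as still affected).
        if fw == 22 and sp >= 1 and "FW22 SP1" in fixes:
            continue
        return product, fixes
    return None

# Constructed sample inventory: (article number, FW release, service pack)
INVENTORY = [
    ("750-8212/000-100", 23, 0),
    ("750-8202/000-012", 23, 0),
    ("750-8101/025-000", 23, 0),
    ("752-8303/8000-002", 22, 1),
    ("751-9301", 21, 0),
]

def report(inventory):
    """Return one line per device that still needs a firmware update."""
    lines = []
    for article, fw, sp in inventory:
        hit = triage(article, fw, sp)
        if hit:
            lines.append(f"{article} ({hit[0]}) FW{fw}: update to {' or '.join(hit[1])}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(INVENTORY)))
```

All matching rules are evaluated rather than only the first, because 750-821x devices also fall under the broader 750-82xx pattern and the two rows cover different firmware releases.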

Reported by

The vulnerability was reported by Quentin Kaiser from ONEKEY.
Coordination done by CERT@VDE.