Share: Email | Twitter

ID

VDE-2023-044

Published

2023-12-05 08:00 (CET)

Last update

2023-12-04 08:35 (CET)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No┬░ Product Name Affected Version(s)
Telecontrol Configurator = *
WagoAppRTU < 1.4.6.0

Summary

The Library WagoAppRTU which is part of the Wago Telecontrol Configurator is prone to improper input validation. By sending specifically crafted MMS packets an attacker can trigger a denial-of-service condition.


Last Update:

Dec. 14, 2023, 3:16 p.m.

Weakness

Improper Input Validation  (CWE-20) 

Summary

The MMS Interpreter of WagoAppRTU in versions below 1.4.6.0 which is used by the WAGO Telecontrol Configurator is vulnerable to malformed packets. An remote unauthenticated attacker could send specifically crafted packets that lead to a denial-of-service condition until restart of the affected device.


Impact

Affected devices will stop working after receiving specifically crafted packets until restart.

Solution

Mitigation

  • Restrict network access to the device.
  • Do not directly connect the device to the internet.

Remediation

A fix for WAGO Telecontrol Configurator is contained within the IEC-library WagoAppRTU 1.4.6.0 and available via Wago support. (A new release is planned for the end of the year.)

Reported by

The vulnerability was reported by Sofia Pisani.

Coordination done by CERT@VDE.