With special crafted requests it is possible to get sensitive information, in this case the password hashes, by measuring response delay. With a substantial amount of time this data can be used to calculate the passwords of the Web-Based Management users. In case of CVE 2019-5134 , the password salt can also be extracted.
The communication between e!Cockpit and the programmable logic controller is not encrypted. The broken cryptographic algorithm allows an attacker to decode the password for the e!Cockpit communication and with this to manipulate the application.
The password used by e!Cockpit for authentication against the PLC is encrypted with a hard- coded key. An attacker is able to decrypt the password by listening to the network traffic.
The reported vulnerabilities allow a remote attacker to change the setting, delete the application, set the device to factory defaults, code execution and to cause a system crash or denial of service.
Note(s)
The following products are affected by the listed vulnerabilities:
Series PFC100 (750-81xx/xxx-xxx)
Series PFC200 (750-82xx/xxx-xxx)
The following products are affected by the vulnerability CVE-2019-5078
750-852, 750-831/xxx-xxx, 750-881, 750-880/xxx-xxx, 750-889
750-823, 750-832/xxx-xxx, 750-862, 750-890/xxx-xxx, 750-891
The reported vulnerability allows a remote attacker to check paths and file names that are used in filesystem operations.
Update, 18.9.2019, 18:30
Multiple vulnerabilities have been identified in WAGO 852-303, 852-1305 and 852-1505 industrial managed ethernet switches.
An unauthenticated user can exploit a vulnerability (CVE-2018-12981) to inject code in the WBM via reflected cross-site scripting (XSS), if he is able trick a user to open a special crafted web site. This could allow an attacker to execute code in the context of the user and execute arbitrary commands with restriction to the permissions of the user. Authenticated users can use a vulnerability to inject code in the WBM via persistent cross-site scripting (XSS) via special crafted requests which will be rendered and/or executed in the browser. Authenticated WBM users can transfer arbitrary files to different file system locations (CVE- 2018-12980) to which the web server has the required permissions and partially allowing replacing existing files due weak file permissions (CVE-2018-12979) which can result in an authentication bypass.