Summary
A vulnerability in the web-based management (WBM) of WAGOs programmable logic controller (PLC) could allow an unauthenticated remote attacker to retrieve sensitive information.
Impact
The vulnerability allows a remote, unauthenticated attacker to download a backup file, if one exists. That backup file might contain sensitive information like credentials and cryptographic material. A valid user has to create a backup after the last reboot for this attack to be successfull.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| 750-81xx/xxx-xxx | Series WAGO PFC100 | Firmware FW16 <= FW22 |
| 750-82xx/xxx-xxx | Series WAGO PFC200 | Firmware FW16 <= FW22 |
| 762-5xxx | Series WAGO Touch Panel 600 Advanced Line | Firmware FW16 <= FW22 |
| 762-6xxx | Series WAGO Touch Panel 600 Marine Line | Firmware FW16 <= FW22 |
| 762-4xxx | Series WAGO Touch Panel 600 Standard Line | Firmware FW16 <= FW22 |
| 751-9301 | WAGO Compact Controller CC100 | Firmware FW16 <= FW22 |
| 752-8303/8000-002 | WAGO Edge Controller | Firmware FW16 <= FW22 |
Vulnerabilities
Expand / Collapse allThe vulnerability allows a remote unauthenticated attacker to download a backup file, if one exists. That backup file might contain sensitive information like credentials and cryptographic material. A valid user has to create a backup after the last reboot for this attack to be successfull.
Remediation
Install FW22 Patch 1
Acknowledgments
WAGO GmbH & Co. KG thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://certvde.com )
- Quentin Kaiser from ONEKEY Research Lab for reporting
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 01/12/2023 08:52 | Initial revision. |