WAGO: Multiple vulnerabilities in docker configuration

The PLC Runtime Services property in the Configuration tab allows administrators to modify the CODESYS service configuration, enabling engineers to install applications on the PLC device. This functionality is hidden from regular user profiles in the frontend and is documented as admin-only in the user manual. However, despite the PLC Runtime Services tab being inaccessible to regular users, a low-privileged attacker can bypass this by sending a crafted HTTP request with a valid user session. This allows them to modify the service configuration, potentially disabling the authentication required for the CODESYS V3 service, giving full access to the PLC's application layer. A proof-of-concept demonstrates that a user-level session can successfully modify the PLC Runtime Settings via an HTTP request, disabling CODESYS V3 authentication.

The savesram command in the PLC Shell functionality of the CODESYS framework allows authenticated users to save the device's memory to a backup file on the system. However, this feature does not properly sanitize the user input for the parameter, allowing attackers to specify arbitrary file paths using characters like ../. The server-side daemon appends the .ret extension, so an input like ../../etc/passwd becomes /etc/passwd.ret, which doesn't exist.

The saveretain command in the PLC Shell functionality of the CODESYS framework allows authenticated users to save backup data to a specified file location. However, this functionality does not properly sanitize user input for the parameter, enabling an attacker to specify arbitrary files on the system using special characters like ../. The specified file is then deleted by the CODESYS server-side daemon, resulting in arbitrary file deletion with root privileges. For example, an attacker can specify a critical file like /etc/passwd as ../../etc/passwd, leading to its deletion and causing a permanent denial-of-service. This vulnerability can be exploited by a low-privileged user who, after bypassing CODESYS authentication using a related vulnerability (NN-2024-0071), gains access to the PLC programming framework.

The Boot mode configuration in the Security tab allows an administrator to change the device's boot mode, determining the firmware location to be executed. This functionality is hidden from regular user profiles in the frontend and is documented as admin-only in the user manual. However, although the Security tab is not visible to regular users, a low-privileged attacker can bypass this by sending a crafted HTTP request with a valid user session. This enables them to modify the boot mode configuration, potentially causing a denial-of-service attack or altering the firmware upgrade process. A proof-of-concept shows that a user-level session can successfully modify the boot configuration mode through a crafted HTTP request.

The BACNet Configuration property in the Fieldbus tab allows administrators to configure the BACNet service, including enabling, disabling, and modifying its properties. While the web interface correctly restricts low-privileged users by displaying this tab as read-only, as only administrators should be able to change the BACNet service according to the user manual, this restriction is not enforced on the underlying Linux operating system. As a result, an attacker with user-level access can modify the BACNet configuration through an SSH shell, exploiting weak system permissions.

The restoresram command in the PLC Shell functionality of the CODESYS framework allows authenticated users to restore the device's memory from a backup file on the system. However, this functionality does not properly sanitize the user input for the parameter, allowing an attacker to specify arbitrary file paths using special characters like ../. The server-side CODESYS daemon appends the .ret extension to the specified file, so input like ../../etc/passwd becomes /etc/passwd.ret, which doesn't exist.

The Network Capture feature in the Diagnostic tab allows administrators to enable or disable the capture of network traffic for diagnostic purposes. Since the Wago PLC device supports unencrypted communication protocols like HTTP and FTP, captured traffic may include sensitive information such as login credentials. According to the user manual, only administrators should have access to download and analyze this data. However, the captured traffic is stored in a publicly readable directory (/var/tmp/pcap) with weak permissions, as shown in the example where the file is saved with -rw-r--r-- permissions. This allows any user with SSH access, including low-privileged users, to read and download the file. The vulnerability allows low-privileged users to bypass access controls, download network traffic data, and extract sensitive information such as administrator credentials, as demonstrated in a proof-of-concept involving a password reset captured via HTTP.

The Docker settings within the Configuration tab allow an administrator to enable or disable the Docker service on the device. This functionality is hidden from regular user profiles in the frontend and is documented as an admin-only feature in the user manual. However, although the Docker Settings tab is shown as read-only for regular users, a low-privileged attacker can bypass this by sending a crafted HTTP request with a valid user session. This allows them to modify the Docker service configuration, potentially causing a denial-of-service attack on certain services within a Docker container. A proof-of-concept demonstrates how a user-level session can successfully modify the Docker settings via an HTTP request.