Apache Log4j is used for logging events in WAGO Smart Script in Version 4.2 and higher. Events logged by Log4j can contain JNDI references. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. Additionally, Log4j does not protect from self-referential lookups, which can lead to Denial of Service.
UPDATE A1/2:
Affected versions:
CVE-2021-44228 and CVE-2021-45046:
WAGO Smart Script >= Version 4.2 and < Version 4.8.1.3
CVE-2021-45105:
WAGO Smart Script >= Version 4.2 and < Version 4.8.1.4
CVE-2021-44832
WAGO Smart Script >= Version 4.2 and < Version 4.8.1.5
END UPDATE A1/2
An issue was discovered in the myREX24 and myREX24-virtual software in all versions through V2.9.0.
Multiple Vulnerabilities in a software service of shDIALUP can lead to arbitrary code execution due to improper privilege management.
Update A, 2022-03-28
Multiple vulnerabilities were reported in CODESYS 2.3 Runtime. The CODESYS 2.3 Runtime is an essential component in several WAGO PLCs. All vulnerable PLCs are listed in chapter ‘Affected Products’.
https://www.codesys.com/security/security-reports.html
A Denial-of-Service Vulnerability was reported in CODESYS 2.3 Runtime. The CODESYS 2.3 Runtime is an essential component in several WAGO PLC’s. All vulnerable PLCs are listed in chapter ‘Affected Products’.
https://www.codesys.com/security/security-reports.html
Multiple vulnerabilities were reported in the Nucleus Real-Time Operating System (RTOS). The Nucleus RTOS is an essential component in several WAGO PLCs and fieldbus coupler. WAGO uses older Versions of the Nucleus RTOS also in legacy products.
For additional information please consult the official Siemens advisory:
• Advisory SSA-044112
Cross-site scripting in web-based management and memory leak in the remote logging function of FL MGUARD 1102 and FL MGUARD 1105.
CVE-2021-34582:
The file upload functionality in the web-based management is affected by a stored cross-site scripting vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation). An authenticated FL MGUARD user with Admin or Super Admin role can upload a certificate file on the Basic settings > LDAP page, on the Logs > Remote logging page, or through the REST API. The content of this file is embedded into the corresponding web page, and any
HTML code within the file is rendered when the page is viewed by the same or a different authenticated user.
CVE-2021-34598:
The remote logging functionality is impaired by the lack of memory release for data structures from syslog-ng when remote logging is active (CWE-770: Allocation of Resources Without Limits or Throttling).
Through specific nodes of the server configuration interface of the TwinCAT OPC UA Server administrators are able to remotely create and delete any files on the system which the server is running on, though this access should have been restricted to specific directories. In case that configuration interface is combined with not recommended settings to allow anonymous access via the TwinCAT OPC UA Server then this kind of file access is even possible for any unauthenticated user from remote.