VDE-2022-047 | CERT@VDE

2022-10-12 10:00 (CEST) VDE-2022-047

WAGO: FTP-Server - Denial-of-Service

Share: Email | Twitter

ID

VDE-2022-047

Published

2022-10-12 10:00 (CEST)

Last update

2022-10-12 11:50 (CEST)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No°	Product Name	Affected Version(s)
750-330	750-330	<= FW13
750-332	750-332	<= FW10
750-352/xxx-xxx	750-352/xxx-xxx	<= FW14
750-362/xxx-xxx	750-362/xxx-xxx	<= FW10
750-363/xxx-xxx	750-363/xxx-xxx	<= FW10
750-364/xxx-xxx	750-364/xxx-xxx	<= FW10
750-365/xxx-xxx	750-365/xxx-xxx	<= FW10
750-823	750-823	<= FW10
750-829	750-829	<= FW13
750-831/xxx-xxx	750-831/xxx-xxx	<= FW13
750-832/xxx-xxx	750-832/xxx-xxx	<= FW10
750-852	750-852	<= FW16
750-862	750-862	<= FW10
750-880/xxx-xxx	750-880/xxx-xxx	<= FW16
750-881	750-881	<= FW16
750-882	750-882	<= FW16
750-885/xxx-xxx	750-885/xxx-xxx	<= FW16
750-889	750-889	<= FW16
750-890/xxx-xxx	750-890/xxx-xxx	<= FW10
750-891	750-891	<= FW10
750-893	750-893	<= FW10

Summary

The FTP server does not properly release memory resources that were reserved for incomplete connection attempts by FTP clients. This could allow a remote attacker to generate a denial of service condition on devices that incorporate a vulnerable version of the FTP server.
See also: Siemens Advisory published October 11th, 2022 - SSA-313313

CVE ID

CVE-2022-38371

Last Update:

17. November 2022 11:18

Severity

7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Weakness

Uncontrolled Resource Consumption (CWE-400)

Summary

A vulnerability has been identified in Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions), Nucleus Source Code (Versions including affected FTP server). The FTP server does not properly release memory resources that were reserved for incomplete connection attempts by FTP clients. This could allow a remote attacker to generate a denial of service condition on devices that incorporate a vulnerable version of the FTP server.

Details

nvd.nist.gov

Impact

Abusing this vulnerability an attacker can crash an affected product, which fully prevents the product to work as intended. After a complete restart the component works as expected.

Solution

Mitigation

If you enabled the FTP-Server, but you do not need FTP data transfer, you can deactivate the FTP Server over the product settings in the web-based management.

As general security measures strongly WAGO recommends:

Use general security best practices to protect systems from local and network attacks.
Do not allow direct access to the device from untrusted networks.
Update to the latest firmware according to the table in chapter solutions.
4. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy.
The BSI provides general information on securing ICS in the ICS Compendium (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/ICS/ICS-Security_compendium.pdf).

Solution

Wago recommends all effected users to update to the firmware version listed below:

Series WAGO 750-3x / -8x
Article Number	Fixed Version
750-330	Beta FW17 Q1/2023
750-332	FW11 after BACnet certification
750-352/xxx-xxx	FW17 Q1/2023
750-362/xxx-xxx	FW11 Q1/2023
750-363/xxx-xxx	FW11 Q1/2023
750-364/xxx-xxx	FW11 Q1/2023
750-365/xxx-xxx	FW11 Q1/2023
750-823	FW11 Q1/2023
750-829	Beta FW17 Q1/2023
750-831/xxx-xxx	Beta FW17 Q1/2023
750-832/xxx-xxx	FW11 after BACnet certification
750-852	FW17 Q1/2023
750-862	FW11 Q1/2023
750-880/xxx-xxx	FW17 Q1/2023
750-881	FW17 Q1/2023
750-882	FW17 Q1/2023
750-885/xxx-xxx	FW17 Q1/2023
750-889	FW17 Q1/2023
750-890/xxx-xxx	FW11 Q1/2023
750-891	FW11 Q1/2023
750-893	FW11 Q1/2023

Reported by

The vulnerability was reported by Roman Ezhov from Kaspersky.
Coordination done by CERT@VDE.