Share: Email | Twitter

ID

VDE-2024-072

Published

2024-12-03 12:00 (CET)

Last update

2024-12-02 09:23 (CET)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
Basic Controller 0750-8001 <= 01.03.03 (FW3)
Basic Controller 0751-8000 <= 01.03.03 (FW3)

Summary

The following firmware versions installed on several devices are vulnerable due to a vulnerability in the CODESYS Control V3 web server.


Last Update:

2. Dezember 2024 11:19

Weakness

Improper Check for Unusual or Exceptional Conditions  (CWE-754) 

Summary

An unauthenticated remote attacker can causes the CODESYS web server to access invalid memory which results in a DoS.


Impact

The configuration UI called web based management is part of the Control runtime system and is also used for the visualization of running applications. Because the web server does not correctly check the return value of an underlying function, it reacts in a wrong way to specifically crafted TLS packets that are received via an HTTPS connection. This causes the web server to access invalid memory and the web server task to crash.

Solution

Remediation

Update to Firmware version 01.04.07 (FW4).

Reported by

CERT@VDE coordinated with WAGO GmbH & Co. KG