The Web-Based Management (WBM) of WAGOs programmable logic controller (PLC) is typically used for administration, commissioning and updates.
The configuration backend can in some cases be used without authentication and to write data with root privileges. Additionally, the web-based management suffers a CORS misconfiguration and allows reflected XSS (Cross-Site Scripting) attacks.
An unknown and undocumented configuration interface with limited functionality was identified on the affected devices.
A new LTS Firmware release fixes known vulnerabilities in used open-source libraries.
In addition, the following improvements have been implemented:
HMI
- Hardening against DoS attacks.
- Hardening against memory leak problems in case of network attacks.
WBM
- Umlauts in the password of the “User Manager” were not handled correctly. The password rule for upper and lower case was not followed. This could lead to unintentionally weaker passwords.
- Hardening of WBM against Cross-Site-Scripting.
User Manager
- In security notifications “SecurityToken” was always displayed as “0000000” when creating or modifying users.
- Hardening of Trust and Identity Stores.