Summary
Pepperl+Fuchs analyzed WirelessHART-Gateways in respect of a critical vulnerability within the Firmware. An attacker may exploit this vulnerability to get access to files and access restricted directories that are stored on the device by manipulating file parameters that reference these. Incoming HTTP requests using fcgi-bin/wgsetcgi and a filename parameter allow a directory / path traversal. A publicly available exploit already exists for this vulnerability.
Impact
Successful vulnerability exploitation enables remote, unauthenticated attackers to gain unauthorized access to arbitrary files on WirelessHART-Gateways. This includes applications, data, credentials and sensitive operating system files.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| WHA-GW-*-ETH | Firmware <03.00.08 | |
| WHA-GW-*-ETH.EIP | Firmware <02.00.01 |
Vulnerabilities
Expand / Collapse allEndress+Hauser WirelessHART Fieldgate SWG70 3.x devices allow Directory Traversal via the fcgi-bin/wgsetcgi filename parameter.
Remediation
A Firmware (version see table below), which solves the problem, is available.
Please contact your support representative for this particular firmware package and update the corresponding product.
| Product ID | Version | Bus-Interface of Device |
|---|---|---|
| WHA-GW-*-ETH | 03.00.08 | Modbus |
| WHA-GW-*-ETH.EIP | 02.00.01 | Ethernet/IP |
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 06.03.2019 11:35 | Initial revision. |
| 2 | 06.11.2024 12:27 | Fix: correct certvde domain, added self-reference |
| 3 | 12.03.2025 14:00 | Fix: Version, Remediation |
| 4 | 14.05.2025 15:00 | Fix: added distribution |