Summary
WAGO PLCs use Linux as their operating system and offer ambitious users the opportunity to make their own modifications to expand the functionality of the PLC. For this reason, the pppd daemon is also part of the operating system, but it is not activated in the default configuration of the WAGO firmware.
The reported vulnerability is only exploitable if the customer has manually activated the pppd daemon in their own configuration. If the customer's application uses the pppd daemon, an unauthenticated remote attacker could cause memory corruption in the pppd process by sending an unsolicited EAP packet, which may allow for arbitrary code execution.
Impact
By sending an unsolicited EAP packet to a vulnerable ppp client or server, an unauthenticated remote attacker could cause memory corruption in the pppd process, which may allow for arbitrary code execution. See the IOActive Security Advisory.
Affected Product(s)
Model no. | Product name | Affected versions |
---|---|---|
750-81xx/xxx-xxx | WAGO Hardware PFC100 | WAGO Software <FW16 |
750-82xx/xxx-xxx | WAGO Hardware PFC200 | WAGO Software <FW16 |
Vulnerabilities
eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.
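To illustrate the class of bounds-check error that produces a hostname buffer overflow of this kind, the following added example (not code from this advisory or from the ppp project) models a length guard that compares the wrong quantities next to a hardened copy. The function names, the 256-byte buffer size and the sample packet are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 256 /* assumed size of the fixed peer-name buffer */

/* Flawed guard, modelled without copying: returns how many bytes a copy
 * behind this check would write. Once vallen <= len is enforced, vallen can
 * never reach len + NAME_BUF, so the trimming branch is dead code. */
static size_t bytes_written_flawed(size_t vallen, size_t len)
{
    if (vallen >= len + NAME_BUF)
        return NAME_BUF;           /* trimmed copy: unreachable */
    return (len - vallen) + 1;     /* name plus '\0', no upper bound */
}

/* Hardened form: bound the name length itself before copying.
 * Returns the stored name length, or -1 for a malformed packet. */
static int copy_peer_name(const unsigned char *inp, size_t len,
                          size_t vallen, char out[NAME_BUF])
{
    size_t namelen;

    if (inp == NULL || vallen > len)
        return -1;
    namelen = len - vallen;
    if (namelen >= NAME_BUF)
        namelen = NAME_BUF - 1;    /* trim over-long names */
    memcpy(out, inp + vallen, namelen);
    out[namelen] = '\0';
    return (int)namelen;
}

int main(void)
{
    unsigned char pkt[316];        /* constructed: 16-byte value + 300-byte name */
    char name[NAME_BUF];

    memset(pkt, 'A', sizeof pkt);
    printf("flawed guard would write %zu bytes into %d\n",
           bytes_written_flawed(16, sizeof pkt), NAME_BUF);
    printf("hardened copy stored %d bytes\n",
           copy_peer_name(pkt, sizeof pkt, 16, name));
    return 0;
}
```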
Remediation
If the pppd daemon is activated, update the device to firmware 16.
Revision History
Version | Date | Summary |
---|---|---|
1 | 10.06.2020 12:00 | Initial revision. |
2 | 06.11.2024 12:27 | Fix: correct certvde domain, added alias, added self-reference |
3 | 14.05.2025 14:28 | Fix: firmware category, version space, added distribution |