Summary
The Library WagoAppRTU which is part of the Wago Telecontrol Configurator is prone to improper input validation. By sending specifically crafted MMS packets an attacker can trigger a denial-of-service condition.
Impact
Affected devices will stop working after receiving specifically crafted packets until restart.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| Telecontrol Configurator vers:all/* | Telecontrol Configurator vers:all/* | |
| WagoAppRTU < 1.4.6.0 | WagoAppRTU < 1.4.6.0 |
Vulnerabilities
Expand / Collapse allThe MMS Interpreter of WagoAppRTU in versions below 1.4.6.0 which is used by the WAGO Telecontrol Configurator is vulnerable to malformed packets. An remote unauthenticated attacker could send specifically crafted packets that lead to a denial-of-service condition until restart of the affected device.
Mitigation
Restrict network access to the device.
Do not directly connect the device to the internet.
Remediation
A fix for WAGO Telecontrol Configurator is contained within the IEC-library WagoAppRTU 1.4.6.0 and available via Wago support. (A new release is planned for the end of the year.)
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 05.12.2023 08:00 | Initial revision. |