WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro

Multiple vulnerabilities were reported in WIBU-SYSTEMS Codemeter. WIBU-SYSTEMS Codemeter is installed by default during e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installations. All currently existing e!COCKPIT installation bundles and WAGO-I/O-Pro (CODESYS 2.3) installation bundles with Version 2.3.9.46, 2.3.9.47, 2.3.9.49, 2.3.9.53, 2.3.9.55, 2.3.9.61 and 2.3.9.66 contain vulnerable versions of WIBU-SYSTEMS Codemeter.


CVE-2021-20093: 9.1
CVE-2021-20094: 7.5

WAGO: Web-Based Management Authentication Vulnerability in WAGO 750-36X and WAGO 750-8XX

The Web-Based Management (WBM) of WAGOs programmable logic controller (PLC) is typically used for administration, commissioning and updates.
With special crafted requests it is possible to read and write some special parameters without authentication.
This vulnerability is different to advisory SAV-2020-014 / VDE-2020-028.


CVE-2021-34578: 8.1

WAGO: OpenSSL DoS Vulnerability in PLCs

WAGO controllers have always been designed for easy connection to IT infrastructure. Even controllers from legacy product lines support encryption standards to ensure secure communication.
With special crafted requests it is possible to bring the device out of operation.
All listed devices are vulnerable for this denial of service attack.


CVE-2021-34581: 7.5

WAGO: Multiple Vulnerabilities in I/O-Check Service

Multiple vulnerabilities in the WAGO I/O-Check Service were reported.


CVE-2021-34569: 9.8
CVE-2021-34566: 9.1
CVE-2021-34567: 8.2
CVE-2021-34568: 7.5

WAGO: Multiple Vulnerabilities in CODESYS Runtime 2.3

Multiple vulnerabilities were reported in CODESYS 2.3 Runtime. The CODESYS 2.3 Runtime is an essential component in several WAGO PLC’s.


CVE-2021-30192: 9.8
CVE-2021-30193: 9.8
CVE-2021-30188: 9.8
CVE-2021-30189: 9.8
CVE-2021-30190: 9.8
CVE-2021-30194: 9.1
CVE-2021-30195: 7.5
CVE-2021-30186: 7.5
CVE-2021-30191: 7.5
CVE-2021-21000: 7.5
CVE-2021-21001: 6.5
CVE-2021-30187: 5.3

WAGO: Multiple Vulnerabilities in the Web-Based Management Interface

The Web-Based Management (WBM) of WAGOs industrial managed switches is typically used for administration, commissioning and updates.

The reported vulnerabilities allow an attacker with access to the device and the Web-Based Management, to install malware, access to password hashes and create user with admin credentials.


CVE-2021-20998: 9.8
CVE-2021-20995: 7.5
CVE-2021-20997: 7.5
CVE-2021-20994: 6.1
CVE-2021-20993: 5.3
CVE-2021-20996: 5.3

WAGO: Command Injection Vulnerability in I/O-Check Service of multiple products

The reported vulnerability allows an attacker who has network access to the device to execute code with specially crafted packets.


CVE-2020-12522: 9.8

WAGO: PLC families 750-88x and 750-352 prone to DoS attack, versions < FW10 (Update A)

The Web-Based Management (WBM) of WAGOs programmable logic controller (PLC) is typically used for administration, commissioning and updates.
Older firmware versions of the PLC family 750-88x and 750-352 are vulnerable for a special denial of service attack.

All newer Firmware releases since FW11, released in December 2017, are not affected.

UPDATE A

Additional, affected devices:

  • 750-331/xxx-xxx
  • 750-829
  • 750-882
  • 750-885


CVE-2020-12516: 7.5

Feeds

Nach Hersteller

Archiv

2024
2023
2022
2021
2020
2019
2018
2017

Legende

(Scoring für CVSS 2.0,3.0+3.1)
keine
Kein CVE verfügbar
Niedrig
0.1 <= 3.9
Mittel
4.0 <= 6.9
Hoch
7.0 <= 8.9
Kritisch
9.0 <= 10.0