ID

VDE-2018-010

Published

2018-07-10 11:50 (CEST)

Last update

2018-07-10 11:50 (CEST)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No. | Product Name | Affected Version(s)
762-3000 | e!DISPLAY | < FW02
762-3001 | e!DISPLAY | < FW02
762-3002 | e!DISPLAY | < FW02
762-3003 | e!DISPLAY | < FW02

Summary

An unauthenticated user can exploit a vulnerability (CVE-2018-12981) to inject code into the WBM via reflected cross-site scripting (XSS) if they are able to trick a user into opening a specially crafted web site. This could allow an attacker to execute code in the context of the user and execute arbitrary commands, restricted to the permissions of the user. Authenticated users can use a vulnerability to inject code into the WBM via persistent cross-site scripting (XSS) using specially crafted requests, which will be rendered and/or executed in the browser. Authenticated WBM users can transfer arbitrary files to different file system locations (CVE-2018-12980) to which the web server has the required permissions, and can partially replace existing files due to weak file permissions (CVE-2018-12979), which can result in an authentication bypass.

Vulnerabilities



Last Update
Jan. 31, 2020, 3:21 p.m.
Weakness
Unrestricted Upload of File with Dangerous Type (CWE-434)
Summary
An issue was discovered on WAGO e!DISPLAY 762-3000 through 762-3003 devices with firmware before FW 02. The vulnerability allows an authenticated user to upload arbitrary files to the file system with the permissions of the web server.
Last Update
Jan. 31, 2020, 3:21 p.m.
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary
An issue was discovered on WAGO e!DISPLAY 762-3000 through 762-3003 devices with firmware before FW 02. The vulnerability can be exploited by authenticated and unauthenticated users by sending specially crafted requests to the web server, allowing code to be injected into the WBM. The code will be rendered and/or executed in the user's browser.
Last Update
Jan. 31, 2020, 3:20 p.m.
Weakness
Incorrect Permission Assignment for Critical Resource (CWE-732)
Summary
An issue was discovered on WAGO e!DISPLAY 762-3000 through 762-3003 devices with firmware before FW 02. Weak permissions allow an authenticated user to overwrite critical files by abusing the unrestricted file upload in the WBM.

Impact

This advisory is based upon the report of SEC Consult.

CVE-2018-12981

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Severity: 8.0 (CVSS:3.0:AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

The vulnerability can be exploited by authenticated and unauthenticated users by sending specially crafted requests to the web server, allowing code to be injected into the WBM. The code will be rendered and/or executed in the user's browser.

CVE-2018-12980

Unrestricted Upload of File with Dangerous Type (CWE-434)

Severity: 8.0 (CVSS:3.0:AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

The vulnerability allows an authenticated user to upload arbitrary files to the file system with the permissions of the web server.

CVE-2018-12979

Incorrect Permission Assignment for Critical Resource (CWE-732)

Severity: 7.5 (CVSS:3.0:AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Weak permissions allow an authenticated user to overwrite critical files by abusing the unrestricted file upload in the WBM.

Solution

Update your device to the latest firmware (FW 02). If this is not feasible, limit access to trusted users and devices.

For details on how to obtain the new firmware, please send a request by email to support@wago.com.

Reported by

T. Weber of SEC-Consult found multiple vulnerabilities in WAGO e!DISPLAY devices and reported them to CERT@VDE.

CERT@VDE coordinated this release with WAGO and SEC-Consult.

Reference URLs

SEC-Consult Advisory: Link
WAGO Advisory: Link