Coordination done by CERT@VDE.
Article No° | Product Name | Affected Version(s)
---|---|---
750-81xx/xxx-xxx | PFC100 | FW05 to FW14
750-82xx/xxx-xxx | PFC200 | FW05 to FW14
762-4xxx | | FW05 to FW14
762-5xxx | | FW05 to FW14
762-6xxx | | FW05 to FW14
With specially crafted requests it is possible to obtain sensitive information, in this case the password hashes, by measuring the response delay of the authentication handler. Given enough time, this data can be used offline to recover the passwords of the Web-Based Management users. In the case of CVE-2019-5134, the password salt can also be extracted.
An exploitable vulnerability caused by a regular expression without anchors exists in the Web-Based Management (WBM) authentication functionality of WAGO PFC200 versions 03.00.39(12) and 03.01.07(13), and WAGO PFC100 version 03.00.39(12). A specially crafted authentication request can bypass the regular expression filters, resulting in sensitive information disclosure.
An exploitable timing discrepancy vulnerability exists in the authentication functionality of the Web-Based Management (WBM) web application on WAGO PFC100/200 controllers. The WBM application makes use of the PHP crypt() function in a way that can be exploited to disclose hashed user credentials. This affects WAGO PFC200 firmware versions 03.00.39(12) and 03.01.07(13), and WAGO PFC100 firmware version 03.00.39(12).
These vulnerabilities allow an experienced attacker with network access to the WBM to reconstruct the password hashes of the WBM users by sending specifically constructed requests.
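The following PHP snippet is an added illustration of the two weak patterns named above, an unanchored regular expression filter and a timing-dependent comparison of crypt() output, each beside a hardened form. It is not code from the WAGO firmware or from the advisory; the function names, the sample credential and the test values are assumptions made up for this example.

```php
<?php
// Added illustration (not WAGO's WBM code): the two weak patterns the
// advisory describes, each beside a hardened version. Function names,
// the sample password and the test inputs are constructed for this example.

// --- 1. Regular expression without anchors -----------------------------
// Without anchors, preg_match() succeeds as soon as any substring matches,
// so a crafted value that merely contains an allowed token passes the filter.
function filterUserVulnerable(string $user): bool
{
    return preg_match('/[A-Za-z0-9_]+/', $user) === 1;
}

// Anchor with \A and \z rather than ^ and $: in PCRE, $ also matches just
// before a trailing "\n", so "admin\n" would still slip through with ^...$.
function filterUserHardened(string $user): bool
{
    return preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $user) === 1;
}

// --- 2. Timing-dependent comparison of crypt() output --------------------
// Stored credential in crypt() format, produced here with password_hash()
// (constructed sample data; low cost only to keep the example fast).
$storedHash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 4]);

// crypt($input, $storedHash) recomputes the hash with the salt embedded in
// the stored value. Comparing with == is not guaranteed to run in constant
// time (it can stop at the first differing byte) and additionally applies
// PHP's loose string comparison, so the response time can depend on how many
// leading bytes of the stored hash the attacker's input reproduces.
function loginVulnerable(string $input, string $storedHash): bool
{
    return crypt($input, $storedHash) == $storedHash;
}

// hash_equals() compares in constant time; password_verify() does the same
// internally and is the preferred API for password_hash() output.
function loginHardened(string $input, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($input, $storedHash));
}

// Constructed test inputs: only the first one is a legitimate user name.
$cases = [
    'admin'     => true,
    "admin\n"   => false,   // trailing newline: ^...$ would still accept it
    '../admin'  => false,   // unanchored filter accepts on the substring "admin"
    "a' OR 1=1" => false,   // unanchored filter accepts on the substring "a"
];
foreach ($cases as $value => $shouldPass) {
    printf("%-14s vulnerable=%-6s hardened=%-6s expected=%s\n",
        json_encode($value),
        filterUserVulnerable($value) ? 'pass' : 'reject',
        filterUserHardened($value) ? 'pass' : 'reject',
        $shouldPass ? 'pass' : 'reject');
}

var_dump(loginHardened('correct horse battery staple', $storedHash)); // bool(true)
var_dump(loginHardened('wrong password', $storedHash));               // bool(false)
```

Running the script shows the vulnerable filter passing all four inputs while the hardened one accepts only `admin`. The comparison fix is independent of the filter fix: even a correctly anchored filter does not remove the timing channel if the hash comparison remains non-constant-time, which is why both are shown.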
Mitigation
Solution
Update the devices to standard firmware FW15 or a later version.
These vulnerabilities were reported to WAGO by: