VDE-2020-009 | CERT@VDE

2020-03-09 10:18 (CET) VDE-2020-009

WAGO: e!Cockpit Two Update Package Vulnerabilities

Share: Email | Twitter

ID

VDE-2020-009

Published

2020-03-09 10:18 (CET)

Last update

2020-03-09 10:18 (CET)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No°	Product Name	Affected Version(s)
	750-81xx/xxx-xxx (PFC100)	>= FW12
	750-82xx/xxx-xxx (PFC200)	>= FW12
	762-4xxx	>= FW12
	762-5xxx	>= FW12
	762-6xxx	>= FW12

Summary

The firmware update package (WUP) is not signed entirely. The used password offers no additional security, it is just meant to protect from unintentional modifications of the WUP file. Thus only the integrity of the signed firmware part (rauc file) is protected against intended manipulation. An attacker could manipulate the WUP file in a way that additional files with potentially malicious content are added to the WUP file.
In case an authorized user that issues a firmware update could be tricked into installing this manipulated WUP file onto the device, the potentially malicious files would also be copied and installed on to the device and executed with elevated privileges.

Vulnerabilities

CVE-2019-5158

7.8

Last Update

April 14, 2020, 1:27 p.m.

Severity

7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Weakness

Use of Hard-coded Credentials (CWE-798)

Summary

An exploitable firmware downgrade vulnerability exists in the firmware update package functionality of the WAGO e!COCKPIT automation software v1.6.1.5. A specially crafted firmware update file can allow an attacker to install an older firmware version while the user thinks a newer firmware version is being installed. An attacker can create a custom firmware update package with invalid metadata in order to trigger this vulnerability.

Details

nvd.nist.gov

CVE-2019-5159

7.8

Last Update

April 14, 2020, 1:28 p.m.

Severity

7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Weakness

Improper Input Validation (CWE-20)

Summary

An exploitable improper input validation vulnerability exists in the firmware update functionality of WAGO e!COCKPIT automation software v1.6.0.7. A specially crafted firmware update file can allow an attacker to write arbitrary files to arbitrary locations on WAGO controllers as a part of executing a firmware update, potentially resulting in code execution. An attacker can create a malicious firmware update package file using any zip utility. The user must initiate a firmware update through e!COCKPIT and choose the malicious wup file using the file browser to trigger the vulnerability.

Details

nvd.nist.gov

Impact

The vulnerabilities allow an attacker who is able to exploit the described vulnerabilities and to trick an authorized user into installing the manipulated WUP file on the controller, to manipulate, to add or to remove any files they choose to from the corresponding device. Potentially malicious files may be executed.

Solution

Mitigation

Execute FW-Update only as user „admin“.

Solution

Validate the integrity of the WUP update package by verifying the hash of the file before starting FW update.

Checksums

WAGO_FW0750-8xxx_V030035_IX12_r37384.wup

SHA-512

09b8cfe675b93ae18b78553cdc3eee1264925a941a18bc588ae2c4f35fe07c5631ddedb43d8a9ea9fb1088ab8b46cb9b6f6d4f00fe225fc377be1ed9e642d2b9

SHA-384

7b188a67cdf98350d840694d46e2d46cc1f752f4d14bf4b65988fa6393b7cc6972617c3c58981eb6015fe47ecd643a70

SHA-256

02ae134f255c3a3e1cb65bb235649c49b435cfc023c72b4281a96e1ce42ed1ca

WAGO_FW0750-8xxx_V030039_IX12_r38974.wup (Patch1)

SHA-512

db847f96f1833e22585e485b5fcf80835c4916a001b6d0154e3d701a25e11801ff7c4420bd3d147311c958587e91d466cccaab4754e2116bc26996f9aca7c943

SHA-384

b578b1f9bb4b5ee35d807cc4de0a48dcc9deca50d4d8d1da9371a9dd646b84632b364ebf58298ba27039c85dbaa14db1

SHA-256

c7a2a3267cb3e63ca75cc48189670b3a88eda28043a662c183648ca224882d72

WAGO_FW0750-8xxx_V030107_IX13_r40667.wup

SHA-512

9558b86ec41e7616af4ade37affeacc67aaef3fca5bb435aaf4aadd29915dc04de484867a9f60b025d71a7ec22aebbf1ba6340f9169a2fb4c743e493635e6796

SHA-384

06fb6851b5cbd4322225b9e19e86c06aabe6fe7ec16d9db3317e10f5af7cce3b79e5edac85b25c8d766e7cde1ccc3555

SHA-256

1453514df88baf1746af451d1b7a6f321fc5e4c84fe1c676d88ea52ea668d510

WAGO_FW0750-8xxx_V030202_IX14_r42026.wup

SHA-512

8c2fa642dc926e68e68facbbd6687388a75a73cdcde8fef60e30457f805130ab583bc3f0ceaf63f687714af4645a3c6439d4d2da78258cf3db8428603261b476

SHA-384

d80d61182951e0bbf3ee9b6a111cfa316b1ae28c7491fbcd913df432df279276e1c10909715121590e58647e2ccf391f

SHA-256

ded3154778a4f09e676968fac55ce17470940b5000983eff8488c3c92986d7d5

WAGO_FW0750-8xxx_V030310_IX15_r45240.wup

SHA-512

b0fcf793e8597385b55b82b3ac4f312fd59111390db1eeb4753eb7a727a82d7bfd0a046467051cb50a3fc45a2d6001520c256b91e7324b2eab31e7d0b1426057

SHA-384

2ebdb9ef7b12ba5076f8c98e5f8d3af4960aaddd16092d3fb42e4cacff30d98b84ef9a24717a34bc60d4ab45a8cb73e7

SHA-256

cfbc4ab7274b2dd1e40c38efe2ae3f6641482b8bf7775e7ba14791ae04fe9705

Reported by

These vulnerabilities were reported by Kelly Leuschner of Cisco Talos to WAGO.
Coordination done by CERT@VDE.