This vulnerability was reported by BSI via CERT@VDE to WAGO.
Article No° | Product Name | Affected Version(s)
---|---|---
750-81xx/xxx-xxx | PFC100 | < FW16
750-82xx/xxx-xxx | PFC200 | < FW16
WAGO PLCs use Linux as their operating system and offer the ambitious user the opportunity to make their own modifications to expand the functionality of the PLC. For this reason the pppd daemon is also part of the operating system, but it is not activated in the default configuration of the WAGO firmware.
The reported vulnerability is only exploitable if the customer has manually activated the pppd daemon in their individual configuration. If the pppd daemon is used by the customer's application, an unauthenticated remote attacker could cause memory corruption in the pppd process by sending an unsolicited EAP packet, which may allow arbitrary code execution.
eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.
By sending an unsolicited EAP packet to a vulnerable ppp client or server, an unauthenticated remote attacker could cause memory corruption in the pppd process, which may allow for arbitrary code execution. (Source: IOActive Security Advisory)
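As an added illustration of the defect class described above (example code written for this advisory page, not WAGO's firmware or pppd's source): the peer-name copy in pppd's EAP handling was guarded by a length comparison that could never be true, so a peer name longer than the fixed rhostname buffer was copied in full. The functions below model the pre-fix and corrected comparisons and show a bounded copy of the name field. The 256-byte buffer size and the value/name field layout are assumptions taken from the upstream ppp fix, which this page does not quote.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Size of the fixed peer-name buffer. pppd's eap.c declares rhostname as
 * a 256-byte array (assumption for this example). */
#define RHOSTNAME_SZ 256

/* Field layout assumed for an EAP MD5-Challenge payload as parsed by
 * eap_request/eap_response: inp[0..vallen) is the challenge value and
 * inp[vallen..len) is the peer name, with vallen already validated to be
 * smaller than the remaining packet length len. */

/* Pre-fix condition: the "trim really long peer name" branch was only
 * taken when vallen >= len + sizeof(rhostname). Since vallen < len, this
 * can never hold, so the copy of (len - vallen) bytes ran unbounded. */
int old_check_trims(int len, int vallen)
{
    return vallen >= len + RHOSTNAME_SZ;
}

/* Corrected condition: compare the actual name length (len - vallen)
 * against the destination buffer size. */
int new_check_trims(int len, int vallen)
{
    return len - vallen >= RHOSTNAME_SZ;
}

/* Copies the peer name into a fixed buffer, always NUL-terminating and
 * never writing more than outsz bytes. Returns the number of name bytes
 * stored (excluding the NUL), or -1 on malformed lengths. */
int copy_peer_name(const unsigned char *inp, int len, int vallen,
                   char *out, size_t outsz)
{
    if (inp == NULL || out == NULL || outsz == 0 || vallen < 0 || vallen >= len)
        return -1;
    size_t namelen = (size_t)(len - vallen);
    if (namelen >= outsz)
        namelen = outsz - 1;          /* trim really long peer name */
    memcpy(out, inp + vallen, namelen);
    out[namelen] = '\0';
    return (int)namelen;
}

/* Constructed input: an 8-byte challenge value followed by a 292-byte
 * peer name, i.e. longer than the fixed buffer. Returns the stored
 * name length, which must be at most RHOSTNAME_SZ - 1. */
int demo_long_name(void)
{
    unsigned char pkt[300];
    char name[RHOSTNAME_SZ];
    memset(pkt, 0x41, sizeof pkt);
    return copy_peer_name(pkt, (int)sizeof pkt, 8, name, sizeof name);
}

int main(void)
{
    int len = 300, vallen = 8;
    printf("name bytes in packet: %d\n", len - vallen);
    printf("old check would trim: %d\n", old_check_trims(len, vallen));
    printf("new check would trim: %d\n", new_check_trims(len, vallen));
    printf("bytes stored by bounded copy: %d\n", demo_long_name());
    return 0;
}
```

The point a reviewer of a parser like this should check is that every bounds test compares the length of the data about to be copied with the size of the buffer receiving it; the pre-fix comparison mixed in the total packet length on the wrong side and so silently disabled the guard.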
If the pppd daemon is activated, update the device to firmware 16 or higher.