VDE-2021-013 | CERT@VDE

2021-05-05 10:54 (CEST) VDE-2021-013

WAGO: Multiple Vulnerabilities in the Web-Based Management Interface

Share: Email | Twitter

ID

VDE-2021-013

Published

2021-05-05 10:54 (CEST)

Last update

2021-05-05 10:54 (CEST)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No°	Product Name	Affected Version(s)
	0852-0303	<= V1.2.3.S0
	0852-1305	<= V1.1.7.S0
	0852-1305/000-001	<= V1.0.4.S0
	0852-1505	<= V1.1.6.S0
	0852-1505/000-001	<= V1.0.4.S0

Summary

The Web-Based Management (WBM) of WAGOs industrial managed switches is typically used for administration, commissioning and updates.

The reported vulnerabilities allow an attacker with access to the device and the Web-Based Management, to install malware, access to password hashes and create user with admin credentials.

Vulnerabilities

CVE-2021-20998

9.8

Last Update

July 7, 2021, 10:54 a.m.

Severity

9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Weakness

Missing Authentication for Critical Function (CWE-306)

Summary

In multiple managed switches by WAGO in different versions without authorization and with specially crafted packets it is possible to create users.

Details

nvd.nist.gov

CVE-2021-20995

7.5

Last Update

July 7, 2021, 10:53 a.m.

Severity

7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Weakness

Cleartext Storage of Sensitive Information (CWE-312)

Summary

In multiple managed switches by WAGO in different versions the webserver cookies of the web based UI contain user credentials.

Details

nvd.nist.gov

CVE-2021-20997

7.5

Last Update

July 7, 2021, 10:54 a.m.

Severity

7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Weakness

Insufficiently Protected Credentials (CWE-522)

Summary

In multiple managed switches by WAGO in different versions it is possible to read out the password hashes of all Web-based Management users.

Details

nvd.nist.gov

CVE-2021-20994

6.1

Last Update

July 7, 2021, 10:53 a.m.

Severity

6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Weakness

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Summary

In multiple managed switches by WAGO in different versions an attacker may trick a legitimate user to click a link to inject possible malicious code into the Web-Based Management.

Details

nvd.nist.gov

CVE-2021-20993

5.3

Last Update

July 7, 2021, 10:53 a.m.

Severity

5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Weakness

Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

Summary

In multiple managed switches by WAGO in different versions the activated directory listing provides an attacker with the index of the resources located inside the directory.

Details

nvd.nist.gov

CVE-2021-20996

5.3

Last Update

July 7, 2021, 10:53 a.m.

Severity

5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Weakness

Incorrect Permission Assignment for Critical Resource (CWE-732)

Summary

In multiple managed switches by WAGO in different versions special crafted requests can lead to cookies being transferred to third parties.

Details

nvd.nist.gov

Impact

By exploiting the described vulnerabilities, the attacker potentially is able to manipulate or to disrupt the device.

Solution

The Web-Based Management is only needed during installation and commissioning, not during normal operations. It is recommended to disable the web server after commissioning. The Command Line Interface (CLI) is an alternative for commissioning the device. This is the easiest and securest way to protect your device from the listed vulnerabilities.

Regardless of the action described above, the vulnerabilities are fixed with following firmware releases.

Item number	FW version
0852-0303 (HW < 3)*	V1.2.5.S0
0852-0303 (HW >=3)*	V1.2.3.S1
0852-1305	V1.1.8.S0
0852-1505	V1.1.7.S0
0852-1305/000-001	V1.1.4.S0
0852-1505/000-001	V1.1.4.S0

*Detailed information about the hardware version is described in the installation guide.

Mitigation

Disable the web server of the device.
Use the CLI interface of the device.
Update to the latest firmware.
Restrict network access to the device.
Do not directly connect the device to the internet.

Reported by

These vulnerabilities were reported to WAGO by:

Dr. Tobias Augustin of IKS – Institut für Kooperative Systeme GmbH
Stephan Tigges of IKS – Institut für Kooperative Systeme GmbH
Kai Gaul of ABO Wind AG
Jan Rübenach of ABO Wind AG

Coordinated done by CERT@VDE.