Share: Email | Twitter

ID

VDE-2021-014

Published

2021-05-20 11:08 (CEST)

Last update

2021-05-20 11:08 (CEST)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
750-8202/xxx-xxx < 03.06.19 (18)
750-8203/xxx-xxx < 03.06.19 (18)
750-8204/xxx-xxx < 03.06.19 (18)
750-8206/xxx-xxx < 03.06.19 (18)
750-8207/xxx-xxx < 03.06.19 (18)
750-8208/xxx-xxx < 03.06.19 (18)
750-8210/xxx-xxx < 03.06.19 (18)
750-8211/xxx-xxx < 03.06.19 (18)
750-8212/xxx-xxx < 03.06.19 (18)
750-8213/xxx-xxx < 03.06.19 (18)
750-8214/xxx-xxx < 03.06.19 (18)
750-8216/xxx-xxx < 03.06.19 (18)
750-8217/xxx-xxx < 03.06.19 (18)
750-823 <= FW07
750-829 <= FW14
750-831/000-00x <= FW14
750-832/000-00x <= FW06
750-852 <= FW14
750-862 <= FW07
750-880/0xx-xxx <= FW15
750-881 <= FW14
750-882 <= FW14
750-885/0xx-xxx <= FW14
750-889 <= FW14
750-890/0xx-xxx <= FW07
750-891 <= FW07
750-893 <= FW07

Summary

Multiple vulnerabilities were reported in CODESYS 2.3 Runtime. The CODESYS 2.3 Runtime is an essential component in several WAGO PLC’s.

Vulnerabilities



CVE-2021-30192
9.8
Last Update
July 7, 2021, 11:07 a.m.
Severity
9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Weakness
Incorrect Authorization (CWE-863)
Summary
CODESYS V2 Web-Server before 1.1.9.20 has an Improperly Implemented Security Check.
Details
nvd.nist.gov 
CVE-2021-30193
9.8
Last Update
July 7, 2021, 11:07 a.m.
Severity
9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Weakness
Out-of-bounds Write (CWE-787)
Summary
CODESYS V2 Web-Server before 1.1.9.20 has an Out-of-bounds Write.
Details
nvd.nist.gov 
CVE-2021-30188
9.8
Last Update
Sept. 28, 2021, 9:30 a.m.
Severity
9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Weakness
Out-of-bounds Write (CWE-787)
Summary

CODESYS V2 runtime system SP before 2.4.7.55 has a Stack-based Buffer Overflow.

Details
nvd.nist.gov 
CVE-2021-30189
9.8
Last Update
July 7, 2021, 11:07 a.m.
Severity
9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Weakness
Out-of-bounds Write (CWE-787)
Summary
CODESYS V2 Web-Server before 1.1.9.20 has a Stack-based Buffer Overflow.
Details
nvd.nist.gov 
CVE-2021-30190
9.8
Last Update
Nov. 17, 2022, 1:09 p.m.
Severity
9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Weakness
Missing Authentication for Critical Function (CWE-306)
Summary
CODESYS V2 Web-Server before 1.1.9.20 has Improper Access Control.
Details
nvd.nist.gov 
CVE-2021-30194
9.1
Last Update
July 7, 2021, 11:07 a.m.
Severity
9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
Weakness
Out-of-bounds Read (CWE-125)
Summary
CODESYS V2 Web-Server before 1.1.9.20 has an Out-of-bounds Read.
Details
nvd.nist.gov 
CVE-2021-30195
7.5
Last Update
Sept. 28, 2021, 9:30 a.m.
Severity
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Weakness
Out-of-bounds Read (CWE-125)
Summary

CODESYS V2 runtime system before 2.4.7.55 has Improper Input Validation.

Details
nvd.nist.gov 
CVE-2021-30186
7.5
Last Update
Sept. 28, 2021, 9:31 a.m.
Severity
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Weakness
Out-of-bounds Write (CWE-787)
Summary

CODESYS V2 runtime system SP before 2.4.7.55 has a Heap-based Buffer Overflow.

Details
nvd.nist.gov 
CVE-2021-30191
7.5
Last Update
July 7, 2021, 11:07 a.m.
Severity
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Weakness
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)
Summary
CODESYS V2 Web-Server before 1.1.9.20 has a a Buffer Copy without Checking the Size of the Input.
Details
nvd.nist.gov 
CVE-2021-21000
7.5
Last Update
July 7, 2021, 11:07 a.m.
Severity
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Weakness
Allocation of Resources Without Limits or Throttling (CWE-770)
Summary
On WAGO PFC200 devices in different firmware versions with special crafted packets an attacker with network access to the device could cause a denial of service for the login service of the runtime.
Details
nvd.nist.gov 
CVE-2021-21001
6.5
Last Update
July 7, 2021, 11:07 a.m.
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Weakness
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Summary
On WAGO PFC200 devices in different firmware versions with special crafted packets an authorised attacker with network access to the device can access the file system with higher privileges.
Details
nvd.nist.gov 
CVE-2021-30187
5.3
Last Update
July 7, 2021, 11:07 a.m.
Severity
5.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
Weakness
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Summary
CODESYS V2 runtime system SP before 2.4.7.55 has Improper Neutralization of Special Elements used in an OS Command.
Details
nvd.nist.gov 

Impact

The reported vulnerabilities allow an attacker who has access to the device and is able to exploit the vulnerabilities, to manipulate and disrupt the CODESYS 2.3 Runtime.

Solution

WAGO recommends all effected users with CODESYS 2.3 Runtime PLCs to update to the firmware version listed below.

Series Ethernet Controller:

Article No. Fixed Version Available
750-823 >=FW08 June 2021
750-829 >=FW15 May 2021
750-831/000-00x
750-832/000-00x >=FW08 June 2021
750-852 >=FW15 May 2021
750-862 >=FW08 June 2021
750-880/0xx-xxx >=FW16 May 2021
750-881 >=FW15 May 2021
750-882
750-885/0xx-xxx
750-889
750-890/0xx-xxx >=FW08 June 2021
750-891
750-893

Series PFC200 Controller

Article No. Fixed Patch Patch
available		 Fixed
Firmware		 Firmware
approx.
available
750-8202/xxx-xxx >=03.06.19 (18) May 2021 >=FW19 August 2021
750-8203/xxx-xxx
750-8204/xxx-xxx
750-8206/xxx-xxx
750-8207/xxx-xxx
750-8208/xxx-xxx
750-8210/xxx-xxx
750-8211/xxx-xxx
750-8212/xxx-xxx
750-8213/xxx-xxx
750-8214/xxx-xxx
750-8216/xxx-xxx
750-8217/xxx-xxx

Mitigation

  1. Use general security best practices to protect systems from local and network attacks.
  2. Do not allow direct access to the device from untrusted networks.
  3. Update to the latest firmware according to the table in chapter solutions.
  4. Disable the CODESYS 2.3 Web-Visualisation and CODESYS 2.3 port 2455.

For further impact information and risk mitigation, please refer to the official CODESYS Advisory Website at https://www.codesys.com/security/security-reports.html

Reported by

These vulnerabilities were reported by

  • Vyacheslav Moskvin, JSC Positive Technologies
  • Anton Dorfman, JSC Positive Technologies
  • Sergey Fedonin, JSC Positive Technologies
  • Ivan Kurnakov, JSC Positive Technologies
  • Denis Goryushev, JSC Positive Technologies

Coordination done by CERT@VDE.