Article No. | Product Name | Affected Version(s) |
---|---|---|
750-331 | | <= FW16 |
750-332 | | <= FW09 |
750-352/xxx-xxx | | <= FW16 |
750-362/xxx-xxx | | <= FW09 |
750-363/xxx-xxx | | <= FW09 |
750-364/xxx-xxx | | <= FW09 |
750-365/xxx-xxx | | <= FW09 |
750-823 | | <= FW09 |
750-829 | | <= FW16 |
750-831/000-00x | | <= FW14 |
750-832/000-00x | | <= FW09 |
750-852 | | <= FW16 |
750-862 | | <= FW09 |
750-880/0xx-xxx | | <= FW16 |
750-881 | | <= FW16 |
750-882 | | <= FW16 |
750-885/0xx-xxx | | <= FW16 |
750-889 | | <= FW16 |
750-890/0xx-xxx | | <= FW09 |
750-891 | | <= FW09 |
750-893 | | <= FW09 |
Multiple vulnerabilities were reported in the Nucleus Real-Time Operating System (RTOS). The Nucleus RTOS is an essential component in several WAGO PLCs and fieldbus couplers. WAGO also uses older versions of the Nucleus RTOS in legacy products.
For additional information please consult the official Siemens advisory:
• Advisory SSA-044112
The FTP server does not properly validate the length of the “USER” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.
The DHCP client application assumes that the data supplied with the “Hostname” DHCP option is NULL terminated. In cases where the global hostname variable is not defined, this may lead to out-of-bounds reads, writes, and Denial-of-Service conditions.
The FTP server does not properly validate the length of the “PWD/XPWD” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.
The FTP server does not properly validate the length of the “MKD/XMKD” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.
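The DHCP hostname flaw described above stems from treating a length-prefixed option as a NUL-terminated C string. The following is an added example, not Nucleus or WAGO code, of a defensive Host Name option parser that bounds every copy by the option length and by the destination size; dhcp_get_hostname, HOSTNAME_MAX and the sample option bytes are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not Nucleus or WAGO code. DHCP options are TLV encoded
 * (code, len, len data bytes); the Host Name option (code 12) carries no NUL
 * terminator, so treating it as a C string is the bug class the advisory
 * describes. HOSTNAME_MAX is an assumed local buffer size. */
#define OPT_PAD        0
#define OPT_HOSTNAME  12
#define OPT_END      255
#define HOSTNAME_MAX  64

/* Copy the Host Name option into dst, always NUL terminated. Returns bytes
 * copied, 0 if absent, -1 on malformed or oversized input (ignore it then). */
int dhcp_get_hostname(const uint8_t *opts, size_t opts_len, char *dst, size_t dst_len)
{
    size_t i = 0;
    while (i < opts_len) {
        uint8_t code = opts[i++];
        if (code == OPT_END) break;
        if (code == OPT_PAD) continue;             /* single-byte option */
        if (i >= opts_len) return -1;              /* length byte missing */
        uint8_t len = opts[i++];
        if (len > opts_len - i) return -1;         /* option runs past packet */
        if (code == OPT_HOSTNAME) {
            if (len == 0 || len >= dst_len) return -1; /* no room for the NUL */
            memcpy(dst, &opts[i], len);            /* bounded by len, not by a NUL */
            dst[len] = '\0';                       /* terminate it ourselves */
            return (int)len;
        }
        i += len;                                  /* skip options we do not use */
    }
    return 0;
}
/* Constructed option lists (not captured traffic). */
static const uint8_t good_opts[]      = { 53, 1, 5, 12, 4, 'p', 'l', 'c', '1', 255 };
static const uint8_t truncated_opts[] = { 12, 10, 'a', 'b' };   /* claims 10 bytes, has 2 */
static const uint8_t no_host_opts[]   = { 53, 1, 5, 255 };

int check_good(void)      { char h[HOSTNAME_MAX]; return dhcp_get_hostname(good_opts, sizeof good_opts, h, sizeof h) == 4 && strcmp(h, "plc1") == 0; }
int check_truncated(void) { char h[HOSTNAME_MAX]; return dhcp_get_hostname(truncated_opts, sizeof truncated_opts, h, sizeof h); }
int check_oversized(void) { char h[4]; return dhcp_get_hostname(good_opts, sizeof good_opts, h, sizeof h); } /* "plc1" needs 5 */
int check_absent(void)    { char h[HOSTNAME_MAX]; return dhcp_get_hostname(no_host_opts, sizeof no_host_opts, h, sizeof h); }
int main(void)
{
    printf("good=%d truncated=%d oversized=%d absent=%d\n", check_good(), check_truncated(), check_oversized(), check_absent());
    return 0;
}
```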
The reported vulnerabilities allow an attacker who has access to the device and is able to exploit them to manipulate and disrupt the device. Please consult the CVE entries listed above for more details.
WAGO devices are not affected by CVE-2021-31885.
Vulnerable to all vulnerabilities listed above:
750-829, 750-831/000-00x, 750-852, 750-880/0xx-xxx, 750-881, 750-882, 750-885/0xx-xxx, 750-889, 750-331, 750-352/xxx-xxx
Vulnerable only to CVE-2021-31344, CVE-2021-31346, CVE-2021-31890:
750-823, 750-832/000-00x, 750-862, 750-890/0xx-xxx, 750-891, 750-893, 750-332, 750-362/xxx-xxx, 750-363/xxx-xxx, 750-364/xxx-xxx, 750-365/xxx-xxx
Remediation
For fieldbus couplers and PLCs: we recommend that all affected users update to the firmware version listed below:
Article Number | Fixed in Firmware Version | Availability |
---|---|---|
750-823 | >= FW10 | January 2022 |
750-832/000-00x | >= FW10 | After BACnet certification |
750-862 | >= FW10 | January 2022 |
750-890/xxx-xxx | >= FW10 | January 2022 |
750-891 | >= FW10 | January 2022 |
750-893 | >= FW10 | January 2022 |
750-332 | >= FW10 | After BACnet certification |
750-362/xxx-xxx | >= FW10 | January 2022 |
750-363/xxx-xxx | >= FW10 | January 2022 |
750-364/xxx-xxx | >= FW10 | January 2022 |
750-365/xxx-xxx | >= FW10 | January 2022 |
Mitigation
For fieldbus couplers and PLCs: the fieldbus couplers and PLCs listed above are based on the Nucleus V1 RTOS. At the moment no updates are available for this version. For this reason, and in line with the recommendations of the BSI, WAGO recommends implementing the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the exposure of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP and DNS, especially on critical network segments.
5. Please check https://cert.vde.com/de/ regularly for updates to this advisory.
These vulnerabilities were reported by
Coordination with WAGO done by CERT@VDE.