VDE-2022-055 | CERT@VDE

2023-02-16 14:43 (CET) VDE-2022-055

WAGO: Exposure of configuration interface in unmanaged switches

Share: Email | Twitter

ID

VDE-2022-055

Published

2023-02-16 14:43 (CET)

Last update

2023-02-16 14:44 (CET)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No°	Product Name	Affected Version(s)
852-111/000-001	Unmanaged Switch	= 01

Summary

An unknown and undocumented configuration interface with limited functionality was identified on the affected devices.

CVE ID

CVE-2022-3843

Last Update:

Feb. 16, 2023, 2:42 p.m.

Severity

9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)

Weakness

Hidden Functionality (CWE-912)

Summary

In WAGO Unmanaged Switch (852-111/000-001) in firmware version 01 an undocumented configuration interface without authorization allows an remote attacker to read system information and configure a limited set of parameters.

Details

nvd.nist.gov

Impact

An unprivileged attacker can configure network setting to violate confidentiality of transferred packages if the network packages themselves are not protected by cryptographic measures. Additionally, the attacker can violate the availability of network clients by changing network settings (e.g., deactivate network ports).

Solution

Mitigation

Restrict network access to the device.
Do not directly connect the device to the internet

Remediation

A firmware update which fixes the problem is available. Users who want to do a firmware update should contact the WAGO support.

Reported by

Coordination done by CERT@VDE.