VDE-2023-005 | CERT@VDE

2023-06-25 08:00 (CEST) VDE-2023-005

WAGO: Series 750-3x/-8x prone to MODBUS server DoS

Share: Email | Twitter

ID

VDE-2023-005

Published

2023-06-25 08:00 (CEST)

Last update

2025-05-05 08:37 (CEST)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No°	Product Name	Affected Version(s)
750-832/xxx-xxx	BACnet/IP Controller (4th Gen)	<= FW 10
750-332	BACnet/IP Fieldbus Coupler (4th Gen)	<= FW 10
750-823	EtherNet/IP Controller (4th Gen)	<= FW 10
750-893	EtherNet/IP Controller (4th Gen)	<= FW 10
750-363/xxx-xxx	EtherNet/IP Fieldbus Coupler (4th Gen)	<= FW 10
750-365/xxx-xxx	EtherNet/IP M12 Fieldbus Coupler (4th Gen)	<= FW 10
750-862	Modbus TCP Controller (4th Gen)	<= FW 10
750-890/xxx-xxx	Modbus TCP Controller (4th Gen)	<= FW 10
750-891	Modbus TCP Controller (4th Gen)	<= FW 10
750-362/xxx-xxx	Modbus TCP Fieldbus Coupler (4th Gen)	<= FW 10
750-364/xxx-xxx	Modbus TCP M12 Fieldbus Coupler (4th Gen)	<= FW 10

Summary

An unauthenticated attacker with network access to port 502/TCP of the target device can cause a denial-of-service condition by sending multiple specially crafted packets. The MODBUS server does not properly release memory resources that were reserved for incomplete connection attempts by MODBUS clients. This could allow a remote attacker to generate a denial of service condition on devices that incorporate a vulnerable version of the MODBUS server.

CVE ID

CVE-2023-1150

Last Update:

Aug. 30, 2024, 9:28 a.m.

Severity

7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Weakness

Uncontrolled Resource Consumption (CWE-400)

Summary

Uncontrolled resource consumption in Series WAGO 750-3x/-8x products may allow an unauthenticated remote attacker to DoS the MODBUS server with specially crafted packets.

Details

cert.vde.com

Impact

Abusing this vulnerability an attacker can crash an affected product, which fully prevents the product to work as intended. After a complete restart the component works as expected.

Solution

Mitigation

In case no MODBUS communication is needed the MODBUS-Server should be deactivated in the product settings of the web-based management.

As general security measures WAGO strongly recommends:

Use general security best practices to protect systems from local and network attacks.
Do not allow direct access to the device from untrusted networks.
Update to the latest firmware according to the table in chapter solutions.
Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium (www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/ICS/ICS-Security_compendium.pdf).

Remediation

We recommend all effected users to update to the firmware version listed below:

Series WAGO 750-3x/-8x
Article Number	Fixed in Firmware Version
750-332	FW11 after BACnet certification
750-362/xxx-xxx	FW11 Q3/2023
750-363/xxx-xxx	FW11 Q3/2023
750-364/xxx-xxx	FW11 Q3/2023
750-365/xxx-xxx	FW11 Q3/2023
750-823	FW11 Q3/2023
750-832/xxx-xxx	FW11 after BACnet certification
750-862	FW11 Q1/2023
750-890/xxx-xxx	FW11 Q3/2023
750-891	FW11 Q3/2023
750-893	FW11 Q3/2023

Reported by

WAGO thanks Roman Ezhov from Kaspersky for reporting.

CERT@VDE coordinated with WAGO.