Share: Email | Twitter

ID

VDE-2023-039

Published

2024-03-13 09:30 (CET)

Last update

2024-03-13 09:31 (CET)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
750-831/xxx-xxx Controller BACnet/IP <= FW13
750-829 Controller BACnet MS/TP <= FW13
750-88x/xxx-xxx Ethernet Controller 3rd Generation <= FW13
750-852 Ethernet Controller 3rd Generation <= FW13
750-352/xxx-xxx Fieldbus Coupler Ethernet 3rd Generation <= FW13

Summary

The Web-Based Management (WBM) of WAGOs programmable logic controller (PLC) is typically used for administration, commissioning, and updates.

The option to change the configuration data via tools or the web-based-management enabled attackers to prepare cross-site-scripting attacks and under specific circumstances perform remote code execution.

Vulnerabilities



Last Update
Aug. 30, 2024, 9:13 a.m.
Weakness
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)
Summary

An unautheticated remote attacker could send specifically crafted packets to a affected device. If an authenticated user then views that data in a specific page of the web-based management a buffer overflow will be triggered to gain full access of the device.

Last Update
Aug. 30, 2024, 9:25 a.m.
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

The configuration data page of the web-based-management of affected devices has been vulnerable to stored XSS (Cross-Site Scripting) attacks. This leads to a limited impact of confidentiality and integrity but no impact of availability.

Impact

The web-based management of affected products is vulnerable to Reflective Cross-Site Scripting. This can be used to install malicious code and to gain access to confidential information on a System that connects to the WBM after it has been compromised.

Additionally, the affected products contain a buffer overflow vulnerability which enables attackers to remotely execute code, which could lead to compromise of data and execution of malicious code.

Solution

Mitigation

If not needed, you can deactivate the web-based management to prevent attacks (command line). Disable
unused TCP/UDP-ports. Restrict network access to the device. Do not directly connect the device to the
internet.

Remediation

A fix for the affected firmwares will be provided with the following firmware versions:

  • > FW13 installed on 750-352/xxx-xxx
  • > FW13 installed on 750-88x/xxx-xxx
  • > FW13 installed on 750-852

No fix planned for products:

  • <= FW13 installed on 750-831/xxx-xxx
  • <= FW13 installed on 750-829

Reported by

The vulnerability was reported by Connor Ford from Nettitude.

Coordination done by CERT@VDE.