Article No° | Product Name | Affected Version(s) |
---|---|---|
WAGO CC100 0751-9x01 | <= 4.5.10 (FW27) | |
WAGO Edge Controller 0752-8303/8000-0002 | <= 4.5.10 (FW27) | |
WAGO PFC100 G1 0750-810x/xxxx-xxxx | < 3.10.11 | |
WAGO PFC100 G2 0750-811x-xxxx-xxxx | <= 4.5.10 (FW27) | |
WAGO PFC200 G1 750-820x-xxx-xxx | < 3.10.11 | |
WAGO PFC200 G2 750-821x-xxx-xxx | <= 4.5.10 (FW27) | |
WAGO TP600 0762-420x/8000-000x | <= 4.5.10 (FW27) | |
WAGO TP600 0762-430x/8000-000x | <= 4.5.10 (FW27) | |
WAGO TP600 0762-520x/8000-000x | <= 4.5.10 (FW27) | |
WAGO TP600 0762-530x/8000-000x | <= 4.5.10 (FW27) | |
WAGO TP600 0762-620x/8000-000x | <= 4.5.10 (FW27) | |
WAGO TP600 0762-630x/8000-000x | <= 4.5.10 (FW27) |
Nozomi reported eight vulnerabilities to WAGO affecting different firmwares installed on several devices.
A low privileged remote attacker may modify the configuration of the CODESYS V3 service through a missing authentication vulnerability which could lead to full system access and/or DoS.
A low privileged remote attacker can specify an arbitrary file on the filesystem which may lead to an arbitrary file writes with root privileges.
A low privileged remote attacker may modify the boot mode configuration setup of the device, leading to modification of the firmware upgrade process or a denial-of-service attack.
A low privileged remote attacker can overwrite an arbitrary file on the filesystem leading to a DoS and data loss.
A low privileged remote attacker may modify the BACNet service properties due to incorrect permission assignment for critical resource which may lead to a DoS limited to BACNet communication.
A low privileged remote attacker can overwrite an arbitrary file on the filesystem which may lead to an arbitrary file read with root privileges.
A low privileged remote attacker may have access to forbidden diagnostic data due to incorrect permission assignment for critical resource.
A low privileged remote attacker may modify the docker settings setup of the device, leading to a limited DoS.
The identified vulnerabilities could lead to a denial-of-service attack or alter of the firmware and docker configuration.
Remediation
Update to firmware version 28. A patch beyond FW 22 Patch 2. and therefore for PFC G1 devices, is currently not planned.
CERT@VDE coordinated with WAGO GmbH & Co. KG
Reported by Diego Giubertoni by Nozomi Networks