
ID

VDE-2024-047

Published

2024-11-18 12:00 (CET)

Last update

2024-11-18 10:29 (CET)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

| Product Name | Article No° | Affected Version(s) |
|---|---|---|
| WAGO CC100 | 0751-9x01 | <= 4.5.10 (FW27) |
| WAGO Edge Controller | 0752-8303/8000-0002 | <= 4.5.10 (FW27) |
| WAGO PFC100 G1 | 0750-810x/xxxx-xxxx | < 3.10.11 |
| WAGO PFC100 G2 | 0750-811x-xxxx-xxxx | <= 4.5.10 (FW27) |
| WAGO PFC200 G1 | 750-820x-xxx-xxx | < 3.10.11 |
| WAGO PFC200 G2 | 750-821x-xxx-xxx | <= 4.5.10 (FW27) |
| WAGO TP600 | 0762-420x/8000-000x | <= 4.5.10 (FW27) |
| WAGO TP600 | 0762-430x/8000-000x | <= 4.5.10 (FW27) |
| WAGO TP600 | 0762-520x/8000-000x | <= 4.5.10 (FW27) |
| WAGO TP600 | 0762-530x/8000-000x | <= 4.5.10 (FW27) |
| WAGO TP600 | 0762-620x/8000-000x | <= 4.5.10 (FW27) |
| WAGO TP600 | 0762-630x/8000-000x | <= 4.5.10 (FW27) |

Summary

Nozomi reported eight vulnerabilities to WAGO affecting different firmware versions installed on several devices.

Vulnerabilities



Last Update
Dec. 2, 2024, 11:18 a.m.
Weakness
Missing Authentication for Critical Function (306)
Summary

A low privileged remote attacker may modify the configuration of the CODESYS V3 service through a missing authentication vulnerability which could lead to full system access and/or DoS. 

Last Update
Dec. 2, 2024, 11:18 a.m.
Weakness
Path Traversal: '.../...//' (35)
Summary

A low privileged remote attacker can specify an arbitrary file on the filesystem, which may lead to arbitrary file writes with root privileges.

Last Update
Dec. 2, 2024, 11:18 a.m.
Weakness
Missing Authentication for Critical Function (306)
Summary

A low privileged remote attacker may modify the boot mode configuration setup of the device, leading to modification of the firmware upgrade process or a denial-of-service attack.

Last Update
Dec. 2, 2024, 11:18 a.m.
Weakness
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (22)
Summary

A low privileged remote attacker can overwrite an arbitrary file on the filesystem leading to a DoS and data loss.

Last Update
Dec. 2, 2024, 11:18 a.m.
Weakness
Incorrect Permission Assignment for Critical Resource (732)
Summary

A low privileged remote attacker may modify the BACnet service properties due to incorrect permission assignment for a critical resource, which may lead to a DoS limited to BACnet communication.

Last Update
Dec. 2, 2024, 11:18 a.m.
Weakness
Path Traversal: '.../...//' (35)
Summary

A low privileged remote attacker can overwrite an arbitrary file on the filesystem which may lead to an arbitrary file read with root privileges.

Last Update
Dec. 2, 2024, 11:18 a.m.
Weakness
Incorrect Permission Assignment for Critical Resource (732)
Summary

A low privileged remote attacker may have access to forbidden diagnostic data due to incorrect permission assignment for a critical resource.

Last Update
Dec. 2, 2024, 11:18 a.m.
Weakness
Missing Authentication for Critical Function (306)
Summary

A low privileged remote attacker may modify the Docker settings setup of the device, leading to a limited DoS.

Impact

The identified vulnerabilities could lead to a denial-of-service attack or alteration of the firmware and Docker configuration.

Solution

Remediation

Update to firmware version 28. A patch beyond FW 22 Patch 2, and therefore for PFC G1 devices, is currently not planned.

Reported by

CERT@VDE coordinated with WAGO GmbH & Co. KG

Reported by Diego Giubertoni of Nozomi Networks