VDE-2025-009 | CERT@VDE

2025-02-04 12:00 (CET) VDE-2025-009

WAGO: Vulnerabilities in CODESYS Control V3 - OPC UA Stack

Share: Email | Twitter

ID

VDE-2025-009

Published

2025-02-04 12:00 (CET)

Last update

2025-02-04 08:42 (CET)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No°	Product Name	Affected Version(s)
	Basic Controller 100 0750-800x	< 01.04.07 (FW4 Basic Controller)
	CC100 0751-9x01	>=03.06.10 (FW18)\| < 04.05.10 (FW27)
	CC100 0751-9x01	< 04.06.03 (70)
	Edge Controller 0752-8303/8000-0002	>=03.06.10 (FW18)\| < 04.05.10 (FW27)
	Edge Controller 0752-8303/8000-0002	< 04.06.01 (70)
	PFC100 G1 0750-810x/xxxx-xxxx	>=03.06.10 (FW18)\| < 03.10.11 FW(22 Patch 2)
	PFC100 G1 0750-810x/xxxx-xxxx	< 03.10.11 (70)
	PFC100 G2 0750-811x-xxxx-xxxx	>=03.06.10 (FW18)\| < 04.05.10 (FW27)
	PFC100 G2 0750-811x-xxxx-xxxx	< 04.06.01 (70)
	PFC200 G1 750-820x-xxx-xxx	>=03.06.10 (FW18)\| < 03.10.11 FW(22 Patch 2)
	PFC200 G1 750-820x-xxx-xxx	< 03.10.11 (70)
	PFC200 G2 750-821x-xxx-xxx	>=03.06.10 (FW18)\| < 04.05.10 (FW27)
	PFC200 G2 750-821x-xxx-xxx	< 04.06.01 (70)
	TP600 0762-420x/8000-000x	>=03.06.10 (FW18)\| < 04.05.10 (FW27)
	TP600 0762-420x/8000-000x	< 04.06.01 (70)
	TP600 0762-430x/8000-000x	>=03.06.10 (FW18)\| < 04.05.10 (FW27)
	TP600 0762-430x/8000-000x	< 04.06.01 (70)
	TP600 0762-520x/8000-000x	>=03.06.10 (FW18)\| < 04.05.10 (FW27)
	TP600 0762-520x/8000-000x	< 04.06.01 (70)
	TP600 0762-530x/8000-000x	>=03.06.10 (FW18)\| < 04.05.10 (FW27)
	TP600 0762-530x/8000-000x	< 04.06.01 (70)
	TP600 0762-620x/8000-000x	>=03.06.10 (FW18)\| < 04.05.10 (FW27)
	TP600 0762-620x/8000-000x	< 04.06.01 (70)
	TP600 0762-630x/8000-000x	>=03.06.10 (FW18)\| < 04.05.10 (FW27)
	TP600 0762-630x/8000-000x	< 04.06.01 (70)

Summary

Several WAGO Firmwares are vulnerable to an incorrect calculation of the buffer size in the CODESYS OPC UA STACK. This can lead to a crash of the runtime of the affected firmware versions installed on several devices.

CVE ID

CVE-2024-5000

Last Update:

Aug. 30, 2024, 9:24 a.m.

Severity

7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Weakness

Incorrect Calculation of Buffer Size (CWE-131)

Summary

An unauthenticated remote attacker can use a malicious OPC UA client to send a crafted request to affected CODESYS products which can cause a DoS due to incorrect calculation of buffer size.

Details

cert.vde.com

Impact

The OPC UA Stack is used by both the CODESYS OPC UA Server and Client for data exchange with OPC UA clients like SCADA or HMIs, and OPC UA servers like PLCs. A vulnerability exists where a specially crafted request can cause the system to miscalculate the buffer size, leading to a crash during buffer initialization. Attackers can exploit this flaw by sending malicious requests to crash the CODESYS runtime system. The CODESYS Control runtime system includes both the OPC UA client and server, while the CODESYS HMI includes only the OPC UA client.

Solution

Mitigation

The incorrect calculation of the buffer size can be avoided if the maximum supported array length of the OPC UA stack of the CODESYS Control runtime system is limited to a value of 10129639 (Stack.MaxArrayLenth=10129639) or less. This can be achieved by adding the following setting in the runtime configuration under the following path: /etc/codesys3.d/codesyscotrol.cfg

Remediation

Update to Firmware version 22 Patch 2, Firmware version 27 or Firmware version 4 for the basic controller. For the latest custom firmware, please contact the WAGO support.

Reported by

CERT@VDE coordinated with WAGO