WAGO GmbH & Co. is a German company that includes a business division that sells automation components used in critical manufacturing and process industries. Earlier this year, the research team at Cisco Talos uncovered a number of vulnerabilities in WAGO's e!Cockpit integrated development environment and in its PFC100 and PFC200 automation controllers. After Cisco's initial report in March, its Talos team published a follow-up report in October, which included more detailed information on the vulnerabilities and their impact.
The vulnerabilities varied in severity and type, including memory corruption flaws, the discovery of hard-coded encryption keys in the software, cleartext transmission of network communications, authentication and information disclosure vulnerabilities, denial-of-service vulnerabilities, and command injection flaws which could allow an attacker already on the PFC200 device to run commands.
Given the ubiquity of the Linux-based WAGO devices across industries and critical processes, researchers—including Claroty's research team—continually evaluate the security of these proprietary products.
Today, Team82 is publicly disclosing a newly discovered remote command injection vulnerability in the WAGO I/O-Check service protocol. The vulnerability has been issued CVE-2020-12522; CERT@VDE today released an advisory, rating the severity of the vulnerability at 10.0, its highest severity score. This critical flaw would allow an attacker with network access to send crafted packets to the WAGO device and execute code.
The vulnerability affects all firmware versions up to and including FW10. A Shodan search reveals hundreds of these devices are connected to the internet; it's unknown how many of them are running vulnerable firmware versions, since Shodan does not always reveal product or firmware version numbers.
The affected products include: Series PFC100 (750-81xx), Series PFC200 (750-82xx/xxx-xxx), Series Wago Touch Panel 600 Standard Line (762-4xxx), Series Wago Touch Panel 600 Advanced Line (762-5xxx), and Series Wago Touch Panel 600 Marine Line (762-6xxx).
Network managers and operators are advised to upgrade firmware in the WAGO devices to current levels; the vulnerability was fixed in version FW11, released in December 2017. It is likely that many devices are still running vulnerable versions of the affected firmware, and asset owners have likely been unaware of the risk until today's disclosure. It is also likely the company found the vulnerability internally and patched it in 2017.
CERT@VDE recommends as a mitigation that the I/O-Check service protocol be disabled after the product is installed and commissioned. "This is the easiest and (most secure) way to protect your device from the listed vulnerabilities," the advisory says. Other mitigations include restricting network access to the device and avoiding connecting the device directly to the internet.
Claroty researchers built on the previous work done by Cisco Talos to uncover this remote code execution vulnerability.
Specifically, Talos looked at the WAGO PFC200 firmware version 03.02.02(14) and found its command injection flaw in the iocheckd service. Talos said that an attacker must first have established a foothold on the device in order to exploit this vulnerability, which requires write privileges. An attacker with write access could place a crafted XML cache file at a location on the device to inject OS commands, then send malicious packets to the device to trigger parsing of that cache file. The cache file is used to perform some network configuration duties and is globally writable, according to Talos.
As the cache file is parsed, Talos said in March, each parameter can be used to inject commands that will run as root; an attacker on the device will be able to do so and elevate privileges to root. An attacker can write their malicious XML file to /tmp/iocheckCache.xml and trigger its parsing with a malicious packet.
Claroty's research started on an earlier version, 2.0.07. The researchers discovered that the management protocol for the WAGO PFC200 runs on TCP port 6626 during initial setup and configuration. The protocol is active by default and remains open after initial configuration.
Claroty's research uncovered that in previous versions (<=FW10), the iocheckd binary that parses the device's management protocol failed to sanitize the configuration parameters, which can lead to remote command execution on the device. The vulnerability is trivial to exploit using a single, specifically crafted TCP packet without authentication in order to run code remotely and either disrupt or manipulate the device.
The fix for both vulnerabilities verifies the hostname before writing to the cache and/or executing the change hostname command.
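As an added example (not WAGO's, Claroty's or Talos's code), the following Python models the check the fix described above performs: the hostname parameter is validated before it is written to the configuration cache or passed to the hostname command, and the command is built as an argv list so no shell ever parses the value. The function names, the in-memory cache and the injectable runner are assumptions made for illustration.

```python
import re
import subprocess
from typing import Callable, Optional

# Added example, not WAGO's or Claroty's code. It models the fix described
# above: validate the hostname parameter before caching it or handing it to
# the "change hostname" command, and never let a shell parse the value.

# RFC 1123 label: 1-63 letters, digits or hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name: str) -> bool:
    """Accept only syntactically valid hostnames. Shell metacharacters such as
    ';', '$', '`', quotes and whitespace can never pass this check."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def cache_hostname(name: str, cache: dict) -> bool:
    """Write the parameter to the (constructed, in-memory) config cache only
    after it has been validated; the cached value is what later gets executed."""
    if not is_valid_hostname(name):
        return False
    cache["hostname"] = name
    return True


def hostname_argv(name: str) -> Optional[list]:
    """Build the command as an argv list so the value can only ever be a single
    argument to 'hostname', not a fragment of a shell command line."""
    if not is_valid_hostname(name):
        return None
    return ["hostname", name]


def apply_hostname(name: str, runner: Optional[Callable[[list], object]] = None) -> bool:
    """Validate and apply. The runner is injectable so tests can record the argv
    instead of renaming the real host; the default runs it without a shell."""
    argv = hostname_argv(name)
    if argv is None:
        return False
    run = runner or (lambda a: subprocess.run(a, check=True))
    run(argv)
    return True
```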
Claroty has developed a Snort rule that it is sharing with the community that will detect this vulnerability inside industrial environments:
Claroty would also like to thank Talos researcher Kelly Leuschner and her team for their cooperation as we looked deeper into these issues.
CVE-2020-12522 (related CWE-78: Improper Neutralization of Special Elements used in an OS Command): This CVE describes a command injection vulnerability in the WAGO I/O-Check service, which allows an attacker with network access to the PFC device to remotely execute code with specially crafted packets.
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and misleading victim clients.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 7.5
CWE-288 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain controls over utilities within the products.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 9.8
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard-coded secret key. This could allow an attacker to generate valid JWT (JSON Web Token) sessions.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 7.5
CWE-912 HIDDEN FUNCTIONALITY:
The "update" binary in the firmware of the affected product attempts to mount from a hard-coded, routable IP address, bypassing existing device network settings to do so. The function triggers if the 'C' button is pressed at a specific time during the boot process. If an attacker is able to control or impersonate this IP address, they could upload and overwrite files on the device.
Per FDA recommendation, CISA recommends users remove any Contec CMS8000 devices from their networks.
If asset owners cannot remove the devices from their networks, users should block 202.114.4.0/24 from their networks, or block 202.114.4.119 and 202.114.4.120.
Please note that this device may be re-labeled and sold by resellers.
Read more here: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated….
CVSS v3: 7.5
CWE-295 IMPROPER CERTIFICATE VALIDATION:
The affected product is vulnerable because its update mechanism fails to verify the update server's certificate, which could allow an attacker to alter network traffic and carry out a machine-in-the-middle (MITM) attack. An attacker could modify the server's response and deliver a malicious update to the user.
Medixant recommends users download the v2025.1 or later version of their software.
CVSS v3: 5.7