Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2019-18202 |
CWE-ID | CWE-73 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software |
WAGO PFC100 Series 750-8101/025-000 (Hardware solutions / Firmware)
WAGO PFC100 Series 750-8102/025-000 (Hardware solutions / Firmware)
WAGO PFC100 Series 750-8102 (Hardware solutions / Firmware)
WAGO PFC100 Series 750-8100 (Hardware solutions / Firmware)
WAGO PFC100 Series 750-8101 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8206/040-001 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8208/025-001 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8215 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8212/000-100 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8206/040-000 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8202/040-000 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8216/025-000 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8216/025-001 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8212/025-000 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8212/025-002 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8216 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8214 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8213 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8212/025-001 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8212 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8208/025-000 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8208 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8207/025-001 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8207/025-000 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8207 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8206/025-001 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8206/025-000 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8206 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8204/025-000 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8204 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8203/025-000 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8203 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8202/040-001 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8202/025-002 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8202/025-001 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8202/025-000 (Hardware solutions / Firmware)
WAGO PFC200 Series 750-8202 (Hardware solutions / Firmware) |
Vendor | WAGO |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU21973
Risk: Medium
CVSSv3.1: 5.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-18202
CWE-ID: CWE-73 - External Control of File Name or Path
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the affected software allows checking of paths or file names that are used in filesystem operations. A remote attacker can send a specially crafted HTTP request, identify installed software and gain access to sensitive data (e.g. session data stored in the file system).
Mitigation
Install update FW12 from the vendor's website.
Vulnerable software versions
WAGO PFC100 Series 750-8101/025-000: All versions
WAGO PFC100 Series 750-8102/025-000: All versions
WAGO PFC100 Series 750-8102: All versions
WAGO PFC100 Series 750-8100: All versions
WAGO PFC100 Series 750-8101: All versions
WAGO PFC200 Series 750-8206/040-001: All versions
WAGO PFC200 Series 750-8208/025-001: All versions
WAGO PFC200 Series 750-8215: All versions
WAGO PFC200 Series 750-8212/000-100: All versions
WAGO PFC200 Series 750-8206/040-000: All versions
WAGO PFC200 Series 750-8202/040-000: All versions
WAGO PFC200 Series 750-8216/025-000: All versions
WAGO PFC200 Series 750-8216/025-001: All versions
WAGO PFC200 Series 750-8212/025-000: All versions
WAGO PFC200 Series 750-8212/025-002: All versions
WAGO PFC200 Series 750-8216: All versions
WAGO PFC200 Series 750-8214: All versions
WAGO PFC200 Series 750-8213: All versions
WAGO PFC200 Series 750-8212/025-001: All versions
WAGO PFC200 Series 750-8212: All versions
WAGO PFC200 Series 750-8208/025-000: All versions
WAGO PFC200 Series 750-8208: All versions
WAGO PFC200 Series 750-8207/025-001: All versions
WAGO PFC200 Series 750-8207/025-000: All versions
WAGO PFC200 Series 750-8207: All versions
WAGO PFC200 Series 750-8206/025-001: All versions
WAGO PFC200 Series 750-8206/025-000: All versions
WAGO PFC200 Series 750-8206: All versions
WAGO PFC200 Series 750-8204/025-000: All versions
WAGO PFC200 Series 750-8204: All versions
WAGO PFC200 Series 750-8203/025-000: All versions
WAGO PFC200 Series 750-8203: All versions
WAGO PFC200 Series 750-8202/040-001: All versions
WAGO PFC200 Series 750-8202/025-002: All versions
WAGO PFC200 Series 750-8202/025-001: All versions
WAGO PFC200 Series 750-8202/025-000: All versions
WAGO PFC200 Series 750-8202: All versions
External links
http://cert.vde.com/de-de/advisories/vde-2019-017
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.