Multiple vulnerabilities in WAGO PFC200 and PFC100



Published: 2019-12-17 | Updated: 2020-03-06
Risk High
Patch available NO
Number of vulnerabilities 9
CVE-ID CVE-2019-5081
CVE-2019-5077
CVE-2019-5080
CVE-2019-5073
CVE-2019-5079
CVE-2019-5078
CVE-2019-5075
CVE-2019-5074
CVE-2019-5082
CWE-ID CWE-119
CWE-306
CWE-200
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Wago PFC200 Controller
Hardware solutions / Firmware

WAGO PFC100 Controller
Hardware solutions / Firmware

Vendor WAGO

Security Bulletin

This security bulletin contains information about 9 vulnerabilities.

Updated 06.03.2020

Added vulnerability #9

1) Buffer overflow

EUVDB-ID: #VU23630

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2019-5081

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the iocheckd service "I/O-Check" functionality within the ReadPCBManuNum message processing code. A remote attacker can send a specially crafted set of packets, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Wago PFC200 Controller: 03.00.39(12) - 03.01.07(13)

WAGO PFC100 Controller: 03.00.39(12)

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0873


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Missing Authentication for Critical Function

EUVDB-ID: #VU23639

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2019-5077

CWE-ID: CWE-306 - Missing Authentication for Critical Function

Exploit availability: No

Description

The  vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an insufficient authentication mechanism in the iocheckd service "I/O-Check" functionality. A remote attacker can send a specially crafted set of packets which will overwrite the MAC Address stored persistently on the device, cause a denial of service, resulting in the device entering an error state where it ceases all network communications.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Wago PFC200 Controller: 03.00.39(12) - 03.01.07(13)

WAGO PFC100 Controller: 03.00.39(12)

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0869


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Missing Authentication for Critical Function

EUVDB-ID: #VU23638

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2019-5080

CWE-ID: CWE-306 - Missing Authentication for Critical Function

Exploit availability: No

Description

The  vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an insufficient authentication mechanism in the iocheckd service "I/O-Check" functionality within the factory restore procedure. A remote attacker can send a specially crafted packet, cause a denial of service condition and weaken credentials resulting in the default documented credentials being applied to the device.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Wago PFC200 Controller: 03.00.39(12) - 03.01.07(13)

WAGO PFC100 Controller: 03.00.39(12)

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0872


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Information disclosure

EUVDB-ID: #VU23637

Risk: Medium

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2019-5073

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to improper input validation in the iocheckd service "I/O-Check" functionality. A remote attacker can send a specially crafted set of packets, cause an external tool to fail and gain unauthorized access to sensitive information on the system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Wago PFC200 Controller: 03.00.39(12) - 03.01.07(13)

WAGO PFC100 Controller: 03.00.39(12)

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0862


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Buffer overflow

EUVDB-ID: #VU23635

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2019-5079

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the iocheckd service "I/O-Check" functionality within the ReadPSN message processing code. A remote attacker can send a specially crafted set of packets, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Wago PFC200 Controller: 03.00.39(12) - 03.01.07(13)

WAGO PFC100 Controller: 03.00.39(12)

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0871


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Missing Authentication for Critical Function

EUVDB-ID: #VU23634

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2019-5078

CWE-ID: CWE-306 - Missing Authentication for Critical Function

Exploit availability: No

Description

The  vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an insufficient authentication mechanism in the iocheckd service "I/O-Check" functionality. A remote attacker can send a specially crafted set of packets and cause a denial of service condition, resulting in the device entering an error state where it ceases all network communications.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Wago PFC200 Controller: 03.00.39(12) - 03.01.07(13)

WAGO PFC100 Controller: 03.00.39(12)

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0870


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Buffer overflow

EUVDB-ID: #VU23632

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2019-5075

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in iocheckd service "I/O-Check" functionality in the command line utility "getcouplerdetails". A remote attacker can send a specially crafted set of packets, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Wago PFC200 Controller: 03.00.39(12) - 03.01.07(13)

WAGO PFC100 Controller: 03.00.39(12)

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0864


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Buffer overflow

EUVDB-ID: #VU23631

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2019-5074

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the iocheckd service "I/O-Check" functionality when generating a response to the "BC_ProductLabel" message. A remote attacker can send a specially crafted set of packets, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Wago PFC200 Controller: 03.00.39(12) - 03.01.07(13)

WAGO PFC100 Controller: 03.00.39(12)

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Buffer overflow

EUVDB-ID: #VU25794

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2019-5082

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the iocheckd service "I/O-Check" functionality within the ReadPCBManuNum message processing code. A remote attacker can send a specially crafted set of packets, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Wago PFC200 Controller: 03.00.39(12) - 03.01.07(13)

WAGO PFC100 Controller: 03.00.39(12)

External links

http://talosintelligence.com/vulnerability_reports/TALOS-2019-0874


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###