SB2020032007 - Multiple vulnerabilities in WAGO PFC200 and WAGO PFC100 Controllers
Published: March 20, 2020
Description
This security bulletin contains information about 28 vulnerabilities.
1) OS Command Injection (CVE-ID: CVE-2019-5174)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the iocheckd service "I/O-Check" function in the "subnetmask" value. A remote authenticated attacker can use a specially crafted XML cache file and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
2) OS Command Injection (CVE-ID: CVE-2019-5173)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the iocheckd service "I/O-Check" function in the "state" value. A remote authenticated attacker can use a specially crafted XML cache file and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
3) OS Command Injection (CVE-ID: CVE-2019-5172)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the iocheckd service "I/O-Check" function in the "ntp" value. A remote authenticated attacker can use a specially crafted XML cache file and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
4) OS Command Injection (CVE-ID: CVE-2019-5171)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the iocheckd service "I/O-Check" function in the "ip" value. A remote authenticated attacker can use a specially crafted XML cache file and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
5) OS Command Injection (CVE-ID: CVE-2019-5170)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the iocheckd service "I/O-Check" function in the "hostname" value. A remote authenticated attacker can use a specially crafted XML cache file and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
6) OS Command Injection (CVE-ID: CVE-2019-5169)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the iocheckd service "I/O-Check" function in the "gateway" value. A remote authenticated attacker can use a specially crafted XML cache file and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
7) OS Command Injection (CVE-ID: CVE-2019-5168)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the iocheckd service "I/O-Check" function in the "domainname" value. A remote authenticated attacker can use a specially crafted XML cache file and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
8) OS Command Injection (CVE-ID: CVE-2019-5175)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the iocheckd service "I/O-Check" function in the "type" value. A remote authenticated attacker can use a specially crafted XML cache file and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
9) OS Command Injection (CVE-ID: CVE-2019-5167)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the iocheckd service "I/O-Check" function in the "dns" value. A remote authenticated attacker can use a specially crafted XML cache file and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
10) Insufficient Resource Pool (CVE-ID: CVE-2019-5149)
CWE-ID: -
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists within Web-Based Management (WBM) because the default configuration of the FastCGI module appears to limit the number of concurrent php-cgi processes to two. A remote attacker can trigger resource exhaustion and cause a denial of service condition on the target webserver.
11) Regular Expression without Anchors (CVE-ID: CVE-2019-5134)
CWE-ID: CWE-777 - Regular Expression without Anchors
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a regular expression without anchors in the Web-Based Management (WBM) authentication functionality. A remote attacker can use a specially crafted authentication request to bypass regular expression filters and gain access to sensitive information on the target system.
12) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2019-5135)
CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an exploitable timing discrepancy in the authentication functionality of the Web-Based Management (WBM) web application. A remote attacker can exploit the PHP "crypt()" function and disclose hashed user credentials.
13) Buffer overflow (CVE-ID: CVE-2019-5181)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the iocheckd service "I/O-Check" functionality in the "subnetmask" value. A remote authenticated attacker can use a specially crafted XML cache file, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
14) Buffer overflow (CVE-ID: CVE-2019-5180)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the iocheckd service "I/O-Check" functionality in the "ip" value. A remote authenticated attacker can use a specially crafted XML cache file, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
15) Buffer overflow (CVE-ID: CVE-2019-5179)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the iocheckd service "I/O-Check" functionality in the "ntp" value. A remote authenticated attacker can use a specially crafted XML cache file, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
16) Buffer overflow (CVE-ID: CVE-2019-5178)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the iocheckd service "I/O-Check" functionality in the "hostname" value. A remote authenticated attacker can use a specially crafted XML cache file, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
17) Buffer overflow (CVE-ID: CVE-2019-5177)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the iocheckd service "I/O-Check" functionality in the "domainname" value. A remote authenticated attacker can use a specially crafted XML cache file, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
18) Buffer overflow (CVE-ID: CVE-2019-5182)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the iocheckd service "I/O-Check" functionality in the "type" value. A remote authenticated attacker can use a specially crafted XML cache file, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
19) Buffer overflow (CVE-ID: CVE-2019-5176)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the iocheckd service "I/O-Check" functionality in the "gateway" value. A remote authenticated attacker can use a specially crafted XML cache file, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
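The iocheckd entries above (1 to 9, command injection; 13 to 19, buffer overflow) all concern values taken from the XML cache file without validation or bounds checks. The following C code is an added example, not WAGO's code and not part of the bulletin: it checks a subset of the named fields (ip, gateway, dns, subnetmask, hostname, domainname) against a strict grammar and a length bound before copying them. The function names and the per-field grammars are assumptions; fields not listed are rejected.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Strict dotted-quad IPv4: inet_pton() rejects trailing bytes such as ";" */
static int is_ipv4(const char *s, uint32_t *out) {
    struct in_addr a;
    if (strlen(s) >= INET_ADDRSTRLEN || inet_pton(AF_INET, s, &a) != 1)
        return 0;
    if (out) *out = ntohl(a.s_addr);
    return 1;
}

/* A netmask is an IPv4 value whose set bits are contiguous from the top */
static int is_netmask(const char *s) {
    uint32_t m, inv;
    if (!is_ipv4(s, &m)) return 0;
    inv = ~m;
    return (inv & (inv + 1u)) == 0;
}

/* One DNS label: 1..63 of [A-Za-z0-9-], no leading or trailing hyphen */
static int is_label(const char *s, size_t n) {
    if (n == 0 || n > 63 || s[0] == '-' || s[n - 1] == '-') return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '-') return 0;
    return 1;
}

/* Dotted sequence of labels; with allow_dots == 0, exactly one label */
static int is_name(const char *s, int allow_dots) {
    const char *dot;
    if (strlen(s) > 253) return 0;
    while ((dot = strchr(s, '.')) != NULL) {
        if (!allow_dots || !is_label(s, (size_t)(dot - s))) return 0;
        s = dot + 1;
    }
    return is_label(s, strlen(s));
}

/* Returns 0 and copies value into dst only if the field name is known, the
 * value matches that field's grammar and it fits in cap bytes; otherwise -1. */
int accept_field(const char *name, const char *value, char *dst, size_t cap) {
    int ok;
    if (!name || !value || !dst || cap == 0) return -1;
    if (!strcmp(name, "ip") || !strcmp(name, "gateway") || !strcmp(name, "dns"))
        ok = is_ipv4(value, NULL);
    else if (!strcmp(name, "subnetmask"))
        ok = is_netmask(value);
    else if (!strcmp(name, "hostname"))
        ok = is_name(value, 0);
    else if (!strcmp(name, "domainname"))
        ok = is_name(value, 1);
    else ok = 0; /* unknown field: fail closed */
    if (!ok || strlen(value) >= cap) return -1;
    memcpy(dst, value, strlen(value) + 1);
    return 0;
}
```

Values that pass should still reach any child process as separate argv elements rather than through a shell command string.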
20) OS Command Injection (CVE-ID: CVE-2019-5155)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the Cloud Connectivity feature. A remote administrator can inject arbitrary OS commands into any of the parameter values contained in the Firmware Update command.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
21) OS Command Injection (CVE-ID: CVE-2019-5156)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the Cloud Connectivity functionality in the "TimeoutPrepared" parameter. A remote administrator can execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
22) Improper access control (CVE-ID: CVE-2019-5160)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in the Cloud Connectivity functionality. A remote administrator can use a specially crafted HTTPS POST request, bypass implemented security restrictions and gain unauthorized access to firmware update functionality.
23) Insufficient verification of data authenticity (CVE-ID: CVE-2019-5161)
CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists within the Cloud Connectivity functionality because the affected software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. A remote administrator can use a specially crafted XML file and execute a shell script with root privileges.
24) OS Command Injection (CVE-ID: CVE-2019-5157)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation within the Cloud Connectivity functionality in the "TimeoutUnconfirmed" parameter value contained in the Firmware Update command. A remote administrator can execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
25) Buffer overflow (CVE-ID: CVE-2019-5166)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the iocheckd service "I/O-Check" functionality. A remote authenticated attacker can use a specially crafted XML cache file, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
26) Double Free (CVE-ID: CVE-2019-5184)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in the iocheckd service "I/O-Check" functionality. A remote authenticated attacker can use a specially crafted XML cache file, trigger a double free error and cause a denial of service condition on the target system, leading to remote code execution.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
27) Buffer overflow (CVE-ID: CVE-2019-5186)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists within the "interface" parameter due to a boundary error in the iocheckd service "I/O-Check" functionality. A remote authenticated attacker can use a specially crafted XML cache file, trigger memory corruption and cause a denial of service condition on the target system, leading to remote code execution.
28) Buffer overflow (CVE-ID: CVE-2019-5185)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists within the "state" parameter due to a boundary error in the iocheckd service "I/O-Check" functionality. A remote authenticated attacker can use a specially crafted XML cache file, trigger memory corruption and cause a denial of service condition on the target system, leading to remote code execution.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0939
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0923
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0924
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0963
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0948
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0949
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0953
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0954
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0950
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0961
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0965
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0966