SB2020032007 - Multiple vulnerabilities in WAGO PFC200 and WAGO PFC100 Controllers
Published: March 20, 2020
Description
This security bulletin contains information about 28 security vulnerabilities.
1) OS Command Injection (CVE-ID: CVE-2019-5174)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation of the "subnetmask" value in the "I/O-Check" function of the iocheckd service. A remote authenticated attacker can use a specially crafted XML cache file to execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
2) OS Command Injection (CVE-ID: CVE-2019-5173)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation of the "state" value in the "I/O-Check" function of the iocheckd service. A remote authenticated attacker can use a specially crafted XML cache file to execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
3) OS Command Injection (CVE-ID: CVE-2019-5172)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation of the "ntp" value in the "I/O-Check" function of the iocheckd service. A remote authenticated attacker can use a specially crafted XML cache file to execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
4) OS Command Injection (CVE-ID: CVE-2019-5171)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation of the "ip" value in the "I/O-Check" function of the iocheckd service. A remote authenticated attacker can use a specially crafted XML cache file to execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
5) OS Command Injection (CVE-ID: CVE-2019-5170)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation of the "hostname" value in the "I/O-Check" function of the iocheckd service. A remote authenticated attacker can use a specially crafted XML cache file to execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
6) OS Command Injection (CVE-ID: CVE-2019-5169)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation of the "gateway" value in the "I/O-Check" function of the iocheckd service. A remote authenticated attacker can use a specially crafted XML cache file to execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
7) OS Command Injection (CVE-ID: CVE-2019-5168)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation of the "domainname" value in the "I/O-Check" function of the iocheckd service. A remote authenticated attacker can use a specially crafted XML cache file to execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
8) OS Command Injection (CVE-ID: CVE-2019-5175)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation of the "type" value in the "I/O-Check" function of the iocheckd service. A remote authenticated attacker can use a specially crafted XML cache file to execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
9) OS Command Injection (CVE-ID: CVE-2019-5167)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation of the "dns" value in the "I/O-Check" function of the iocheckd service. A remote authenticated attacker can use a specially crafted XML cache file to execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
10) Insufficient Resource Pool (CVE-ID: CVE-2019-5149)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists within the Web-Based Management (WBM) because the default configuration of the FastCGI module appears to limit the number of concurrent php-cgi processes to two. A remote attacker can trigger resource exhaustion and cause a denial of service condition on the target webserver.
11) Regular Expression without Anchors (CVE-ID: CVE-2019-5134)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a regular expression without anchors in the Web-Based Management (WBM) authentication functionality. A remote attacker can use a specially crafted authentication request to bypass regular expression filters and gain access to sensitive information on the target system.
12) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2019-5135)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an exploitable timing discrepancy in the authentication functionality of the Web-Based Management (WBM) web application. A remote attacker can exploit the PHP "crypt()" function and disclose hashed user credentials.
13) Buffer overflow (CVE-ID: CVE-2019-5181)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the handling of the "subnetmask" value by the "I/O-Check" functionality of the iocheckd service. A remote authenticated attacker can use a specially crafted XML cache file to trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
14) Buffer overflow (CVE-ID: CVE-2019-5180)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the handling of the "ip" value by the "I/O-Check" functionality of the iocheckd service. A remote authenticated attacker can use a specially crafted XML cache file to trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
15) Buffer overflow (CVE-ID: CVE-2019-5179)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the handling of the "ntp" value by the "I/O-Check" functionality of the iocheckd service. A remote authenticated attacker can use a specially crafted XML cache file to trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
16) Buffer overflow (CVE-ID: CVE-2019-5178)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the handling of the "hostname" value by the "I/O-Check" functionality of the iocheckd service. A remote authenticated attacker can use a specially crafted XML cache file to trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
17) Buffer overflow (CVE-ID: CVE-2019-5177)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the handling of the "domainname" value by the "I/O-Check" functionality of the iocheckd service. A remote authenticated attacker can use a specially crafted XML cache file to trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
18) Buffer overflow (CVE-ID: CVE-2019-5182)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the handling of the "type" value by the "I/O-Check" functionality of the iocheckd service. A remote authenticated attacker can use a specially crafted XML cache file to trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
19) Buffer overflow (CVE-ID: CVE-2019-5176)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the handling of the "gateway" value by the "I/O-Check" functionality of the iocheckd service. A remote authenticated attacker can use a specially crafted XML cache file to trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
20) OS Command Injection (CVE-ID: CVE-2019-5155)
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the Cloud Connectivity feature. A remote administrator can inject arbitrary OS commands into any of the parameter values contained in the Firmware Update command.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
21) OS Command Injection (CVE-ID: CVE-2019-5156)
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation of the "TimeoutPrepared" parameter in the Cloud Connectivity functionality. A remote administrator can execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
22) Improper access control (CVE-ID: CVE-2019-5160)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in the Cloud Connectivity functionality. A remote administrator can use a specially crafted HTTPS POST request, bypass implemented security restrictions and gain unauthorized access to firmware update functionality.
23) Insufficient verification of data authenticity (CVE-ID: CVE-2019-5161)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists within the Cloud Connectivity functionality because the affected software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. A remote administrator can use a specially crafted XML file and execute a shell script with root privileges.
24) OS Command Injection (CVE-ID: CVE-2019-5157)
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation of the "TimeoutUnconfirmed" parameter value contained in the Firmware Update command of the Cloud Connectivity functionality. A remote administrator can execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
25) Buffer overflow (CVE-ID: CVE-2019-5166)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the iocheckd service "I/O-Check" functionality. A remote authenticated attacker can use a specially crafted XML cache file, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
26) Double Free (CVE-ID: CVE-2019-5184)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in the iocheckd service "I/O-Check" functionality. A remote authenticated attacker can use a specially crafted XML cache file, trigger a double free error and cause a denial of service condition on the target system, leading to remote code execution.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
27) Buffer overflow (CVE-ID: CVE-2019-5186)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists within the "interface" parameter due to a boundary error in the iocheckd service "I/O-Check" functionality. A remote authenticated attacker can use a specially crafted XML cache file, trigger memory corruption and cause a denial of service condition on the target system, leading to remote code execution.
28) Buffer overflow (CVE-ID: CVE-2019-5185)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists within the "state" parameter due to a boundary error in the iocheckd service "I/O-Check" functionality. A remote authenticated attacker can use a specially crafted XML cache file, trigger memory corruption and cause a denial of service condition on the target system, leading to remote code execution.
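Items 1-9 and 13-19 describe the same XML cache values being used without input validation or bounds checking. The following is an added example, not code from the vendor or from the original bulletin, of allow-list validation and bounded copying for such values; the function names, FIELD_MAX and the pairing of validators with field names are assumptions.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <string.h>
#define FIELD_MAX 254   /* assumed upper bound for any field (253 chars + NUL) */

/* Bounded length check: non-empty and NUL-terminated within FIELD_MAX bytes. */
static int fits(const char *v) {
    return v && v[0] && memchr(v, '\0', FIELD_MAX) != NULL;
}
/* Strict dotted-quad IPv4, for address-valued fields such as "ip" and "gateway". */
int valid_ipv4(const char *v) {
    struct in_addr a;
    return fits(v) && inet_pton(AF_INET, v, &a) == 1;
}
/* "subnetmask": a valid IPv4 address whose set bits are contiguous from the top. */
int valid_netmask(const char *v) {
    struct in_addr a;
    if (!fits(v) || inet_pton(AF_INET, v, &a) != 1) return 0;
    uint32_t inv = ~ntohl(a.s_addr);
    return (inv & (inv + 1)) == 0;          /* inverted mask must be 2^k - 1 */
}

/* "hostname"/"domainname": RFC 1123 labels (letters, digits, inner hyphens). */
int valid_hostname(const char *v) {
    size_t label = 0;
    if (!fits(v)) return 0;
    for (const char *p = v; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '.') {
            if (label == 0 || p[-1] == '-') return 0;
            label = 0;
        } else if (!(isalnum(c) || (c == '-' && label > 0)) || ++label > 63) {
            return 0;   /* spaces, quotes, shell metacharacters, long labels */
        }
    }
    return label > 0 && v[strlen(v) - 1] != '-';
}

/* Validate, then copy only if the value fits; never truncate or overflow. */
int store_field(char *dst, size_t dstsz, const char *v, int (*ok)(const char *)) {
    size_t n;
    if (!ok(v) || (n = strlen(v)) >= dstsz) return 0;
    memcpy(dst, v, n + 1);
    return 1;
}

int main(void) {                            /* constructed sample values */
    char buf[16];
    return !(store_field(buf, sizeof buf, "255.255.255.0", valid_netmask)
             && !valid_hostname("plc 01"));
}
```

Values that pass these checks contain no characters a shell would interpret, and a value that does not fit the destination is rejected instead of being copied.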
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0939
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0923
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0924
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0963
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0948
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0949
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0953
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0954
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0950
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0961
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0965
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0966