Externally Controlled Reference to a Resource in Another Sphere in WAGO PFC200 Series

1) Externally Controlled Reference to a Resource in Another Sphere

EUVDB-ID: #VU83406

Risk: Low

CVSSv3.1: 2.4 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4089

CWE-ID: CWE-610 - Externally Controlled Reference to a Resource in Another Sphere

Exploit availability: No

Description

The vulnerability allows a remote user to compromise the target system.

The vulnerability exists due to the affected software uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. A remote administrator can access files which they already have access to through an undocumented local file inclusion.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Compact Controller CC100: FW19 - FW26

Edge Controller: FW18 - FW26

PFC100: FW16 - FW26

PFC200: FW16 - FW26

Touch Panel 600 Advanced Line: FW16 - FW26

Touch Panel 600 Marine Line: FW16 - FW26

Touch Panel 600 Standard Line: FW16 - FW26

External links

http://cert.vde.com/en/advisories/VDE-2023-046/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.