Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2019-5168 (GCVE-0-2019-5168)
Vulnerability from cvelistv5 – Published: 2020-03-10 22:25 – Updated: 2024-08-04 19:47
VLAI?
EPSS
Summary
An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file At 0x1e8a8 the extracted domainname value from the xml file is used as an argument to /etc/config-tools/edit_dns_server domain-name=<contents of domainname node> using sprintf().This command is later executed via a call to system().
Severity ?
No CVSS data available.
CWE
- command injection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wago | WAGO PFC200 Firmware |
Affected:
version 03.02.02(14)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:47:56.825Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WAGO PFC200 Firmware",
"vendor": "Wago",
"versions": [
{
"status": "affected",
"version": "version 03.02.02(14)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An exploitable command injection vulnerability exists in the iocheckd service \u2018I/O-Check\u2019 function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file At 0x1e8a8 the extracted domainname value from the xml file is used as an argument to /etc/config-tools/edit_dns_server domain-name=\u003ccontents of domainname node\u003e using sprintf().This command is later executed via a call to system()."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "command injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-10T22:25:57.000Z",
"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"shortName": "talos"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "talos-cna@cisco.com",
"ID": "CVE-2019-5168",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WAGO PFC200 Firmware",
"version": {
"version_data": [
{
"version_value": "version 03.02.02(14)"
}
]
}
}
]
},
"vendor_name": "Wago"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An exploitable command injection vulnerability exists in the iocheckd service \u2018I/O-Check\u2019 function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file At 0x1e8a8 the extracted domainname value from the xml file is used as an argument to /etc/config-tools/edit_dns_server domain-name=\u003ccontents of domainname node\u003e using sprintf().This command is later executed via a call to system()."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "command injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962",
"refsource": "MISC",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"assignerShortName": "talos",
"cveId": "CVE-2019-5168",
"datePublished": "2020-03-10T22:25:57.000Z",
"dateReserved": "2019-01-04T00:00:00.000Z",
"dateUpdated": "2024-08-04T19:47:56.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:wago:pfc200_firmware:03.02.02\\\\(14\\\\):*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6274B67D-C65B-4834-9DB5-6FB3D0ADD3A9\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:wago:pfc200:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"688A3248-7EAA-499D-A47C-A4D4900CDBD1\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"An exploitable command injection vulnerability exists in the iocheckd service \\u2018I/O-Check\\u2019 function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file At 0x1e8a8 the extracted domainname value from the xml file is used as an argument to /etc/config-tools/edit_dns_server domain-name=\u003ccontents of domainname node\u003e using sprintf().This command is later executed via a call to system().\"}, {\"lang\": \"es\", \"value\": \"Se presenta una vulnerabilidad de inyecci\\u00f3n de comando explotable en la funci\\u00f3n \\\"I/O-Check\\\" del servicio iocheckd de WAGO PFC 200 versi\\u00f3n 03.02.02(14). Un atacante puede enviar un archivo cache XML especialmente dise\\u00f1ado. En 0x1e8a8, el valor de nombre de dominio extra\\u00eddo del archivo xml es usado como argumento para /etc/config-tools/edit_dns_server domain-name=(contents of domainname node) usando la funci\\u00f3n sprintf(). El comando se ejecuta m\\u00e1s tarde por medio de una llamada a la funci\\u00f3n system().\"}]",
"id": "CVE-2019-5168",
"lastModified": "2024-11-21T04:44:28.840",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:L/Au:N/C:C/I:C/A:C\", \"baseScore\": 7.2, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 3.9, \"impactScore\": 10.0, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2020-03-11T22:27:41.443",
"references": "[{\"url\": \"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962\", \"source\": \"talos-cna@cisco.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "talos-cna@cisco.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-78\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2019-5168\",\"sourceIdentifier\":\"talos-cna@cisco.com\",\"published\":\"2020-03-11T22:27:41.443\",\"lastModified\":\"2024-11-21T04:44:28.840\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An exploitable command injection vulnerability exists in the iocheckd service \u2018I/O-Check\u2019 function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file At 0x1e8a8 the extracted domainname value from the xml file is used as an argument to /etc/config-tools/edit_dns_server domain-name=\u003ccontents of domainname node\u003e using sprintf().This command is later executed via a call to system().\"},{\"lang\":\"es\",\"value\":\"Se presenta una vulnerabilidad de inyecci\u00f3n de comando explotable en la funci\u00f3n \\\"I/O-Check\\\" del servicio iocheckd de WAGO PFC 200 versi\u00f3n 03.02.02(14). Un atacante puede enviar un archivo cache XML especialmente dise\u00f1ado. En 0x1e8a8, el valor de nombre de dominio extra\u00eddo del archivo xml es usado como argumento para /etc/config-tools/edit_dns_server domain-name=(contents of domainname node) usando la funci\u00f3n sprintf(). El comando se ejecuta m\u00e1s tarde por medio de una llamada a la funci\u00f3n system().\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:C/I:C/A:C\",\"baseScore\":7.2,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":3.9,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:wago:pfc200_firmware:03.02.02\\\\(14\\\\):*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6274B67D-C65B-4834-9DB5-6FB3D0ADD3A9\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:wago:pfc200:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"688A3248-7EAA-499D-A47C-A4D4900CDBD1\"}]}]}],\"references\":[{\"url\":\"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962\",\"source\":\"talos-cna@cisco.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
}
}
FKIE_CVE-2019-5168
Vulnerability from fkie_nvd - Published: 2020-03-11 22:27 - Updated: 2024-11-21 04:44
Severity ?
Summary
An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file At 0x1e8a8 the extracted domainname value from the xml file is used as an argument to /etc/config-tools/edit_dns_server domain-name=<contents of domainname node> using sprintf().This command is later executed via a call to system().
References
| URL | Tags | ||
|---|---|---|---|
| talos-cna@cisco.com | https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wago | pfc200_firmware | 03.02.02\(14\) | |
| wago | pfc200 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:wago:pfc200_firmware:03.02.02\\(14\\):*:*:*:*:*:*:*",
"matchCriteriaId": "6274B67D-C65B-4834-9DB5-6FB3D0ADD3A9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:wago:pfc200:-:*:*:*:*:*:*:*",
"matchCriteriaId": "688A3248-7EAA-499D-A47C-A4D4900CDBD1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An exploitable command injection vulnerability exists in the iocheckd service \u2018I/O-Check\u2019 function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file At 0x1e8a8 the extracted domainname value from the xml file is used as an argument to /etc/config-tools/edit_dns_server domain-name=\u003ccontents of domainname node\u003e using sprintf().This command is later executed via a call to system()."
},
{
"lang": "es",
"value": "Se presenta una vulnerabilidad de inyecci\u00f3n de comando explotable en la funci\u00f3n \"I/O-Check\" del servicio iocheckd de WAGO PFC 200 versi\u00f3n 03.02.02(14). Un atacante puede enviar un archivo cache XML especialmente dise\u00f1ado. En 0x1e8a8, el valor de nombre de dominio extra\u00eddo del archivo xml es usado como argumento para /etc/config-tools/edit_dns_server domain-name=(contents of domainname node) usando la funci\u00f3n sprintf(). El comando se ejecuta m\u00e1s tarde por medio de una llamada a la funci\u00f3n system()."
}
],
"id": "CVE-2019-5168",
"lastModified": "2024-11-21T04:44:28.840",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-03-11T22:27:41.443",
"references": [
{
"source": "talos-cna@cisco.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962"
}
],
"sourceIdentifier": "talos-cna@cisco.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-3Q35-R527-69H9
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28
VLAI?
Details
An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file At 0x1e8a8 the extracted domainname value from the xml file is used as an argument to /etc/config-tools/edit_dns_server domain-name=<contents of domainname node> using sprintf().This command is later executed via a call to system().
{
"affected": [],
"aliases": [
"CVE-2019-5168"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-11T22:27:00Z",
"severity": "MODERATE"
},
"details": "An exploitable command injection vulnerability exists in the iocheckd service \u2018I/O-Check\u2019 function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file At 0x1e8a8 the extracted domainname value from the xml file is used as an argument to /etc/config-tools/edit_dns_server domain-name=\u0026lt;contents of domainname node\u0026gt; using sprintf().This command is later executed via a call to system().",
"id": "GHSA-3q35-r527-69h9",
"modified": "2022-05-24T22:28:09Z",
"published": "2022-05-24T22:28:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5168"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962"
}
],
"schema_version": "1.4.0",
"severity": []
}
CNVD-2020-16841
Vulnerability from cnvd - Published: 2020-03-12
VLAI Severity ?
Title
WAGO PFC200命令注入漏洞(CNVD-2020-16841)
Description
WAGO PFC200是德国WAGO公司的一款可编程逻辑控制器(PLC)。
WAGO PFC200 03.02.02(14)的iocheckd服务‘I/O-Check’功能存在命令注入漏洞。攻击者可通过特制XML缓存文件利用该漏洞注入OS命令。
Severity
高
Formal description
厂商尚未提供漏洞修复方案,请关注厂商主页更新: https://www.wago.com/global/automation-technology/discover-plcs/pfc200
Reference
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962
Impacted products
| Name | WAGO PFC200 03.02.02(14) |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2019-5168",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-5168"
}
},
"description": "WAGO PFC200\u662f\u5fb7\u56fdWAGO\u516c\u53f8\u7684\u4e00\u6b3e\u53ef\u7f16\u7a0b\u903b\u8f91\u63a7\u5236\u5668\uff08PLC\uff09\u3002\n\nWAGO PFC200 03.02.02(14)\u7684iocheckd\u670d\u52a1\u2018I/O-Check\u2019\u529f\u80fd\u5b58\u5728\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u7279\u5236XML\u7f13\u5b58\u6587\u4ef6\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165OS\u547d\u4ee4\u3002",
"formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.wago.com/global/automation-technology/discover-plcs/pfc200",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2020-16841",
"openTime": "2020-03-12",
"products": {
"product": "WAGO PFC200 03.02.02(14)"
},
"referenceLink": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962",
"serverity": "\u9ad8",
"submitTime": "2020-03-12",
"title": "WAGO PFC200\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff08CNVD-2020-16841\uff09"
}
GSD-2019-5168
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file At 0x1e8a8 the extracted domainname value from the xml file is used as an argument to /etc/config-tools/edit_dns_server domain-name=<contents of domainname node> using sprintf().This command is later executed via a call to system().
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2019-5168",
"description": "An exploitable command injection vulnerability exists in the iocheckd service \u2018I/O-Check\u2019 function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file At 0x1e8a8 the extracted domainname value from the xml file is used as an argument to /etc/config-tools/edit_dns_server domain-name=\u003ccontents of domainname node\u003e using sprintf().This command is later executed via a call to system().",
"id": "GSD-2019-5168"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2019-5168"
],
"details": "An exploitable command injection vulnerability exists in the iocheckd service \u2018I/O-Check\u2019 function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file At 0x1e8a8 the extracted domainname value from the xml file is used as an argument to /etc/config-tools/edit_dns_server domain-name=\u003ccontents of domainname node\u003e using sprintf().This command is later executed via a call to system().",
"id": "GSD-2019-5168",
"modified": "2023-12-13T01:23:55.059186Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "talos-cna@cisco.com",
"ID": "CVE-2019-5168",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WAGO PFC200 Firmware",
"version": {
"version_data": [
{
"version_value": "version 03.02.02(14)"
}
]
}
}
]
},
"vendor_name": "Wago"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An exploitable command injection vulnerability exists in the iocheckd service \u2018I/O-Check\u2019 function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file At 0x1e8a8 the extracted domainname value from the xml file is used as an argument to /etc/config-tools/edit_dns_server domain-name=\u003ccontents of domainname node\u003e using sprintf().This command is later executed via a call to system()."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "command injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962",
"refsource": "MISC",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:wago:pfc200_firmware:03.02.02\\(14\\):*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:wago:pfc200:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "talos-cna@cisco.com",
"ID": "CVE-2019-5168"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "An exploitable command injection vulnerability exists in the iocheckd service \u2018I/O-Check\u2019 function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file At 0x1e8a8 the extracted domainname value from the xml file is used as an argument to /etc/config-tools/edit_dns_server domain-name=\u003ccontents of domainname node\u003e using sprintf().This command is later executed via a call to system()."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962",
"refsource": "MISC",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0962"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9
}
},
"lastModifiedDate": "2020-03-16T14:16Z",
"publishedDate": "2020-03-11T22:27Z"
}
}
}
VAR-202003-0686
Vulnerability from variot - Updated: 2023-12-18 12:27An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file At 0x1e8a8 the extracted domainname value from the xml file is used as an argument to /etc/config-tools/edit_dns_server domain-name= using sprintf().This command is later executed via a call to system(). (DoS) It may be put into a state. WAGO PFC200 is a programmable logic controller (PLC) from German WAGO company
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202003-0686",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "pfc200",
"scope": "eq",
"trust": 1.4,
"vendor": "wago",
"version": "03.02.02(14)"
},
{
"model": "pfc200",
"scope": "eq",
"trust": 1.0,
"vendor": "wago",
"version": "03.02.02\\(14\\)"
},
{
"model": null,
"scope": "eq",
"trust": 0.4,
"vendor": "pfc200",
"version": "03.02.02(14)"
}
],
"sources": [
{
"db": "IVD",
"id": "fa3fd774-34c0-4201-90d7-ef26130799d5"
},
{
"db": "IVD",
"id": "8ac74de1-9894-453a-b57a-9298929035dc"
},
{
"db": "CNVD",
"id": "CNVD-2020-16841"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014883"
},
{
"db": "NVD",
"id": "CVE-2019-5168"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:wago:pfc200_firmware:03.02.02\\(14\\):*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:wago:pfc200:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2019-5168"
}
]
},
"cve": "CVE-2019-5168",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Local",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 7.2,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "JVNDB-2019-014883",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2020-16841",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "IVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "fa3fd774-34c0-4201-90d7-ef26130799d5",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.2,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.9 [IVD]"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "IVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "8ac74de1-9894-453a-b57a-9298929035dc",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.2,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.9 [IVD]"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2019-014883",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2019-5168",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "JVNDB-2019-014883",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2020-16841",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202003-351",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "IVD",
"id": "fa3fd774-34c0-4201-90d7-ef26130799d5",
"trust": 0.2,
"value": "HIGH"
},
{
"author": "IVD",
"id": "8ac74de1-9894-453a-b57a-9298929035dc",
"trust": 0.2,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "IVD",
"id": "fa3fd774-34c0-4201-90d7-ef26130799d5"
},
{
"db": "IVD",
"id": "8ac74de1-9894-453a-b57a-9298929035dc"
},
{
"db": "CNVD",
"id": "CNVD-2020-16841"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014883"
},
{
"db": "NVD",
"id": "CVE-2019-5168"
},
{
"db": "CNNVD",
"id": "CNNVD-202003-351"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An exploitable command injection vulnerability exists in the iocheckd service \u2018I/O-Check\u2019 function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file At 0x1e8a8 the extracted domainname value from the xml file is used as an argument to /etc/config-tools/edit_dns_server domain-name=\u003ccontents of domainname node\u003e using sprintf().This command is later executed via a call to system(). (DoS) It may be put into a state. WAGO PFC200 is a programmable logic controller (PLC) from German WAGO company",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-5168"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014883"
},
{
"db": "CNVD",
"id": "CNVD-2020-16841"
},
{
"db": "IVD",
"id": "fa3fd774-34c0-4201-90d7-ef26130799d5"
},
{
"db": "IVD",
"id": "8ac74de1-9894-453a-b57a-9298929035dc"
}
],
"trust": 2.52
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2019-5168",
"trust": 3.4
},
{
"db": "TALOS",
"id": "TALOS-2019-0962",
"trust": 3.0
},
{
"db": "CNVD",
"id": "CNVD-2020-16841",
"trust": 1.0
},
{
"db": "CNNVD",
"id": "CNNVD-202003-351",
"trust": 1.0
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014883",
"trust": 0.8
},
{
"db": "IVD",
"id": "FA3FD774-34C0-4201-90D7-EF26130799D5",
"trust": 0.2
},
{
"db": "IVD",
"id": "8AC74DE1-9894-453A-B57A-9298929035DC",
"trust": 0.2
}
],
"sources": [
{
"db": "IVD",
"id": "fa3fd774-34c0-4201-90d7-ef26130799d5"
},
{
"db": "IVD",
"id": "8ac74de1-9894-453a-b57a-9298929035dc"
},
{
"db": "CNVD",
"id": "CNVD-2020-16841"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014883"
},
{
"db": "NVD",
"id": "CVE-2019-5168"
},
{
"db": "CNNVD",
"id": "CNNVD-202003-351"
}
]
},
"id": "VAR-202003-0686",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "IVD",
"id": "fa3fd774-34c0-4201-90d7-ef26130799d5"
},
{
"db": "IVD",
"id": "8ac74de1-9894-453a-b57a-9298929035dc"
},
{
"db": "CNVD",
"id": "CNVD-2020-16841"
}
],
"trust": 1.63251626
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS",
"Network device"
],
"sub_category": null,
"trust": 0.6
},
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.4
}
],
"sources": [
{
"db": "IVD",
"id": "fa3fd774-34c0-4201-90d7-ef26130799d5"
},
{
"db": "IVD",
"id": "8ac74de1-9894-453a-b57a-9298929035dc"
},
{
"db": "CNVD",
"id": "CNVD-2020-16841"
}
]
},
"last_update_date": "2023-12-18T12:27:38.086000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://www.wago.com/us/"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-014883"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-014883"
},
{
"db": "NVD",
"id": "CVE-2019-5168"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.0,
"url": "https://talosintelligence.com/vulnerability_reports/talos-2019-0962"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-5168"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-5168"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-16841"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014883"
},
{
"db": "NVD",
"id": "CVE-2019-5168"
},
{
"db": "CNNVD",
"id": "CNNVD-202003-351"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "IVD",
"id": "fa3fd774-34c0-4201-90d7-ef26130799d5"
},
{
"db": "IVD",
"id": "8ac74de1-9894-453a-b57a-9298929035dc"
},
{
"db": "CNVD",
"id": "CNVD-2020-16841"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014883"
},
{
"db": "NVD",
"id": "CVE-2019-5168"
},
{
"db": "CNNVD",
"id": "CNNVD-202003-351"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-03-09T00:00:00",
"db": "IVD",
"id": "fa3fd774-34c0-4201-90d7-ef26130799d5"
},
{
"date": "2020-03-09T00:00:00",
"db": "IVD",
"id": "8ac74de1-9894-453a-b57a-9298929035dc"
},
{
"date": "2020-03-12T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-16841"
},
{
"date": "2020-03-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-014883"
},
{
"date": "2020-03-11T22:27:41.443000",
"db": "NVD",
"id": "CVE-2019-5168"
},
{
"date": "2020-03-09T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202003-351"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-03-12T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-16841"
},
{
"date": "2020-03-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-014883"
},
{
"date": "2020-03-16T14:16:07.277000",
"db": "NVD",
"id": "CVE-2019-5168"
},
{
"date": "2020-03-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202003-351"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202003-351"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "WAGO PFC 200 In OS Command injection vulnerabilities",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-014883"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "operating system commend injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202003-351"
}
],
"trust": 0.6
}
}
VDE-2020-011
Vulnerability from csaf_wagogmbhcokg - Published: 2020-03-09 09:30 - Updated: 2025-05-22 13:03Summary
WAGO: Multiple Vulnerabilities in I/O-Check Service
Notes
Summary: An attacker needs an authorized login on the device in order to exploit the herein mentioned vulnerabilities.
The reported vulnerabilities allow a local attacker with valid login credentials who is able to create files on the device to change the devices settings, e.g. default gateway address, time server etc. and potentially execute code.
Impact: By exploiting the described vulnerabilities the attacker potentially is able manipulate or disrupt the device.
Mitigation: * Disable I/O-Check service.
* Restrict network access to the device.
* Do not directly connect the device to the internet.
* Disable unused TCP/UDP-ports.
Remediation: The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.
Regardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.
An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service 'I/O-Check' functionality of WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet to trigger the parsing of this cache file. The destination buffer sp+0x440 is overflowed with the call to sprintf() for any ip values that are greater than 1024-len('/etc/config-tools/config_interfaces interface=X1 state=enabled ip-address=') in length. A ip value of length 0x3da will cause the service to crash.
7.8 (High)
Mitigation
* Disable I/O-Check service.
* Restrict network access to the device.
* Do not directly connect the device to the internet.
* Disable unused TCP/UDP-ports.
Vendor Fix
The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.
Regardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.
An exploitable stack buffer overflow vulnerability exists in the iocheckd service 'I/O-Check' functionality of WAGO PFC 200 version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can cause a stack buffer overflow, resulting in code execution. An attacker can send a specially crafted packet to trigger the parsing of this cache file.
7.8 (High)
Mitigation
* Disable I/O-Check service.
* Restrict network access to the device.
* Do not directly connect the device to the internet.
* Disable unused TCP/UDP-ports.
Vendor Fix
The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.
Regardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.
An exploitable command injection vulnerability exists in the iocheckd service 'I/O-Check' function of the WAGO PFC 200 version 03.02.02(14). At 0x1e3f0 the extracted dns value from the xml file is used as an argument to /etc/config-tools/edit_dns_server %s dns-server-nr=%d dns-server-name= using sprintf(). This command is later executed via a call to system(). This is done in a loop and there is no limit to how many dns entries will be parsed from the xml file.
7.8 (High)
Mitigation
* Disable I/O-Check service.
* Restrict network access to the device.
* Do not directly connect the device to the internet.
* Disable unused TCP/UDP-ports.
Vendor Fix
The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.
Regardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.
An exploitable command injection vulnerability exists in the iocheckd service 'I/O-Check' function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file At 0x1e8a8 the extracted domainname value from the xml file is used as an argument to /etc/config-tools/edit_dns_server domain-name= using sprintf().This command is later executed via a call to system().
7.8 (High)
Mitigation
* Disable I/O-Check service.
* Restrict network access to the device.
* Do not directly connect the device to the internet.
* Disable unused TCP/UDP-ports.
Vendor Fix
The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.
Regardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.
An exploitable command injection vulnerability exists in the iocheckd service 'I/O-Check' function of the WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can be used to inject OS commands. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1e900 the extracted gateway value from the xml file is used as an argument to /etc/config-tools/config_default_gateway number=0 state=enabled value= using sprintf(). This command is later executed via a call to system().
7.8 (High)
Mitigation
* Disable I/O-Check service.
* Restrict network access to the device.
* Do not directly connect the device to the internet.
* Disable unused TCP/UDP-ports.
Vendor Fix
The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.
Regardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.
An exploitable command injection vulnerability exists in the iocheckd service 'I/O-Check' function of the WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can be used to inject OS commands. An attacker can send a specially crafted packet to trigger the parsing of this cache file.At 0x1e87c the extracted hostname value from the xml file is used as an argument to /etc/config-tools/change_hostname hostname= using sprintf(). This command is later executed via a call to system().
7.8 (High)
Mitigation
* Disable I/O-Check service.
* Restrict network access to the device.
* Do not directly connect the device to the internet.
* Disable unused TCP/UDP-ports.
Vendor Fix
The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.
Regardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.
An exploitable command injection vulnerability exists in the iocheckd service 'I/O-Check' function of the WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send specially crafted packet at 0x1ea48 to the extracted hostname value from the xml file that is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=enabled ip-address= using sprintf().
7.8 (High)
Mitigation
* Disable I/O-Check service.
* Restrict network access to the device.
* Do not directly connect the device to the internet.
* Disable unused TCP/UDP-ports.
Vendor Fix
The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.
Regardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.
An exploitable command injection vulnerability exists in the iocheckd service 'I/O-Check' function of the WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1e840 the extracted ntp value from the xml file is used as an argument to /etc/config-tools/config_sntp time-server-%d= using sprintf(). This command is later executed via a call to system(). This is done in a loop and there is no limit to how many ntp entries will be parsed from the xml file.
7.8 (High)
Mitigation
* Disable I/O-Check service.
* Restrict network access to the device.
* Do not directly connect the device to the internet.
* Disable unused TCP/UDP-ports.
Vendor Fix
The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.
Regardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.
An exploitable command injection vulnerability exists in the iocheckd service 'I/O-Check' function of the WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can be used to inject OS commands. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1e9fc the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state= using sprintf(). This command is later executed via a call to system().
7.8 (High)
Mitigation
* Disable I/O-Check service.
* Restrict network access to the device.
* Do not directly connect the device to the internet.
* Disable unused TCP/UDP-ports.
Vendor Fix
The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.
Regardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.
An exploitable command injection vulnerability exists in the iocheckd service 'I/O-Check' function of the WAGO PFC 200 version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can be used to inject OS commands. An attacker can send a specially crafted packet to trigger the parsing of this cache file.At 0x1e9fc the extracted subnetmask value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=enabled subnet-mask= using sprintf(). This command is later executed via a call to system().
7.8 (High)
Mitigation
* Disable I/O-Check service.
* Restrict network access to the device.
* Do not directly connect the device to the internet.
* Disable unused TCP/UDP-ports.
Vendor Fix
The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.
Regardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.
An exploitable command injection vulnerability exists in the iocheckd service 'I/O-Check' function of the WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can be used to inject OS commands. An attacker can send a specially crafted packet to trigger the parsing of this cache file.At 0x1ea28 the extracted type value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=enabled config-type= using sprintf(). This command is later executed via a call to system().
7.8 (High)
Mitigation
* Disable I/O-Check service.
* Restrict network access to the device.
* Do not directly connect the device to the internet.
* Disable unused TCP/UDP-ports.
Vendor Fix
The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.
Regardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.
An exploitable double free vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. A specially crafted XML cache file written to a specific location on the device can cause a heap pointer to be freed twice, resulting in a denial of service and potentially code execution. An attacker can send a specially crafted packet to trigger the parsing of this cache file.
7.8 (High)
Mitigation
* Disable I/O-Check service.
* Restrict network access to the device.
* Do not directly connect the device to the internet.
* Disable unused TCP/UDP-ports.
Vendor Fix
The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.
Regardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.
An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service 'I/O-Check' functionality of WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can cause a stack buffer overflow, resulting in code execution. An attacker can send a specially crafted packet to trigger the parsing of this cache file. The destination buffer sp+0x440 is overflowed with the call to sprintf() for any subnetmask values that are greater than 1024-len('/etc/config-tools/config_interfaces interface=X1 state=enabled subnet-mask=') in length. A subnetmask value of length 0x3d9 will cause the service to crash.
7.8 (High)
Mitigation
* Disable I/O-Check service.
* Restrict network access to the device.
* Do not directly connect the device to the internet.
* Disable unused TCP/UDP-ports.
Vendor Fix
The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.
Regardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.
An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service 'I/O-Check' functionality of WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet to trigger the parsing of this cache file. The destination buffer sp+0x440 is overflowed with the call to sprintf() for any hostname values that are greater than 1024-len('/etc/config-tools/change_hostname hostname=') in length. A hostname value of length 0x3fd will cause the service to crash.
7.8 (High)
Mitigation
* Disable I/O-Check service.
* Restrict network access to the device.
* Do not directly connect the device to the internet.
* Disable unused TCP/UDP-ports.
Vendor Fix
The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.
Regardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.
An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service 'I/O-Check' functionality of WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet to trigger the parsing of this cache file.
7.8 (High)
Mitigation
* Disable I/O-Check service.
* Restrict network access to the device.
* Do not directly connect the device to the internet.
* Disable unused TCP/UDP-ports.
Vendor Fix
The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.
Regardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.
An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1ea28 the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state= using sprintf(). The destination buffer sp+0x40 is overflowed with the call to sprintf() for any state values that are greater than 512-len("/etc/config-tools/config_interfaces interface=X1 state=") in length. Later, at 0x1ea08 strcpy() is used to copy the contents of the stack buffer that was overflowed sp+0x40 into sp+0x440. The buffer sp+0x440 is immediately adjacent to sp+0x40 on the stack. Therefore, there is no NULL termination on the buffer sp+0x40 since it overflowed into sp+0x440. The strcpy() will result in invalid memory access. An state value of length 0x3c9 will cause the service to crash.
CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Mitigation
* Disable I/O-Check service.
* Restrict network access to the device.
* Do not directly connect the device to the internet.
* Disable unused TCP/UDP-ports.
Vendor Fix
The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.
Regardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.
An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing of this cache file.At 0x1eb9c the extracted interface element name from the xml file is used as an argument to /etc/config-tools/config_interfaces interface= using sprintf(). The destination buffer sp+0x40 is overflowed with the call to sprintf() for any interface values that are greater than 512-len("/etc/config-tools/config_interfaces interface=") in length. Later, at 0x1ea08 strcpy() is used to copy the contents of the stack buffer that was overflowed sp+0x40 into sp+0x440. The buffer sp+0x440 is immediately adjacent to sp+0x40 on the stack. Therefore, there is no NULL termination on the buffer sp+0x40 since it overflowed into sp+0x440. The strcpy() will result in invalid memory access. An interface value of length 0x3c4 will cause the service to crash.
CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Mitigation
* Disable I/O-Check service.
* Restrict network access to the device.
* Do not directly connect the device to the internet.
* Disable unused TCP/UDP-ports.
Vendor Fix
The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.
Regardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.
An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service 'I/O-Check' functionality of WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet to trigger the parsing of this cache file.The destination buffer sp+0x440 is overflowed with the call to sprintf() for any type values that are greater than 1024-len('/etc/config-tools/config_interfaces interface=X1 state=enabled config-type=') in length. A type value of length 0x3d9 will cause the service to crash.
5.5 (Medium)
Mitigation
* Disable I/O-Check service.
* Restrict network access to the device.
* Do not directly connect the device to the internet.
* Disable unused TCP/UDP-ports.
Vendor Fix
The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.
Regardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.
An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service 'I/O-Check' functionality of WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet to trigger the parsing of this cache file.The destination buffer sp+0x40 is overflowed with the call to sprintf() for any gateway values that are greater than 512-len('/etc/config-tools/config_default_gateway number=0 state=enabled value=') in length. A gateway value of length 0x7e2 will cause the service to crash.
5.5 (Medium)
Mitigation
* Disable I/O-Check service.
* Restrict network access to the device.
* Do not directly connect the device to the internet.
* Disable unused TCP/UDP-ports.
Vendor Fix
The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.
Regardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.
An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service 'I/O-Check' functionality of WAGO PFC 200 Firmware version 03.02.02(14). The destination buffer sp+0x440 is overflowed with the call to sprintf() for any domainname values that are greater than 1024-len('/etc/config-tools/edit_dns_server domain-name=') in length. A domainname value of length 0x3fa will cause the service to crash.
5.5 (Medium)
Mitigation
* Disable I/O-Check service.
* Restrict network access to the device.
* Do not directly connect the device to the internet.
* Disable unused TCP/UDP-ports.
Vendor Fix
The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.
Regardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.
References
Acknowledgments
CERT@VDE
certvde.com
Cisco Talos
Kelly Leuschner
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
},
{
"names": [
"Kelly Leuschner "
],
"organization": "Cisco Talos",
"summary": "reporting."
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "An attacker needs an authorized login on the device in order to exploit the herein mentioned vulnerabilities.\n\nThe reported vulnerabilities allow a local attacker with valid login credentials who is able to create files on the device to change the devices settings, e.g. default gateway address, time server etc. and potentially execute code.",
"title": "Summary"
},
{
"category": "description",
"text": "By exploiting the described vulnerabilities the attacker potentially is able manipulate or disrupt the device.",
"title": "Impact"
},
{
"category": "description",
"text": "* Disable I/O-Check service.\n* Restrict network access to the device.\n* Do not directly connect the device to the internet.\n* Disable unused TCP/UDP-ports.",
"title": "Mitigation"
},
{
"category": "description",
"text": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.\nRegardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@wago.com",
"name": "WAGO GmbH \u0026 Co. KG",
"namespace": "https://www.wago.com/psirt"
},
"references": [
{
"category": "external",
"summary": "Wago advisory overview at CERT@VDE",
"url": "https://certvde.com/de/advisories/vendor/wago/"
},
{
"category": "self",
"summary": "VDE-2020-011: WAGO: Multiple Vulnerabilities in I/O-Check Service - HTML",
"url": "https://certvde.com/en/advisories/VDE-2020-011"
},
{
"category": "self",
"summary": "VDE-2020-011: WAGO: Multiple Vulnerabilities in I/O-Check Service - CSAF",
"url": "https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2020/vde-2020-011.json"
}
],
"title": "WAGO: Multiple Vulnerabilities in I/O-Check Service",
"tracking": {
"aliases": [
"VDE-2020-011"
],
"current_release_date": "2025-05-22T13:03:10.000Z",
"generator": {
"date": "2025-02-10T14:02:56.511Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.18"
}
},
"id": "VDE-2020-011",
"initial_release_date": "2020-03-09T09:30:00.000Z",
"revision_history": [
{
"date": "2020-03-09T09:30:00.000Z",
"number": "1",
"summary": "Initial revision."
},
{
"date": "2025-05-22T13:03:10.000Z",
"number": "2",
"summary": "Fix: version space, quotation mark"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "750-81xx/xxx-xxx (PFC100)",
"product": {
"name": "Hardware 750-81xx/xxx-xxx (PFC100)",
"product_id": "CSAFPID-11001"
}
},
{
"category": "product_name",
"name": "750-82xx/xxx-xxx (PFC200)",
"product": {
"name": "Hardware 750-82xx/xxx-xxx (PFC200)",
"product_id": "CSAFPID-11002"
}
},
{
"category": "product_name",
"name": "762-4xxx",
"product": {
"name": "Hardware 762-4xxx",
"product_id": "CSAFPID-11003"
}
},
{
"category": "product_name",
"name": "762-5xxx",
"product": {
"name": "Pepperl+Fuchs Hardware 762-5xxx",
"product_id": "CSAFPID-11004"
}
},
{
"category": "product_name",
"name": "762-6xxx",
"product": {
"name": "Hardware 762-6xxx",
"product_id": "CSAFPID-11005"
}
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cFW16",
"product": {
"name": "Firmware \u003cFW16",
"product_id": "CSAFPID-21001"
}
},
{
"category": "product_version",
"name": "16",
"product": {
"name": "Pepperl+Fuchs Firmware 16",
"product_id": "CSAFPID-22001"
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "WAGO"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
],
"summary": "Affected Products."
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003cFW16 installed on Hardware 750-81xx/xxx-xxx (PFC100)",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003cFW16 installed on Hardware 750-82xx/xxx-xxx (PFC200)",
"product_id": "CSAFPID-31002"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003cFW16 installed on Hardware 762-4xxx",
"product_id": "CSAFPID-31003"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003cFW16 installed on Pepperl+Fuchs Hardware 762-5xxx",
"product_id": "CSAFPID-31004"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11004"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003cFW16 installed on Hardware 762-6xxx",
"product_id": "CSAFPID-31005"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11005"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-5180",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "description",
"text": "An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service \u0027I/O-Check\u0027 functionality of WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet to trigger the parsing of this cache file. The destination buffer sp+0x440 is overflowed with the call to sprintf() for any ip values that are greater than 1024-len(\u0027/etc/config-tools/config_interfaces interface=X1 state=enabled ip-address=\u0027) in length. A ip value of length 0x3da will cause the service to crash.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
},
"remediations": [
{
"category": "mitigation",
"details": "* Disable I/O-Check service. \n* Restrict network access to the device. \n* Do not directly connect the device to the internet. \n* Disable unused TCP/UDP-ports.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.\nRegardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
}
],
"title": "CVE-2019-5180"
},
{
"cve": "CVE-2019-5166",
"cwe": {
"id": "CWE-120",
"name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
},
"notes": [
{
"category": "description",
"text": "An exploitable stack buffer overflow vulnerability exists in the iocheckd service \u0027I/O-Check\u0027 functionality of WAGO PFC 200 version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can cause a stack buffer overflow, resulting in code execution. An attacker can send a specially crafted packet to trigger the parsing of this cache file.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
},
"remediations": [
{
"category": "mitigation",
"details": "* Disable I/O-Check service. \n* Restrict network access to the device. \n* Do not directly connect the device to the internet. \n* Disable unused TCP/UDP-ports.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.\nRegardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
}
],
"title": "CVE-2019-5166"
},
{
"cve": "CVE-2019-5167",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "description",
"text": "An exploitable command injection vulnerability exists in the iocheckd service \u0027I/O-Check\u0027 function of the WAGO PFC 200 version 03.02.02(14). At 0x1e3f0 the extracted dns value from the xml file is used as an argument to /etc/config-tools/edit_dns_server %s dns-server-nr=%d dns-server-name= using sprintf(). This command is later executed via a call to system(). This is done in a loop and there is no limit to how many dns entries will be parsed from the xml file.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
},
"remediations": [
{
"category": "mitigation",
"details": "* Disable I/O-Check service. \n* Restrict network access to the device. \n* Do not directly connect the device to the internet. \n* Disable unused TCP/UDP-ports.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.\nRegardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
}
],
"title": "CVE-2019-5167"
},
{
"cve": "CVE-2019-5168",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "description",
"text": "An exploitable command injection vulnerability exists in the iocheckd service \u0027I/O-Check\u0027 function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file At 0x1e8a8 the extracted domainname value from the xml file is used as an argument to /etc/config-tools/edit_dns_server domain-name= using sprintf().This command is later executed via a call to system().",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
},
"remediations": [
{
"category": "mitigation",
"details": "* Disable I/O-Check service. \n* Restrict network access to the device. \n* Do not directly connect the device to the internet. \n* Disable unused TCP/UDP-ports.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.\nRegardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
}
],
"title": "CVE-2019-5168"
},
{
"cve": "CVE-2019-5169",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "description",
"text": "An exploitable command injection vulnerability exists in the iocheckd service \u0027I/O-Check\u0027 function of the WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can be used to inject OS commands. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1e900 the extracted gateway value from the xml file is used as an argument to /etc/config-tools/config_default_gateway number=0 state=enabled value= using sprintf(). This command is later executed via a call to system().",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
},
"remediations": [
{
"category": "mitigation",
"details": "* Disable I/O-Check service. \n* Restrict network access to the device. \n* Do not directly connect the device to the internet. \n* Disable unused TCP/UDP-ports.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.\nRegardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
}
],
"title": "CVE-2019-5169"
},
{
"cve": "CVE-2019-5170",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "description",
"text": "An exploitable command injection vulnerability exists in the iocheckd service \u0027I/O-Check\u0027 function of the WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can be used to inject OS commands. An attacker can send a specially crafted packet to trigger the parsing of this cache file.At 0x1e87c the extracted hostname value from the xml file is used as an argument to /etc/config-tools/change_hostname hostname= using sprintf(). This command is later executed via a call to system().",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
},
"remediations": [
{
"category": "mitigation",
"details": "* Disable I/O-Check service. \n* Restrict network access to the device. \n* Do not directly connect the device to the internet. \n* Disable unused TCP/UDP-ports.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.\nRegardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
}
],
"title": "CVE-2019-5170"
},
{
"cve": "CVE-2019-5171",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "description",
"text": "An exploitable command injection vulnerability exists in the iocheckd service \u0027I/O-Check\u0027 function of the WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send specially crafted packet at 0x1ea48 to the extracted hostname value from the xml file that is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=enabled ip-address= using sprintf().",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
},
"remediations": [
{
"category": "mitigation",
"details": "* Disable I/O-Check service. \n* Restrict network access to the device. \n* Do not directly connect the device to the internet. \n* Disable unused TCP/UDP-ports.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.\nRegardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
}
],
"title": "CVE-2019-5171"
},
{
"cve": "CVE-2019-5172",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "description",
"text": "An exploitable command injection vulnerability exists in the iocheckd service \u0027I/O-Check\u0027 function of the WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1e840 the extracted ntp value from the xml file is used as an argument to /etc/config-tools/config_sntp time-server-%d= using sprintf(). This command is later executed via a call to system(). This is done in a loop and there is no limit to how many ntp entries will be parsed from the xml file.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
},
"remediations": [
{
"category": "mitigation",
"details": "* Disable I/O-Check service. \n* Restrict network access to the device. \n* Do not directly connect the device to the internet. \n* Disable unused TCP/UDP-ports.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.\nRegardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
}
],
"title": "CVE-2019-5172"
},
{
"cve": "CVE-2019-5173",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "description",
"text": "An exploitable command injection vulnerability exists in the iocheckd service \u0027I/O-Check\u0027 function of the WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can be used to inject OS commands. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1e9fc the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state= using sprintf(). This command is later executed via a call to system().",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
},
"remediations": [
{
"category": "mitigation",
"details": "* Disable I/O-Check service. \n* Restrict network access to the device. \n* Do not directly connect the device to the internet. \n* Disable unused TCP/UDP-ports.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.\nRegardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
}
],
"title": "CVE-2019-5173"
},
{
"cve": "CVE-2019-5174",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "description",
"text": "\nAn exploitable command injection vulnerability exists in the iocheckd service \u0027I/O-Check\u0027 function of the WAGO PFC 200 version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can be used to inject OS commands. An attacker can send a specially crafted packet to trigger the parsing of this cache file.At 0x1e9fc the extracted subnetmask value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=enabled subnet-mask= using sprintf(). This command is later executed via a call to system().",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
},
"remediations": [
{
"category": "mitigation",
"details": "* Disable I/O-Check service. \n* Restrict network access to the device. \n* Do not directly connect the device to the internet. \n* Disable unused TCP/UDP-ports.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.\nRegardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
}
],
"title": "CVE-2019-5174"
},
{
"cve": "CVE-2019-5175",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "description",
"text": "An exploitable command injection vulnerability exists in the iocheckd service \u0027I/O-Check\u0027 function of the WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can be used to inject OS commands. An attacker can send a specially crafted packet to trigger the parsing of this cache file.At 0x1ea28 the extracted type value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=enabled config-type= using sprintf(). This command is later executed via a call to system().",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
},
"remediations": [
{
"category": "mitigation",
"details": "* Disable I/O-Check service. \n* Restrict network access to the device. \n* Do not directly connect the device to the internet. \n* Disable unused TCP/UDP-ports.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.\nRegardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
}
],
"title": "CVE-2019-5175"
},
{
"cve": "CVE-2019-5184",
"cwe": {
"id": "CWE-415",
"name": "Double Free"
},
"notes": [
{
"category": "description",
"text": "An exploitable double free vulnerability exists in the iocheckd service \"I/O-Check\" functionality of WAGO PFC 200. A specially crafted XML cache file written to a specific location on the device can cause a heap pointer to be freed twice, resulting in a denial of service and potentially code execution. An attacker can send a specially crafted packet to trigger the parsing of this cache file.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
},
"remediations": [
{
"category": "mitigation",
"details": "* Disable I/O-Check service. \n* Restrict network access to the device. \n* Do not directly connect the device to the internet. \n* Disable unused TCP/UDP-ports.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.\nRegardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
}
],
"title": "CVE-2019-5184"
},
{
"cve": "CVE-2019-5181",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "description",
"text": "An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service \u0027I/O-Check\u0027 functionality of WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can cause a stack buffer overflow, resulting in code execution. An attacker can send a specially crafted packet to trigger the parsing of this cache file. The destination buffer sp+0x440 is overflowed with the call to sprintf() for any subnetmask values that are greater than 1024-len(\u0027/etc/config-tools/config_interfaces interface=X1 state=enabled subnet-mask=\u0027) in length. A subnetmask value of length 0x3d9 will cause the service to crash.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
},
"remediations": [
{
"category": "mitigation",
"details": "* Disable I/O-Check service. \n* Restrict network access to the device. \n* Do not directly connect the device to the internet. \n* Disable unused TCP/UDP-ports.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.\nRegardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
}
],
"title": "CVE-2019-5181"
},
{
"cve": "CVE-2019-5178",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "description",
"text": "An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service \u0027I/O-Check\u0027 functionality of WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet to trigger the parsing of this cache file. The destination buffer sp+0x440 is overflowed with the call to sprintf() for any hostname values that are greater than 1024-len(\u0027/etc/config-tools/change_hostname hostname=\u0027) in length. A hostname value of length 0x3fd will cause the service to crash.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
},
"remediations": [
{
"category": "mitigation",
"details": "* Disable I/O-Check service. \n* Restrict network access to the device. \n* Do not directly connect the device to the internet. \n* Disable unused TCP/UDP-ports.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.\nRegardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
}
],
"title": "CVE-2019-5178"
},
{
"cve": "CVE-2019-5179",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "description",
"text": "An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service \u0027I/O-Check\u0027 functionality of WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet to trigger the parsing of this cache file.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
},
"remediations": [
{
"category": "mitigation",
"details": "* Disable I/O-Check service. \n* Restrict network access to the device. \n* Do not directly connect the device to the internet. \n* Disable unused TCP/UDP-ports.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.\nRegardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
}
],
"title": "CVE-2019-5179"
},
{
"cve": "CVE-2019-5185",
"cwe": {
"id": "CWE-120",
"name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
},
"notes": [
{
"category": "description",
"text": "An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service \"I/O-Check\" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1ea28 the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state= using sprintf(). The destination buffer sp+0x40 is overflowed with the call to sprintf() for any state values that are greater than 512-len(\"/etc/config-tools/config_interfaces interface=X1 state=\") in length. Later, at 0x1ea08 strcpy() is used to copy the contents of the stack buffer that was overflowed sp+0x40 into sp+0x440. The buffer sp+0x440 is immediately adjacent to sp+0x40 on the stack. Therefore, there is no NULL termination on the buffer sp+0x40 since it overflowed into sp+0x440. The strcpy() will result in invalid memory access. An state value of length 0x3c9 will cause the service to crash.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
},
"remediations": [
{
"category": "mitigation",
"details": "* Disable I/O-Check service. \n* Restrict network access to the device. \n* Do not directly connect the device to the internet. \n* Disable unused TCP/UDP-ports.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.\nRegardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
}
],
"title": "CVE-2019-5185"
},
{
"cve": "CVE-2019-5186",
"cwe": {
"id": "CWE-120",
"name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
},
"notes": [
{
"category": "description",
"text": "An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service \"I/O-Check\" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing of this cache file.At 0x1eb9c the extracted interface element name from the xml file is used as an argument to /etc/config-tools/config_interfaces interface= using sprintf(). The destination buffer sp+0x40 is overflowed with the call to sprintf() for any interface values that are greater than 512-len(\"/etc/config-tools/config_interfaces interface=\") in length. Later, at 0x1ea08 strcpy() is used to copy the contents of the stack buffer that was overflowed sp+0x40 into sp+0x440. The buffer sp+0x440 is immediately adjacent to sp+0x40 on the stack. Therefore, there is no NULL termination on the buffer sp+0x40 since it overflowed into sp+0x440. The strcpy() will result in invalid memory access. An interface value of length 0x3c4 will cause the service to crash.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
},
"remediations": [
{
"category": "mitigation",
"details": "* Disable I/O-Check service. \n* Restrict network access to the device. \n* Do not directly connect the device to the internet. \n* Disable unused TCP/UDP-ports.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.\nRegardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
}
],
"title": "CVE-2019-5186"
},
{
"cve": "CVE-2019-5182",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "description",
"text": "An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service \u0027I/O-Check\u0027 functionality of WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet to trigger the parsing of this cache file.The destination buffer sp+0x440 is overflowed with the call to sprintf() for any type values that are greater than 1024-len(\u0027/etc/config-tools/config_interfaces interface=X1 state=enabled config-type=\u0027) in length. A type value of length 0x3d9 will cause the service to crash.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
},
"remediations": [
{
"category": "mitigation",
"details": "* Disable I/O-Check service. \n* Restrict network access to the device. \n* Do not directly connect the device to the internet. \n* Disable unused TCP/UDP-ports.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.\nRegardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"environmentalScore": 5.5,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 5.5,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
}
],
"title": "CVE-2019-5182"
},
{
"cve": "CVE-2019-5176",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "description",
"text": "An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service \u0027I/O-Check\u0027 functionality of WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet to trigger the parsing of this cache file.The destination buffer sp+0x40 is overflowed with the call to sprintf() for any gateway values that are greater than 512-len(\u0027/etc/config-tools/config_default_gateway number=0 state=enabled value=\u0027) in length. A gateway value of length 0x7e2 will cause the service to crash.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
},
"remediations": [
{
"category": "mitigation",
"details": "* Disable I/O-Check service. \n* Restrict network access to the device. \n* Do not directly connect the device to the internet. \n* Disable unused TCP/UDP-ports.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.\nRegardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"environmentalScore": 5.5,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 5.5,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
}
],
"title": "CVE-2019-5176"
},
{
"cve": "CVE-2019-5177",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "description",
"text": "An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service \u0027I/O-Check\u0027 functionality of WAGO PFC 200 Firmware version 03.02.02(14). The destination buffer sp+0x440 is overflowed with the call to sprintf() for any domainname values that are greater than 1024-len(\u0027/etc/config-tools/edit_dns_server domain-name=\u0027) in length. A domainname value of length 0x3fa will cause the service to crash.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
},
"remediations": [
{
"category": "mitigation",
"details": "* Disable I/O-Check service. \n* Restrict network access to the device. \n* Do not directly connect the device to the internet. \n* Disable unused TCP/UDP-ports.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.\nRegardless of the action described above, the vulnerabilities are expected to be fixed in FW16 Release in Q2/2020.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"environmentalScore": 5.5,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 5.5,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
}
],
"title": "CVE-2019-5177"
}
]
}
Loading…
Show additional events:
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…