VAR-201906-0626
Vulnerability from variot - Updated: 2023-12-18 10:49WAGO 852-303 before FW06, 852-1305 before FW06, and 852-1505 before FW03 devices contain hardcoded users and passwords that can be used to login via SSH and TELNET. WAGO 852-303 , 852-1305 , 852-1505 The device contains a vulnerability related to the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. WAGOIndustrialManagedSwitches852-303 and so on are all industrial management switches of WAGO, Germany. A security management vulnerability exists in versions prior to WAGOIndustrialManagedSwitches852-3031.2.2.S0, prior to 852-13051.1.6.S0, and prior to 852-15051.1.5.S0. Attackers can use the default password or hardcoded password, hardcoded certificate. Wait for the affected component to attack. Successful attacks can allow a remote attacker to gain unauthorized access to the vulnerable device. SEC Consult Vulnerability Lab Security Advisory < 20190612-0 > ======================================================================= title: Multiple vulnerabilities product: WAGO 852 Industrial Managed Switch Series vulnerable version: 852-303: <v1.2.2.S0 852-1305: <v1.1.6.S0 852-1505: <v1.1.5.S0 fixed version: 852-303: v1.2.2.S0 852-1305: v1.1.6.S0 852-1505: v1.1.5.S0 CVE number: CVE-2019-12550, CVE-2019-12549 impact: high homepage: https://www.wago.com found: 2019-03-08 by: T. Weber (Office Vienna) IoT Inspector SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
"New ideas are the driving force behind our success WAGO is a family-owned company headquartered in Minden, Germany. Independently operating for three generations, WAGO is the global leader of spring pressure electrical interconnect and automation solutions. For more than 60 years, WAGO has developed and produced innovative products for packaging, transportation, process, industrial and building automation markets amongst others. Aside from its innovations in spring pressure connection technology, WAGO has introduced numerous innovations that have revolutionized industry. Further ground-breaking inventions include: the WAGO-I/O-SYSTEM®, TOPJOB S® and WALL-NUTS®."
Source: http://www.wago.us/wago/
Business recommendation:
SEC Consult recommends to immediately apply the available patches from the vendor. A thorough security review should be performed by security professionals to identify further potential security issues. Furthermore, hardcoded password hashes and credentials were also found by doing an automated scan with IoT Inspector. Two vulnerabilities (CVE-2017-16544 and CVE-2015-0235) were verified by emulating the device with the MEDUSA scaleable firmware runtime. The validity of the password hashes and the embedded keys were also verified by emulating the device.
1) Known BusyBox Vulnerabilities The used BusyBox toolkit in version 1.12.0 is outdated and contains multiple known vulnerabilities. The outdated version was found by IoT Inspector. One of the discovered vulnerabilities (CVE-2017-16544) was verified by using the MEDUSA scaleable firmware runtime.
2) Known GNU glibc Vulnerabilities The used GNU glibc in version 2.8 is outdated and contains multiple known vulnerabilities. The outdated version was found by IoT Inspector. One of the discovered vulnerabilities (CVE-2015-0235, "GHOST") was verified by using the MEDUSA scaleable firmware runtime.
4) Embedded Private Keys (CVE-2019-12549) The device contains hardcoded private keys for the SSH daemon. The fingerprint of the SSH host key from the corresponding SSH daemon matches to the embedded private key.
Proof of concept:
1) Known BusyBox Vulnerabilities BusyBox version 1.12.0 contains multiple CVEs like: CVE-2013-1813, CVE-2016-2148, CVE-2016-6301, CVE-2011-2716, CVE-2011-5325, CVE-2015-9261, CVE-2016-2147 and more.
The BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on an emulated device. A file with the name "\ectest\n\e]55;test.txt\a" was created to trigger the vulnerability.
ls "pressing "
test ]55;test.txt
2) Known GNU glibc Vulnerabilities GNU glibc version 2.8 contains multiple CVEs like: CVE-2010-0296, CVE-2010-3856, CVE-2012-4412, CVE-2014-4043, CVE-2014-9402, CVE-2014-9761, CVE-2014-9984, CVE-2015-1472 and more.
The gethostbyname buffer overflow vulnerability (GHOST) was checked with the help of the exploit code from https://seclists.org/oss-sec/2015/q1/274. It was compiled and executed on the emulated device to test the system.
3) Hardcoded Credentials (CVE-2019-12550) The following credentials were found in the 'passwd' file of the firmware: root No password is set for the account [EMPTY PASSWORD] admin
By using these credentials, it's possible to connect via Telnet and SSH on the emulated device. Example for Telnet:
[root@localhost ~]# telnet 192.168.0.133 Trying 192.168.0.133... Connected to 192.168.0.133. Escape character is '^]'.
L2SWITCH login: root Password: ~ #
Example for SSH:
[root@localhost ~]# ssh 192.168.0.133 root@192.168.0.133's password: ~ #
4) Embedded Private Keys (CVE-2019-12549) The following host key fingerprint is shown by accessing the SSH daemon on the emulated device:
[root@localhost ~]# ssh 192.168.0.133 The authenticity of host '192.168.0.133 (192.168.0.133)' can't be established. RSA key fingerprint is SHA256:X5Vr0/x0/j62N/aqZmHz96ojwl8x/I8mfzuT8o6uZso. RSA key fingerprint is MD5:2e:65:85:fc:45:04:bd:68:30:74:51:45:7d:2f:95:e2.
This matches the embedded private key (which has been removed from this advisory): SSH Fingerprint: 2e:65:85:fc:45:04:bd:68:30:74:51:45:7d:2f:95:e2
Vulnerable / tested versions:
According to the vendor, the following versions are affected: * 852-303: <v1.2.2.S0 * 852-1305: <v1.1.6.S0 * 852-1505: <v1.1.5.S0
Vendor contact timeline:
2019-03-12: Contacting VDE CERT through info@cert.vde.com, received confirmation 2019-03-26: Asking for a status update, VDE CERT is still waiting for details 2019-03-28: VDE CERT requests information from WAGO again 2019-04-09: Asking for a status update 2019-04-11: VDE CERT: patched firmware release planned for end of May, requested postponement of advisory release 2019-04-16: VDE CERT: update regarding affected firmware versions 2019-04-24: Confirming advisory release for beginning of June 2019-05-20: Asking for a status update 2019-05-22: VDE CERT: no news from WAGO yet, 5th June release date 2019-05-29: Asking for a status update 2019-05-29: VDE CERT: detailed answer from WAGO, patches will be published on 7th June, SEC Consult proposes new advisory release date for 12th June 2019-06-07: VDE CERT provides security advisory information from WAGO; WAGO releases security patches 2019-06-12: Coordinated release of security advisory
Solution:
The vendor provides patches to their customers at their download page. The following versions fix the issues: * 852-303: v1.2.2.S0 * 852-1305: v1.1.6.S0 * 852-1505: v1.1.5.S0
According to the vendor, busybox and glibc have been updated and the embedded private keys are being newly generated upon first boot and after a factory reset.
Workaround:
Restrict network access to the device & SSH server.
Advisory URL:
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/contact/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult
EOF T. Weber / @2019
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201906-0626",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "852-1505",
"scope": "lt",
"trust": 1.0,
"vendor": "wago",
"version": "1.1.5.s0"
},
{
"model": "852-1305",
"scope": "lt",
"trust": 1.0,
"vendor": "wago",
"version": "1.1.6.s0"
},
{
"model": "852-303",
"scope": "lt",
"trust": 1.0,
"vendor": "wago",
"version": "1.2.2.s0"
},
{
"model": "852-1305",
"scope": null,
"trust": 0.8,
"vendor": "wago",
"version": null
},
{
"model": "852-1505",
"scope": null,
"trust": 0.8,
"vendor": "wago",
"version": null
},
{
"model": "852-303",
"scope": null,
"trust": 0.8,
"vendor": "wago",
"version": null
},
{
"model": "industrial managed switches \u003c1.2.2.s0",
"scope": "eq",
"trust": 0.6,
"vendor": "wago",
"version": "852-303"
},
{
"model": "industrial managed switches \u003c1.1.6.s0",
"scope": "eq",
"trust": 0.6,
"vendor": "wago",
"version": "852-1305"
},
{
"model": "industrial managed switches \u003c1.1.5.s0",
"scope": "eq",
"trust": 0.6,
"vendor": "wago",
"version": "852-1505"
},
{
"model": "industrial managed switches 1.2.1.s0",
"scope": "eq",
"trust": 0.3,
"vendor": "wago",
"version": "852-303"
},
{
"model": "industrial managed switches 1.1.4.s0",
"scope": "eq",
"trust": 0.3,
"vendor": "wago",
"version": "852-1505"
},
{
"model": "industrial managed switches 1.1.5.s0",
"scope": "eq",
"trust": 0.3,
"vendor": "wago",
"version": "852-1305"
},
{
"model": "industrial managed switches 1.2.2.s0",
"scope": "ne",
"trust": 0.3,
"vendor": "wago",
"version": "852-303"
},
{
"model": "industrial managed switches 1.1.5.s0",
"scope": "ne",
"trust": 0.3,
"vendor": "wago",
"version": "852-1505"
},
{
"model": "industrial managed switches 1.1.6.s0",
"scope": "ne",
"trust": 0.3,
"vendor": "wago",
"version": "852-1305"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-25723"
},
{
"db": "BID",
"id": "108759"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-005607"
},
{
"db": "NVD",
"id": "CVE-2019-12550"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:wago:852-303_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.2.2.s0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:wago:852-303:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:wago:852-1305_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.1.6.s0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:wago:852-1305:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:wago:852-1505_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.1.5.s0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:wago:852-1505:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2019-12550"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "T. Weber of SEC Consult Vulnerability Lab reported these vulnerabilities to CERT@VDE.,T. Weber of SEC Consult Vulnerability Lab,T. Weber of SEC Consult Vulnerability Lab.",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-586"
}
],
"trust": 0.6
},
"cve": "CVE-2019-12550",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 10.0,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2019-12550",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2019-25723",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2019-12550",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2019-12550",
"trust": 1.8,
"value": "CRITICAL"
},
{
"author": "CNVD",
"id": "CNVD-2019-25723",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201906-586",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULMON",
"id": "CVE-2019-12550",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-25723"
},
{
"db": "VULMON",
"id": "CVE-2019-12550"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-005607"
},
{
"db": "NVD",
"id": "CVE-2019-12550"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-586"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "WAGO 852-303 before FW06, 852-1305 before FW06, and 852-1505 before FW03 devices contain hardcoded users and passwords that can be used to login via SSH and TELNET. WAGO 852-303 , 852-1305 , 852-1505 The device contains a vulnerability related to the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. WAGOIndustrialManagedSwitches852-303 and so on are all industrial management switches of WAGO, Germany. A security management vulnerability exists in versions prior to WAGOIndustrialManagedSwitches852-3031.2.2.S0, prior to 852-13051.1.6.S0, and prior to 852-15051.1.5.S0. Attackers can use the default password or hardcoded password, hardcoded certificate. Wait for the affected component to attack. \nSuccessful attacks can allow a remote attacker to gain unauthorized access to the vulnerable device. SEC Consult Vulnerability Lab Security Advisory \u003c 20190612-0 \u003e\n=======================================================================\n title: Multiple vulnerabilities\n product: WAGO 852 Industrial Managed Switch Series\n vulnerable version: 852-303: \u003cv1.2.2.S0\n 852-1305: \u003cv1.1.6.S0\n 852-1505: \u003cv1.1.5.S0\n fixed version: 852-303: v1.2.2.S0\n 852-1305: v1.1.6.S0\n 852-1505: v1.1.5.S0\n CVE number: CVE-2019-12550, CVE-2019-12549\n impact: high\n homepage: https://www.wago.com\n found: 2019-03-08\n by: T. Weber (Office Vienna)\n IoT Inspector\n SEC Consult Vulnerability Lab\n\n An integrated part of SEC Consult\n Europe | Asia | North America\n\n https://www.sec-consult.com\n\n=======================================================================\n\nVendor description:\n-------------------\n\"New ideas are the driving force behind our success WAGO is a family-owned\ncompany headquartered in Minden, Germany. Independently operating for three\ngenerations, WAGO is the global leader of spring pressure electrical\ninterconnect and automation solutions. For more than 60 years, WAGO has\ndeveloped and produced innovative products for packaging, transportation,\nprocess, industrial and building automation markets amongst others. Aside from\nits innovations in spring pressure connection technology, WAGO has introduced\nnumerous innovations that have revolutionized industry. Further ground-breaking\ninventions include: the WAGO-I/O-SYSTEM\u00ae, TOPJOB S\u00ae and WALL-NUTS\u00ae.\"\n\nSource: http://www.wago.us/wago/\n\n\n\nBusiness recommendation:\n------------------------\nSEC Consult recommends to immediately apply the available patches\nfrom the vendor. A thorough security review should be performed by\nsecurity professionals to identify further potential security issues. \nFurthermore, hardcoded password hashes and credentials were also found by doing\nan automated scan with IoT Inspector. Two vulnerabilities (CVE-2017-16544 and\nCVE-2015-0235) were verified by emulating the device with the MEDUSA scaleable\nfirmware runtime. The validity of the password hashes and the embedded keys were\nalso verified by emulating the device. \n\n\n1) Known BusyBox Vulnerabilities\nThe used BusyBox toolkit in version 1.12.0 is outdated and contains multiple\nknown vulnerabilities. The outdated version was found by IoT Inspector. \nOne of the discovered vulnerabilities (CVE-2017-16544) was verified by using\nthe MEDUSA scaleable firmware runtime. \n\n2) Known GNU glibc Vulnerabilities\nThe used GNU glibc in version 2.8 is outdated and contains multiple known\nvulnerabilities. The outdated version was found by IoT Inspector. One of\nthe discovered vulnerabilities (CVE-2015-0235, \"GHOST\") was verified by\nusing the MEDUSA scaleable firmware runtime. \n\n4) Embedded Private Keys (CVE-2019-12549)\nThe device contains hardcoded private keys for the SSH daemon. The fingerprint\nof the SSH host key from the corresponding SSH daemon matches to the embedded\nprivate key. \n\n\nProof of concept:\n-----------------\n1) Known BusyBox Vulnerabilities\nBusyBox version 1.12.0 contains multiple CVEs like:\nCVE-2013-1813, CVE-2016-2148, CVE-2016-6301, CVE-2011-2716, CVE-2011-5325,\nCVE-2015-9261, CVE-2016-2147 and more. \n\nThe BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on\nan emulated device. A file with the name \"\\ectest\\n\\e]55;test.txt\\a\" was created\nto trigger the vulnerability. \n\n-------------------------------------------------------------------------------\n# ls \"pressing \u003cTAB\u003e\"\ntest\n]55;test.txt\n#\n-------------------------------------------------------------------------------\n\n\n2) Known GNU glibc Vulnerabilities\nGNU glibc version 2.8 contains multiple CVEs like:\nCVE-2010-0296, CVE-2010-3856, CVE-2012-4412, CVE-2014-4043, CVE-2014-9402,\nCVE-2014-9761, CVE-2014-9984, CVE-2015-1472 and more. \n\nThe gethostbyname buffer overflow vulnerability (GHOST) was checked with the help\nof the exploit code from https://seclists.org/oss-sec/2015/q1/274. It was compiled\nand executed on the emulated device to test the system. \n\n\n3) Hardcoded Credentials (CVE-2019-12550)\nThe following credentials were found in the \u0027passwd\u0027 file of the firmware:\n\u003cPassword Hash\u003e \u003cPlaintext\u003e \u003cUser\u003e\n\u003cremoved\u003e \u003cremoved\u003e root\nNo password is set for the account [EMPTY PASSWORD] admin\n\nBy using these credentials, it\u0027s possible to connect via Telnet and SSH on the\nemulated device. Example for Telnet:\n-------------------------------------------------------------------------------\n[root@localhost ~]# telnet 192.168.0.133\nTrying 192.168.0.133... \nConnected to 192.168.0.133. \nEscape character is \u0027^]\u0027. \n\nL2SWITCH login: root\nPassword:\n~ #\n-------------------------------------------------------------------------------\nExample for SSH:\n-------------------------------------------------------------------------------\n[root@localhost ~]# ssh 192.168.0.133\nroot@192.168.0.133\u0027s password:\n~ #\n-------------------------------------------------------------------------------\n\n\n4) Embedded Private Keys (CVE-2019-12549)\nThe following host key fingerprint is shown by accessing the SSH daemon on\nthe emulated device:\n\n[root@localhost ~]# ssh 192.168.0.133\nThe authenticity of host \u0027192.168.0.133 (192.168.0.133)\u0027 can\u0027t be established. \nRSA key fingerprint is SHA256:X5Vr0/x0/j62N/aqZmHz96ojwl8x/I8mfzuT8o6uZso. \nRSA key fingerprint is MD5:2e:65:85:fc:45:04:bd:68:30:74:51:45:7d:2f:95:e2. \n\nThis matches the embedded private key (which has been removed from this advisory):\nSSH Fingerprint: 2e:65:85:fc:45:04:bd:68:30:74:51:45:7d:2f:95:e2\n\n\nVulnerable / tested versions:\n-----------------------------\nAccording to the vendor, the following versions are affected:\n* 852-303: \u003cv1.2.2.S0\n* 852-1305: \u003cv1.1.6.S0\n* 852-1505: \u003cv1.1.5.S0\n\n\nVendor contact timeline:\n------------------------\n2019-03-12: Contacting VDE CERT through info@cert.vde.com, received confirmation\n2019-03-26: Asking for a status update, VDE CERT is still waiting for details\n2019-03-28: VDE CERT requests information from WAGO again\n2019-04-09: Asking for a status update\n2019-04-11: VDE CERT: patched firmware release planned for end of May, requested\n postponement of advisory release\n2019-04-16: VDE CERT: update regarding affected firmware versions\n2019-04-24: Confirming advisory release for beginning of June\n2019-05-20: Asking for a status update\n2019-05-22: VDE CERT: no news from WAGO yet, 5th June release date\n2019-05-29: Asking for a status update\n2019-05-29: VDE CERT: detailed answer from WAGO, patches will be published\n on 7th June, SEC Consult proposes new advisory release date for\n 12th June\n2019-06-07: VDE CERT provides security advisory information from WAGO;\n WAGO releases security patches\n2019-06-12: Coordinated release of security advisory\n\n\nSolution:\n---------\nThe vendor provides patches to their customers at their download page. The\nfollowing versions fix the issues:\n* 852-303: v1.2.2.S0\n* 852-1305: v1.1.6.S0\n* 852-1505: v1.1.5.S0\n\nAccording to the vendor, busybox and glibc have been updated and the embedded\nprivate keys are being newly generated upon first boot and after a factory reset. \n\n\n\nWorkaround:\n-----------\nRestrict network access to the device \u0026 SSH server. \n\n\nAdvisory URL:\n-------------\nhttps://www.sec-consult.com/en/vulnerability-lab/advisories/index.html\n\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSEC Consult Vulnerability Lab\n\nSEC Consult\nEurope | Asia | North America\n\nAbout SEC Consult Vulnerability Lab\nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It\nensures the continued knowledge gain of SEC Consult in the field of network\nand application security to stay ahead of the attacker. The SEC Consult\nVulnerability Lab supports high-quality penetration testing and the evaluation\nof new offensive and defensive technologies for our customers. Hence our\ncustomers obtain the most current information about vulnerabilities and valid\nrecommendation about the risk profile of new technologies. \n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nInterested to work with the experts of SEC Consult?\nSend us your application https://www.sec-consult.com/en/career/index.html\n\nInterested in improving your cyber security with the experts of SEC Consult?\nContact our local offices https://www.sec-consult.com/en/contact/index.html\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nMail: research at sec-consult dot com\nWeb: https://www.sec-consult.com\nBlog: http://blog.sec-consult.com\nTwitter: https://twitter.com/sec_consult\n\nEOF T. Weber / @2019\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-12550"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-005607"
},
{
"db": "CNVD",
"id": "CNVD-2019-25723"
},
{
"db": "BID",
"id": "108759"
},
{
"db": "VULMON",
"id": "CVE-2019-12550"
},
{
"db": "PACKETSTORM",
"id": "153278"
}
],
"trust": 2.61
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2019-12550",
"trust": 3.5
},
{
"db": "ICS CERT",
"id": "ICSA-19-164-02",
"trust": 3.4
},
{
"db": "CERT@VDE",
"id": "VDE-2019-013",
"trust": 2.3
},
{
"db": "BID",
"id": "108759",
"trust": 1.0
},
{
"db": "JVNDB",
"id": "JVNDB-2019-005607",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2019-25723",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2019.2117",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201906-586",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2019-12550",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "153278",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-25723"
},
{
"db": "VULMON",
"id": "CVE-2019-12550"
},
{
"db": "BID",
"id": "108759"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-005607"
},
{
"db": "PACKETSTORM",
"id": "153278"
},
{
"db": "NVD",
"id": "CVE-2019-12550"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-586"
}
]
},
"id": "VAR-201906-0626",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-25723"
}
],
"trust": 1.475
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS",
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-25723"
}
]
},
"last_update_date": "2023-12-18T10:49:04.926000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://www.wago.com/us/"
},
{
"title": "WAGOIndustrialManagedSwitches852-303, 852-1305, and 852-1505 Trust Patches for Management Issue Vulnerabilities",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/172991"
},
{
"title": "WAGO Industrial Managed Switches 852-303 , 852-1305 and 852-1505 Repair measures for trust management problem vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=93807"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-25723"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-005607"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-586"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-798",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-005607"
},
{
"db": "NVD",
"id": "CVE-2019-12550"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.5,
"url": "https://ics-cert.us-cert.gov/advisories/icsa-19-164-02"
},
{
"trust": 2.3,
"url": "https://cert.vde.com/en-us/advisories/vde-2019-013"
},
{
"trust": 1.7,
"url": "https://www.wago.com/us/"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-12550"
},
{
"trust": 0.9,
"url": "http://www.wago.com/"
},
{
"trust": 0.9,
"url": "https://www.wago.com/global/download/public/sa-sys-2019-002.pdf/sa-sys-2019-002.pdf"
},
{
"trust": 0.9,
"url": "https://www.wago.com/global/download/public/sa-sys-2019-003.pdf/sa-sys-2019-003.pdf"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-12550"
},
{
"trust": 0.7,
"url": "https://www.securityfocus.com/bid/108759"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.2117/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/798.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2010-0296"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-6301"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-1472"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0235"
},
{
"trust": 0.1,
"url": "http://www.wago.us/wago/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2011-2716"
},
{
"trust": 0.1,
"url": "https://www.sec-consult.com/en/career/index.html"
},
{
"trust": 0.1,
"url": "https://seclists.org/oss-sec/2015/q1/274."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2012-4412"
},
{
"trust": 0.1,
"url": "https://www.sec-consult.com"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-9402"
},
{
"trust": 0.1,
"url": "https://www.wago.com"
},
{
"trust": 0.1,
"url": "https://twitter.com/sec_consult"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2011-5325"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-9261"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-2147"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2010-3856"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-9984"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-9761"
},
{
"trust": 0.1,
"url": "http://blog.sec-consult.com"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-4043"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-1813"
},
{
"trust": 0.1,
"url": "https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-2148"
},
{
"trust": 0.1,
"url": "https://www.sec-consult.com/en/contact/index.html"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-25723"
},
{
"db": "VULMON",
"id": "CVE-2019-12550"
},
{
"db": "BID",
"id": "108759"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-005607"
},
{
"db": "PACKETSTORM",
"id": "153278"
},
{
"db": "NVD",
"id": "CVE-2019-12550"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-586"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2019-25723"
},
{
"db": "VULMON",
"id": "CVE-2019-12550"
},
{
"db": "BID",
"id": "108759"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-005607"
},
{
"db": "PACKETSTORM",
"id": "153278"
},
{
"db": "NVD",
"id": "CVE-2019-12550"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-586"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-08-03T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-25723"
},
{
"date": "2019-06-17T00:00:00",
"db": "VULMON",
"id": "CVE-2019-12550"
},
{
"date": "2019-06-13T00:00:00",
"db": "BID",
"id": "108759"
},
{
"date": "2019-06-24T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-005607"
},
{
"date": "2019-06-13T19:33:38",
"db": "PACKETSTORM",
"id": "153278"
},
{
"date": "2019-06-17T17:15:11.117000",
"db": "NVD",
"id": "CVE-2019-12550"
},
{
"date": "2019-06-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-586"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-08-03T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-25723"
},
{
"date": "2019-06-19T00:00:00",
"db": "VULMON",
"id": "CVE-2019-12550"
},
{
"date": "2019-06-13T00:00:00",
"db": "BID",
"id": "108759"
},
{
"date": "2019-06-24T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-005607"
},
{
"date": "2019-06-19T17:11:41.797000",
"db": "NVD",
"id": "CVE-2019-12550"
},
{
"date": "2019-06-20T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-586"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-586"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "plural WAGO Vulnerabilities related to the use of hard-coded credentials on product devices",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-005607"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "trust management problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-586"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.