VDE-2020-006

Vulnerability from csaf_wagogmbhcokg - Published: 2020-03-09 11:00 - Updated: 2025-05-14 12:28
Summary
WAGO: Web-Based Management Authentication Vulnerabilities
Notes
Summary: With specially crafted requests it is possible to obtain sensitive information, in this case the password hashes, by measuring the response delay. Given a substantial amount of time, this data can be used to calculate the passwords of the Web-Based Management (WBM) users. In the case of CVE-2019-5134, the password salt can also be extracted.
Impact: These vulnerabilities allow an experienced attacker who has access to the WBM to reconstruct the password hashes of the WBM users by sending specifically constructed requests.
Remediation:
  • Use strong passwords for all user accounts, especially for administrative user accounts on the device.
  • Follow the instructions in WAGO's handbook "Cyber Security for Controller".
  • Restrict network access to the device.
  • Do not directly connect the device to the internet.
  • Disable unused TCP/UDP ports.
Solution: Update the devices to standard firmware 15.
CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
CWE-203 - Observable Discrepancy
Acknowledgments
CERT@VDE
innogy SE: Daniel Szameitat, Jan Hoff
Cisco Talos: Daniel Patrick DeSantis, Lilith [-_-]

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination"
      },
      {
        "names": [
          "Daniel Szameitat",
          "Jan Hoff"
        ],
        "organization": "innogy SE",
        "summary": "reported"
      },
      {
        "names": [
          "Daniel Patrick DeSantis",
          "Lilith [-_-]"
        ],
        "organization": "Cisco Talos",
        "summary": "reported"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "With special crafted requests it is possible to get sensitive information, in this case the password hashes, by measuring response delay. With a substantial amount of time this data can be used to calculate the passwords of the Web-Based Management users. In case of CVE 2019-5134, the password salt can also be extracted.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "These vulnerabilities allow an experienced attacker who has access to the WBM to reconstruct the passwords hashes of the WBM users by sending specifically constructed requests.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Use strong passwords for all user accounts, especially for administrative user accounts on the device.\nFollow the instructions in WAGOs handbook Cyber Security for Controller\nRestrict network access to the device.\nDo not directly connect the device to the internet\nDisable unused TCP/UDP-ports\nSolution\n\nUpdate the devices to standard firmware 15.",
        "title": "Remediation "
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@wago.com",
      "name": "WAGO GmbH \u0026 Co. KG",
      "namespace": "https://www.wago.com/psirt"
    },
    "references": [
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for \tWAGO",
        "url": "https://certvde.com/en/advisories/vendor/wago/"
      },
      {
        "category": "self",
        "summary": "VDE-2020-006: WAGO: Web-Based Management Authentication Vulnerabilities - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2020-006/"
      },
      {
        "category": "self",
        "summary": "VDE-2020-006: WAGO: Web-Based Management Authentication Vulnerabilities - CSAF",
        "url": "https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2020/vde-2020-006.json"
      }
    ],
    "title": "WAGO: Web-Based Management Authentication Vulnerabilities",
    "tracking": {
      "aliases": [
        "VDE-2020-006"
      ],
      "current_release_date": "2025-05-14T12:28:19.000Z",
      "generator": {
        "date": "2024-09-26T09:13:21.189Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.11"
        }
      },
      "id": "VDE-2020-006",
      "initial_release_date": "2020-03-09T11:00:00.000Z",
      "revision_history": [
        {
          "date": "2020-03-09T09:05:00.000Z",
          "number": "1",
          "summary": "Initial revision."
        },
        {
          "date": "2024-11-06T11:27:01.000Z",
          "number": "2",
          "summary": "Fix: correct certvde domain, added self-reference"
        },
        {
          "date": "2025-05-14T12:28:19.000Z",
          "number": "3",
          "summary": "Fix: firmware category, version space, added distribution"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "PFC100",
                "product": {
                  "name": "Hardware PFC100",
                  "product_id": "CSAFPID-11003",
                  "product_identification_helper": {
                    "model_numbers": [
                      "750-81xx/xxx-xxx"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "PFC200",
                "product": {
                  "name": "Hardware PFC200",
                  "product_id": "CSAFPID-11002",
                  "product_identification_helper": {
                    "model_numbers": [
                      "750-82xx/xxx-xxx"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Touch Panel 600",
                "product": {
                  "name": "Hardware Touch Panel 600",
                  "product_id": "CSAFPID-11004",
                  "product_identification_helper": {
                    "model_numbers": [
                      "762-4xxx",
                      "762-5xxx",
                      "762-6xxx"
                    ]
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "FW05\u003c=FW14",
                "product": {
                  "name": "Software FW05\u003c=FW14",
                  "product_id": "CSAFPID-21001"
                }
              },
              {
                "category": "product_version",
                "name": "FW15",
                "product": {
                  "name": "Software FW15",
                  "product_id": "CSAFPID-22005"
                }
              }
            ],
            "category": "product_family",
            "name": "Software"
          }
        ],
        "category": "vendor",
        "name": "WAGO"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-31006",
          "CSAFPID-31007",
          "CSAFPID-31008"
        ],
        "summary": "Affected products."
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-32009",
          "CSAFPID-32010",
          "CSAFPID-32011"
        ],
        "summary": "Fixed products."
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Software FW05\u003c=FW14 installed on Hardware PFC200",
          "product_id": "CSAFPID-31006"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Software FW05\u003c=FW14 installed on Hardware PFC100",
          "product_id": "CSAFPID-31007"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Software FW05\u003c=FW14 installed on Hardware Touch Panel 600",
          "product_id": "CSAFPID-31008"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11004"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Software FW15 installed on Hardware PFC200",
          "product_id": "CSAFPID-32009"
        },
        "product_reference": "CSAFPID-22005",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Software FW15 installed on Hardware PFC100",
          "product_id": "CSAFPID-32010"
        },
        "product_reference": "CSAFPID-22005",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Software FW15 installed on Hardware Touch Panel 600",
          "product_id": "CSAFPID-32011"
        },
        "product_reference": "CSAFPID-22005",
        "relates_to_product_reference": "CSAFPID-11004"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-5134",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An exploitable regular expression without anchors vulnerability exists in the Web-Based Management (WBM) authentication functionality of WAGO PFC200 versions 03.00.39(12) and 03.01.07(13), and WAGO PFC100 version 03.00.39(12). A specially crafted authentication request can bypass regular expression filters, resulting in sensitive information disclosure.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32009",
          "CSAFPID-32010",
          "CSAFPID-32011"
        ],
        "known_affected": [
          "CSAFPID-31006",
          "CSAFPID-31007",
          "CSAFPID-31008"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-03-09T09:05:00.000Z",
          "details": "Use strong passwords for all user accounts, especially for administrative user accounts on the device.\nFollow the instructions in WAGOs handbook Cyber Security for Controller\nRestrict network access to the device.\nDo not directly connect the device to the internet\nDisable unused TCP/UDP-ports\nSolution\n\nUpdate the devices to standard firmware 15.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 7.5,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.5,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31006",
            "CSAFPID-31007",
            "CSAFPID-31008"
          ]
        }
      ],
      "title": "CVE-2019-5134"
    },
    {
      "cve": "CVE-2019-5135",
      "cwe": {
        "id": "CWE-203",
        "name": "Observable Discrepancy"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An exploitable timing discrepancy vulnerability exists in the authentication functionality of the Web-Based Management (WBM) web application on WAGO PFC100/200 controllers. The WBM application makes use of the PHP crypt() function which can be exploited to disclose hashed user credentials. This affects WAGO PFC200 Firmware version 03.00.39(12) and version 03.01.07(13), and WAGO PFC100 Firmware version 03.00.39(12).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32009",
          "CSAFPID-32010",
          "CSAFPID-32011"
        ],
        "known_affected": [
          "CSAFPID-31006",
          "CSAFPID-31007",
          "CSAFPID-31008"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Use strong passwords for all user accounts, especially for administrative user accounts on the device.\nFollow the instructions in WAGOs handbook Cyber Security for Controller\nRestrict network access to the device.\nDo not directly connect the device to the internet\nDisable unused TCP/UDP-ports\nSolution\n\nUpdate the devices to standard firmware 15.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 5.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31006",
            "CSAFPID-31007",
            "CSAFPID-31008"
          ]
        }
      ],
      "title": "CVE-2019-5135"
    }
  ]
}

