VDE-2020-008

Vulnerability from csaf_wagogmbhcokg - Published: 2020-03-09 09:15 - Updated: 2025-05-14 12:53
Summary
WAGO: Cloud Connectivity Multiple Vulnerabilities
Notes
Summary: The Cloud Connectivity of the WAGO PLCs is used to connect the device with the cloud services from different providers. It also supports maintenance functionality with the firmware update function from the WAGO cloud. An attacker needs an authorized login with administrative privileges on the device in order to exploit the mentioned vulnerabilities.
Impact: These vulnerabilities allow an attacker who has admin privileges, an Azure cloud account and access to the device to redirect the cloud connection. The attacker is thereby able to obtain sensitive data.
Mitigation: Follow the instructions in WAGO's handbook "Cyber Security for Controller". Restrict network access to the device. Do not directly connect the device to the internet.
Remediation: Use strong passwords for all user accounts, especially for administrative user accounts on the device.

An exploitable improper host validation vulnerability exists in the Cloud Connectivity functionality of WAGO PFC200 Firmware versions 03.02.02(14), 03.01.07(13), and 03.00.39(12). A specially crafted HTTPS POST request can cause the software to connect to an unauthorized host, resulting in unauthorized access to firmware update functionality. An attacker can send an authenticated HTTPS POST request to direct the Cloud Connectivity software to connect to an attacker controlled Azure IoT Hub node.

CWE-20 - Improper Input Validation
Mitigation: Follow the instructions in WAGO's handbook "Cyber Security for Controller". Restrict network access to the device. Do not directly connect the device to the internet.
Vendor Fix: Use strong passwords for all user accounts, especially for administrative user accounts on the device.

An exploitable command injection vulnerability exists in the cloud connectivity functionality of WAGO PFC200 versions 03.02.02(14), 03.01.07(13), and 03.00.39(12). An attacker can inject operating system commands into the TimeoutPrepared parameter value contained in the firmware update command.

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Mitigation: Follow the instructions in WAGO's handbook "Cyber Security for Controller". Restrict network access to the device. Do not directly connect the device to the internet.
Vendor Fix: Use strong passwords for all user accounts, especially for administrative user accounts on the device.

An exploitable command injection vulnerability exists in the Cloud Connectivity functionality of WAGO PFC200 Firmware versions 03.02.02(14), 03.01.07(13), and 03.00.39(12). An attacker can inject OS commands into the TimeoutUnconfirmed parameter value contained in the Firmware Update command.

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Mitigation: Follow the instructions in WAGO's handbook "Cyber Security for Controller". Restrict network access to the device. Do not directly connect the device to the internet.
Vendor Fix: Use strong passwords for all user accounts, especially for administrative user accounts on the device.

An exploitable command injection vulnerability exists in the cloud connectivity feature of WAGO PFC200. An attacker can inject operating system commands into any of the parameter values contained in the firmware update command. This affects WAGO PFC200 Firmware version 03.02.02(14), version 03.01.07(13), and version 03.00.39(12).

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Mitigation: Follow the instructions in WAGO's handbook "Cyber Security for Controller". Restrict network access to the device. Do not directly connect the device to the internet.
Vendor Fix: Use strong passwords for all user accounts, especially for administrative user accounts on the device.
Acknowledgments
CERT@VDE
Cisco Talos Kelly Leuschner

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination"
      },
      {
        "names": [
          "Kelly Leuschner"
        ],
        "organization": "Cisco Talos",
        "summary": "discovered"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "The Cloud Connectivity of the WAGO PLCs is used to connect the device with the cloud services from different providers. It also supports maintenance functionality with the firmware update function from the WAGO cloud.\nAn attacker needs an authorized login with administrative privileges on the device in order to exploit the mentioned vulnerabilities.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "These vulnerabilities allow an attacker which has admin privileges, an Azure cloud account and access to the device to redirect the cloud connection. With thus he is able to get sensitive data.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Follow the instructions in WAGOs handbook Cyber Security for Controller \n Restrict network access to the device. \n Do not directly connect the device to the internet",
        "title": "Mitigation"
      },
      {
        "category": "description",
        "text": "Use strong passwords for all user accounts, especially for administrative user accounts on the device.",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@wago.com",
      "name": "WAGO GmbH \u0026 Co. KG",
      "namespace": "https://www.wago.com/psirt"
    },
    "references": [
      {
        "category": "external",
        "summary": "WAGO GmbH \u0026 Co. KG",
        "url": "https://www.wago.com/psirt"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories",
        "url": "https://certvde.com/en/advisories/vendor/wago/"
      },
      {
        "category": "self",
        "summary": "VDE-2020-008: WAGO: Cloud Connectivity Multiple Vulnerabilities - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2020-008/"
      },
      {
        "category": "self",
        "summary": "VDE-2020-008: WAGO: Cloud Connectivity Multiple Vulnerabilities - CSAF",
        "url": "https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2020/vde-2020-008.json"
      }
    ],
    "title": "WAGO: Cloud Connectivity Multiple Vulnerabilities",
    "tracking": {
      "aliases": [
        "VDE-2020-008"
      ],
      "current_release_date": "2025-05-14T12:53:43.000Z",
      "generator": {
        "date": "2025-01-27T08:50:37.901Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.16"
        }
      },
      "id": "VDE-2020-008",
      "initial_release_date": "2020-03-09T09:15:00.000Z",
      "revision_history": [
        {
          "date": "2020-03-09T09:15:00.000Z",
          "number": "1",
          "summary": "initial revision"
        },
        {
          "date": "2025-05-14T12:53:43.000Z",
          "number": "2",
          "summary": "Fix: version space, added distribution"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "750-81xx/xxx-xxx (PFC100)",
                "product": {
                  "name": "750-81xx/xxx-xxx (PFC100)",
                  "product_id": "CSAFPID-11001",
                  "product_identification_helper": {
                    "model_numbers": [
                      "750-81xx/xxx-xxx"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "750-82xx/xxx-xxx (PFC200)",
                "product": {
                  "name": "750-82xx/xxx-xxx (PFC200)",
                  "product_id": "CSAFPID-11002",
                  "product_identification_helper": {
                    "model_numbers": [
                      "750-82xx/xxx-xxx"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "762-4xxx",
                "product": {
                  "name": "762-4xxx",
                  "product_id": "CSAFPID-11003",
                  "product_identification_helper": {
                    "model_numbers": [
                      "762-4xxx"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "762-5xxx",
                "product": {
                  "name": "762-5xxx",
                  "product_id": "CSAFPID-11004",
                  "product_identification_helper": {
                    "model_numbers": [
                      "762-5xxx"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "762-6xxx",
                "product": {
                  "name": "762-6xxx",
                  "product_id": "CSAFPID-11005",
                  "product_identification_helper": {
                    "model_numbers": [
                      "762-6xxx"
                    ]
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003e=FW11",
                "product": {
                  "name": "Firmware \u003e=FW11",
                  "product_id": "CSAFPID-21001"
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "WAGO GmbH \u0026 Co. KG"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005"
        ],
        "summary": "Affected Products"
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003e=FW11 installed on 750-81xx/xxx-xxx (PFC100)",
          "product_id": "CSAFPID-31001"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003e=FW11 installed on 750-82xx/xxx-xxx (PFC200)",
          "product_id": "CSAFPID-31002"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003e=FW11 installed on 762-4xxx",
          "product_id": "CSAFPID-31003"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003e=FW11 installed on 762-5xxx",
          "product_id": "CSAFPID-31004"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11004"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003e=FW11 installed on 762-6xxx",
          "product_id": "CSAFPID-31005"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11005"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-5160",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "description",
          "text": "An exploitable improper host validation vulnerability exists in the Cloud Connectivity functionality of WAGO PFC200 Firmware versions 03.02.02(14), 03.01.07(13), and 03.00.39(12). A specially crafted HTTPS POST request can cause the software to connect to an unauthorized host, resulting in unauthorized access to firmware update functionality. An attacker can send an authenticated HTTPS POST request to direct the Cloud Connectivity software to connect to an attacker controlled Azure IoT Hub node.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Follow the instructions in WAGOs handbook Cyber Security for Controller \n Restrict network access to the device. \n Do not directly connect the device to the internet",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Use strong passwords for all user accounts, especially for administrative user accounts on the device.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 9.1,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "temporalScore": 9.1,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005"
          ]
        }
      ],
      "title": "CVE-2019-5160"
    },
    {
      "cve": "CVE-2019-5156",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
      },
      "notes": [
        {
          "category": "description",
          "text": "An exploitable command injection vulnerability exists in the cloud connectivity functionality of WAGO PFC200 versions 03.02.02(14), 03.01.07(13), and 03.00.39(12). An attacker can inject operating system commands into the TimeoutPrepared parameter value contained in the firmware update command.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Follow the instructions in WAGOs handbook Cyber Security for Controller \n Restrict network access to the device. \n Do not directly connect the device to the internet",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Use strong passwords for all user accounts, especially for administrative user accounts on the device.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 7.2,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "temporalScore": 7.2,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005"
          ]
        }
      ],
      "title": "CVE-2019-5156"
    },
    {
      "cve": "CVE-2019-5157",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
      },
      "notes": [
        {
          "category": "description",
          "text": "An exploitable command injection vulnerability exists in the Cloud Connectivity functionality of WAGO PFC200 Firmware versions 03.02.02(14), 03.01.07(13), and 03.00.39(12). An attacker can inject OS commands into the TimeoutUnconfirmed parameter value contained in the Firmware Update command.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Follow the instructions in WAGOs handbook Cyber Security for Controller \n Restrict network access to the device. \n Do not directly connect the device to the internet",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Use strong passwords for all user accounts, especially for administrative user accounts on the device.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 7.2,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "temporalScore": 7.2,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005"
          ]
        }
      ],
      "title": "CVE-2019-5157"
    },
    {
      "cve": "CVE-2019-5155",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
      },
      "notes": [
        {
          "category": "description",
          "text": "An exploitable command injection vulnerability exists in the cloud connectivity feature of WAGO PFC200. An attacker can inject operating system commands into any of the parameter values contained in the firmware update command. This affects WAGO PFC200 Firmware version 03.02.02(14), version 03.01.07(13), and version 03.00.39(12)",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Follow the instructions in WAGOs handbook Cyber Security for Controller \n Restrict network access to the device. \n Do not directly connect the device to the internet",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Use strong passwords for all user accounts, especially for administrative user accounts on the device.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 7.2,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "temporalScore": 7.2,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005"
          ]
        }
      ],
      "title": "CVE-2019-5155"
    }
  ]
}

