VDE-2020-015
Vulnerability from csaf_wagogmbhcokg - Published: 2020-06-10 08:00 - Updated: 2020-06-10 08:00
Summary
WAGO: Web Based Management - Code Execution Vulnerability
Notes
Summary: The Web-Based Management (WBM) of WAGO's programmable logic controller (PLC) is typically used for administration, commissioning and updates.
An attacker needs an authorized login with administrative privileges on the device in order to exploit the vulnerability described here.
An authenticated attacker who has access to the Web-Based Management (WBM) could use the software upload functionality to install software packages with root privileges. This could potentially be used to manipulate the device or to gain control of it.
Impact: Based on the described issue, an authenticated attacker is able to install software packages with extended rights. This is an intended functionality to provide the user with a convenient way to install software on the device.
Remediation: In previous versions of the WAGO product manuals, a distinction between the WBM and the Linux system was made. This information was misleading and WAGO has corrected this in current versions of the manuals, which are expected to be updated in June 2020.
Valid from FW version 03.04.10(16) / chapter 5.1.2.1.2
Mitigation:
- Use strong passwords for administrative accounts on the device.
- Follow the instructions in WAGO's handbook Cyber Security for Controller.
- Restrict network access to the device.
- Do not directly connect the device to the internet.
An exploitable code execution vulnerability exists in the Web-Based Management (WBM) functionality of WAGO PFC 200 03.03.10(15). A specially crafted series of HTTP requests can cause code execution resulting in remote code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVSS v3.0 base score: 9.1 (Critical)
Vendor Fix
In previous versions of the WAGO product manuals, a distinction between the WBM and the Linux system was made. This information was misleading and WAGO has corrected this in current versions of the manuals, which are expected to be updated in June 2020.
Valid from FW version 03.04.10(16) / chapter 5.1.2.1.2
Mitigation
- Use strong passwords for administrative accounts on the device.
- Follow the instructions in WAGO's handbook Cyber Security for Controller.
- Restrict network access to the device.
- Do not directly connect the device to the internet.
Acknowledgments
- CERT@VDE (coordination)
- Kelly Leuschner, Cisco Talos (reported)
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination"
},
{
"names": [
"Kelly Leuschner"
],
"organization": "Cisco Talos",
"summary": "reported"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "The Web-Based Management (WBM) of WAGOs programmable logic controller (PLC) is typically used for administration, commissioning and updates. \n\nAn attacker needs an authorized login with administrative privileges on the device in order to exploit the herein mentioned vulnerability.\n\n An authenticated attacker who has access to the Web Based Management (WBM) could use the software upload functionality to install software package with root privileges. This fact could be potentially used to manipulate the device or to get control of the device.",
"title": "Summary"
},
{
"category": "description",
"text": "Based on the described issue, an authenticated attacker is able to install software packages with extended rights. This is an intended functionality to provide the user with a convenient way to install software on the device.",
"title": "Impact"
},
{
"category": "description",
"text": "In previous versions of the WAGO product manuals, a distinction between the WBM and the Linux system was made. This information was misleading and WAGO has corrected this in current versions of the manuals, which are expected to be update in June 2020.\n\n Valid from FW version 03.04.10(16) / chapter 5.1.2.1.2",
"title": "Remediation"
},
{
"category": "description",
"text": "Use strong passwords for administrative accounts on the device\nFollow the instructions in WAGOs handbook Cyber Security for Controller\nRestrict network access to the device.\nDo not directly connect the device to the internet",
"title": "Mitigation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@wago.com",
"name": "WAGO GmbH \u0026 Co. KG",
"namespace": "https://www.wago.com/psirt"
},
"references": [
{
"category": "external",
"summary": "CERT@VDE Security Advisories for WAGO",
"url": "https://certvde.com/en/advisories/vendor/wago/"
},
{
"category": "self",
"summary": "VDE-2020-015: WAGO: Web Based Management - Code Execution Vulnerability - HTML",
"url": "https://certvde.com/de/advisories/VDE-2020-015/"
},
{
"category": "self",
"summary": "VDE-2020-015: WAGO: Web Based Management - Code Execution Vulnerability - CSAF",
"url": "https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2020/vde-2020-015.json"
}
],
"title": "WAGO: Web Based Management - Code Execution Vulnerability",
"tracking": {
"aliases": [
"VDE-2020-015"
],
"current_release_date": "2020-06-10T08:00:00.000Z",
"generator": {
"date": "2025-01-15T13:54:25.657Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.16"
}
},
"id": "VDE-2020-015",
"initial_release_date": "2020-06-10T08:00:00.000Z",
"revision_history": [
{
"date": "2020-06-10T08:00:00.000Z",
"number": "1",
"summary": "Initial revision."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "PFC100",
"product": {
"name": "PFC100",
"product_id": "CSAFPID-11001",
"product_identification_helper": {
"model_numbers": [
"750-81xx/xxx-xxx"
]
}
}
},
{
"category": "product_name",
"name": "PFC200",
"product": {
"name": "PFC200",
"product_id": "CSAFPID-11002",
"product_identification_helper": {
"model_numbers": [
"750-82xx/xxx-xxx"
]
}
}
},
{
"category": "product_name",
"name": "762-4xxx",
"product": {
"name": "762-4xxx",
"product_id": "CSAFPID-11003",
"product_identification_helper": {
"model_numbers": [
"762-4xxx"
]
}
}
},
{
"category": "product_name",
"name": "762-5xxx",
"product": {
"name": "762-5xxx",
"product_id": "CSAFPID-11004",
"product_identification_helper": {
"model_numbers": [
"762-5xxx"
]
}
}
},
{
"category": "product_name",
"name": "762-6xxx",
"product": {
"name": "762-6xxx",
"product_id": "CSAFPID-11005",
"product_identification_helper": {
"model_numbers": [
"762-6xxx"
]
}
}
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"category": "product_name",
"name": "03.04.10(FW16)",
"product": {
"name": "Firmware 03.04.10(FW16)",
"product_id": "CSAFPID-22001"
}
},
{
"category": "product_version_range",
"name": "\u003c03.04.10(FW16)",
"product": {
"name": "Firmware \u003c03.04.10(FW16)",
"product_id": "CSAFPID-21001"
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "WAGO"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
],
"summary": "Affected products."
},
{
"group_id": "CSAFGID-0002",
"product_ids": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005"
],
"summary": "Fixed products."
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c03.04.10(FW16) installed on PFC100",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c03.04.10(FW16) installed on PFC200",
"product_id": "CSAFPID-31002"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c03.04.10(FW16) installed on 762-4xxx",
"product_id": "CSAFPID-31003"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c03.04.10(FW16) installed on 762-5xxx",
"product_id": "CSAFPID-31004"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11004"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c03.04.10(FW16) installed on 762-6xxx",
"product_id": "CSAFPID-31005"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11005"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 03.04.10(FW16) installed on PFC100",
"product_id": "CSAFPID-32001"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 03.04.10(FW16) installed on PFC200",
"product_id": "CSAFPID-32002"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 03.04.10(FW16) installed on 762-4xxx",
"product_id": "CSAFPID-32003"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 03.04.10(FW16) installed on 762-5xxx",
"product_id": "CSAFPID-32004"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11004"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 03.04.10(FW16) installed on 762-6xxx",
"product_id": "CSAFPID-32005"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11005"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-6090",
"cwe": {
"id": "CWE-269",
"name": "Improper Privilege Management"
},
"notes": [
{
"category": "description",
"text": "An exploitable code execution vulnerability exists in the Web-Based Management (WBM) functionality of WAGO PFC 200 03.03.10(15). A specially crafted series of HTTP requests can cause code execution resulting in remote code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "In previous versions of the WAGO product manuals, a distinction between the WBM and the Linux system was made. This information was misleading and WAGO has corrected this in current versions of the manuals, which are expected to be update in June 2020.\n\n Valid from FW version 03.04.10(16) / chapter 5.1.2.1.2",
"group_ids": [
"CSAFGID-0001"
],
"product_ids": [
"CSAFPID-11001",
"CSAFPID-11002",
"CSAFPID-11003"
]
},
{
"category": "mitigation",
"details": "Use strong passwords for administrative accounts on the device\nFollow the instructions in WAGOs handbook Cyber Security for Controller\nRestrict network access to the device.\nDo not directly connect the device to the internet",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.1,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"temporalScore": 9.1,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-11001",
"CSAFPID-11002",
"CSAFPID-11003"
]
}
],
"title": "CVE-2020-6090"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.