VDE-2020-020

Vulnerability from csaf_wagogmbhcokg - Published: 2020-06-10 10:00 - Updated: 2025-05-14 12:28
Summary
WAGO: PPPD in PFC100 and PFC200 Series is vulnerable to CVE-2020-8597
Notes
Summary: WAGO PLCs uses Linux as operating system and offers the ambitious user the opportunity to make their own modifications to expand the functionality of the PLC. For this reason the pppd daemon is also part of the operating system but it is not activated in the default configuration of the WAGO firmware. The reported vulnerability is only exploitable if the customer has activated the pppd daemon in his individual configuration manually. If the pppd daemon is used by the application from the customer, an unauthenticated remote attacker could cause a memory corruption in the pppd process, which may allow for arbitrary code execution, by sending an unsolicited EAP packet.
Impact: By sending an unsolicited EAP packet to a vulnerable ppp client or server, an unauthenticated remote attacker could cause memory corruption in the pppd process, which may allow for arbitrary code execution. IOActive Security Advisory external link
Remediation: If pppd daemon is activated, update the device to firmware 16.
CVE-2020-8597

eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.

9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Vendor Fix If pppd daemon is activated, update the device to firmware 16.
References
Acknowledgments
CERT@VDE
BSI
To clipboard 

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination"
      },
      {
        "organization": "BSI",
        "summary": "reported"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "WAGO PLCs uses Linux as operating system and offers the ambitious user the opportunity to make their own modifications to expand the functionality of the PLC. For this reason the pppd daemon is also part of the operating system but it is not activated in the default configuration of the WAGO firmware.\n\nThe reported vulnerability is only exploitable if the customer has activated the pppd daemon in his individual configuration manually. If the pppd daemon is used by the application from the customer, an unauthenticated remote attacker could cause a memory corruption in the pppd process, which may allow for arbitrary code execution, by sending an unsolicited EAP packet.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "By sending an unsolicited EAP packet to a vulnerable ppp client or server, an unauthenticated remote attacker could cause memory corruption in the pppd process, which may allow for arbitrary code execution. IOActive Security Advisory external link ",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "If pppd daemon is activated, update the device to firmware 16.",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@wago.com",
      "name": "WAGO GmbH \u0026 Co. KG",
      "namespace": "https://www.wago.com/psirt"
    },
    "references": [
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for WAGO",
        "url": "https://certvde.com/en/advisories/vendor/wago/"
      },
      {
        "category": "self",
        "summary": "VDE-2020-020: WAGO: PPPD in PFC100 and PFC200 Series is vulnerable to CVE-2020-8597 - HTML",
        "url": "https://certvde.com/de/advisories/VDE-2020-020/"
      },
      {
        "category": "self",
        "summary": "VDE-2020-020: WAGO: PPPD in PFC100 and PFC200 Series is vulnerable to CVE-2020-8597 - CSAF",
        "url": "https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2020/vde-2020-020.json"
      }
    ],
    "title": "WAGO: PPPD in PFC100 and PFC200 Series is vulnerable to CVE-2020-8597",
    "tracking": {
      "aliases": [
        "VDE-2020-020"
      ],
      "current_release_date": "2025-05-14T12:28:19.000Z",
      "generator": {
        "date": "2024-09-25T15:24:11.542Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.12"
        }
      },
      "id": "VDE-2020-020",
      "initial_release_date": "2020-06-10T10:00:00.000Z",
      "revision_history": [
        {
          "date": "2020-06-10T10:00:00.000Z",
          "number": "1",
          "summary": "Initial revision."
        },
        {
          "date": "2024-11-06T11:27:01.000Z",
          "number": "2",
          "summary": "Fix: correct certvde domain, added alias, added self-reference"
        },
        {
          "date": "2025-05-14T12:28:19.000Z",
          "number": "3",
          "summary": "Fix: firmware category, version space, added distribution"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cFW16",
                "product": {
                  "name": "WAGO Software \u003cFW16",
                  "product_id": "CSAFPID-21003"
                }
              },
              {
                "category": "product_version",
                "name": "FW16",
                "product": {
                  "name": "WAGO Software FW16",
                  "product_id": "CSAFPID-22004"
                }
              }
            ],
            "category": "product_family",
            "name": "Software"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "PFC100",
                "product": {
                  "name": "WAGO Hardware PFC100",
                  "product_id": "CSAFPID-11001",
                  "product_identification_helper": {
                    "model_numbers": [
                      "750-81xx/xxx-xxx"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "PFC200",
                "product": {
                  "name": "WAGO Hardware PFC200",
                  "product_id": "CSAFPID-11002",
                  "product_identification_helper": {
                    "model_numbers": [
                      "750-82xx/xxx-xxx"
                    ]
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          }
        ],
        "category": "vendor",
        "name": "WAGO"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-31001",
          "CSAFPID-31002"
        ],
        "summary": "Affected products."
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-32001",
          "CSAFPID-32002"
        ],
        "summary": "Fixed products."
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Software \u003cFW16 installed on Hardware PFC100",
          "product_id": "CSAFPID-31001"
        },
        "product_reference": "CSAFPID-21003",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Software \u003cFW16 installed on Hardware PFC200",
          "product_id": "CSAFPID-31002"
        },
        "product_reference": "CSAFPID-21003",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Software FW16 installed on WAGO Hardware PFC100",
          "product_id": "CSAFPID-32001"
        },
        "product_reference": "CSAFPID-22004",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Software FW16 installed on WAGO Hardware PFC200",
          "product_id": "CSAFPID-32002"
        },
        "product_reference": "CSAFPID-22004",
        "relates_to_product_reference": "CSAFPID-11002"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-8597",
      "cwe": {
        "id": "CWE-120",
        "name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
      },
      "notes": [
        {
          "category": "description",
          "text": "eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.",
          "title": "Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "If pppd daemon is activated, update the device to firmware 16.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 9.8,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 9.8,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002"
          ]
        }
      ],
      "title": "CVE-2020-8597"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.