VDE-2021-050
Vulnerability from csaf_wagogmbhcokg - Published: 2021-11-16 11:02 - Updated: 2021-11-16 11:02Summary
WAGO: Multiple devices affected by Vulnerabilities in NUCLEUS TCP Stack.
Severity
Critical
Notes
Summary: Multiple vulnerabilities were reported in the Nucleus Real-Time Operating System (RTOS). The Nucleus RTOS is an essential component in several WAGO PLCs and fieldbus coupler. WAGO uses older Versions of the Nucleus RTOS also in legacy products.
For additional information please consult the official Siemens advisory:
• Advisory SSA-044112
Impact: The reported vulnerabilities allow an attacker who has access to the device and is able to exploit the vulnerabilities, to manipulate and disrupt the device. Please consult the CVE entries listed above for more details.
WAGO devices are not affected by CVE-2021-31885.
Vulnerable to all vulnerabilities listed above:
750-829, 750-831/000-00x, 750-852, 750-880/0xx-xxx, 750-881, 750-882, 750-885/0xx-xxx, 750-889, 750-331, 750-352/xxx-xxx
Vulnerable only to CVE-2021-31344, CVE-2021-31346, CVE-2021-31890:
750-823, 750-832/000-00x, 750-862, 750-890/0xx-xxx, 750-891, 750-893, 750-332, 750-362/xxx-xxx, 750-363/xxx-xxx, 750-364/xxx-xxx, 750-365/xxx-xxx
Mitigation: 1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Remediation: For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), PLUSCONTROL 1st Gen (All versions), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), SIMOTICS CONNECT 400 (All versions < V1.0.0.0). ICMP echo packets with fake IP options allow sending ICMP echo reply messages to arbitrary hosts on the network. (FSMD-2021-0004)
5.3 (Medium)
Mitigation
1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Vendor Fix
For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), PLUSCONTROL 1st Gen (All versions). The total length of an UDP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on a user-defined applications that runs on top of the UDP protocol. (FSMD-2021-0006)
9.1 (Critical)
Mitigation
1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Vendor Fix
For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), PLUSCONTROL 1st Gen (All versions), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), SIMOTICS CONNECT 400 (All versions < V1.0.0.0). The total length of an ICMP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory. (FSMD-2021-0007)
9.1 (Critical)
Mitigation
1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Vendor Fix
For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303). When processing a DHCP OFFER message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions. (FSMD-2021-0008)
7.5 (High)
Mitigation
1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Vendor Fix
For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303). The DHCP client application does not validate the length of the Domain Name Server IP option(s) (0x06) when processing DHCP ACK packets. This may lead to Denial-of-Service conditions. (FSMD-2021-0011)
7.5 (High)
Mitigation
1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Vendor Fix
For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303). When processing a DHCP ACK message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions. (FSMD-2021-0013)
7.5 (High)
Mitigation
1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Vendor Fix
For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions < V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.19), Capital VSTAR (All versions with enabled Ethernet options), Desigo PXC00-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC00-U (All versions >= V2.3 and < V6.30.016), Desigo PXC001-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC100-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC12-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC128-U (All versions >= V2.3 and < V6.30.016), Desigo PXC200-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC36.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC50-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC64-U (All versions >= V2.3 and < V6.30.016), Desigo PXM20-E (All versions >= V2.3 and < V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.4), Nucleus Source Code (All versions), TALON TC Compact (BACnet) (All versions < V3.5.4), TALON TC Modular (BACnet) (All versions < V3.5.4). The DHCP client application assumes that the data supplied with the “Hostname” DHCP option is NULL terminated. In cases when global hostname variable is not defined, this may lead to Out-of-bound reads, writes, and Denial-of-service conditions. (FSMD-2021-0014)
9.8 (Critical)
Mitigation
1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Vendor Fix
For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions < V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.19), Desigo PXC00-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC00-U (All versions >= V2.3 and < V6.30.016), Desigo PXC001-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC100-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC12-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC128-U (All versions >= V2.3 and < V6.30.016), Desigo PXC200-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC36.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC50-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC64-U (All versions >= V2.3 and < V6.30.016), Desigo PXM20-E (All versions >= V2.3 and < V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.4), Nucleus Source Code (All versions), TALON TC Compact (BACnet) (All versions < V3.5.4), TALON TC Modular (BACnet) (All versions < V3.5.4). FTP server does not properly validate the length of the “USER” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution. (FSMD-2021-0010)
9.8 (Critical)
Mitigation
1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Vendor Fix
For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions < V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.19), Desigo PXC00-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC00-U (All versions >= V2.3 and < V6.30.016), Desigo PXC001-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC100-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC12-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC128-U (All versions >= V2.3 and < V6.30.016), Desigo PXC200-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC36.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC50-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC64-U (All versions >= V2.3 and < V6.30.016), Desigo PXM20-E (All versions >= V2.3 and < V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.4), Nucleus Source Code (All versions), TALON TC Compact (BACnet) (All versions < V3.5.4), TALON TC Modular (BACnet) (All versions < V3.5.4). FTP server does not properly validate the length of the “PWD/XPWD” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution. (FSMD-2021-0016)
8.8 (High)
Mitigation
1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Vendor Fix
For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions < V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.19), Desigo PXC00-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC00-U (All versions >= V2.3 and < V6.30.016), Desigo PXC001-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC100-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC12-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC128-U (All versions >= V2.3 and < V6.30.016), Desigo PXC200-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC36.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC50-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC64-U (All versions >= V2.3 and < V6.30.016), Desigo PXM20-E (All versions >= V2.3 and < V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.4), Nucleus Source Code (All versions), TALON TC Compact (BACnet) (All versions < V3.5.4), TALON TC Modular (BACnet) (All versions < V3.5.4). FTP server does not properly validate the length of the “MKD/XMKD” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution. (FSMD-2021-0018)
8.8 (High)
Mitigation
1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Vendor Fix
For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), PLUSCONTROL 1st Gen (All versions), SIMOTICS CONNECT 400 (All versions < V0.5.0.0). Malformed TCP packets with a corrupted SACK option leads to Information Leaks and Denial-of-Service conditions. (FSMD-2021-0015)
9.1 (Critical)
Mitigation
1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Vendor Fix
For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), PLUSCONTROL 1st Gen (All versions), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), SIMOTICS CONNECT 400 (All versions < V1.0.0.0). The total length of an TCP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory. (FSMD-2021-0017)
9.1 (Critical)
Mitigation
1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Vendor Fix
For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
References
| URL | Category | |
|---|---|---|
Acknowledgments
CERT@VDE
certvde.com
Medigate
Yuval Halaban
Uriel Malin
Tal Zohar
Forescout Technologies
Daniel dos Santos
Amine Amri
Stanislav Dashevskyi
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
},
{
"names": [
"Yuval Halaban",
"Uriel Malin",
"Tal Zohar"
],
"organization": "Medigate",
"summary": "reporting"
},
{
"names": [
"Daniel dos Santos",
"Amine Amri",
"Stanislav Dashevskyi"
],
"organization": "Forescout Technologies",
"summary": "reporting"
}
],
"aggregate_severity": {
"namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "Multiple vulnerabilities were reported in the Nucleus Real-Time Operating System (RTOS). The Nucleus RTOS is an essential component in several WAGO PLCs and fieldbus coupler. WAGO uses older Versions of the Nucleus RTOS also in legacy products.\nFor additional information please\u00a0consult the official Siemens advisory:\n\u2022 Advisory\u00a0SSA-044112",
"title": "Summary"
},
{
"category": "description",
"text": "The reported vulnerabilities allow an attacker who has access to the device and is able to exploit the vulnerabilities, to manipulate and disrupt the device. Please consult the CVE entries listed above for more details.\nWAGO devices are not affected by CVE-2021-31885.\nVulnerable to all vulnerabilities listed above:\n750-829, 750-831/000-00x, 750-852, 750-880/0xx-xxx, 750-881, 750-882, 750-885/0xx-xxx, 750-889, 750-331, 750-352/xxx-xxx\nVulnerable only to CVE-2021-31344, CVE-2021-31346, CVE-2021-31890:\n750-823, 750-832/000-00x, 750-862, 750-890/0xx-xxx, 750-891, 750-893, 750-332, 750-362/xxx-xxx, 750-363/xxx-xxx, 750-364/xxx-xxx, 750-365/xxx-xxx",
"title": "Impact"
},
{
"category": "description",
"text": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"title": "Mitigation"
},
{
"category": "description",
"text": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@wago.com",
"name": "WAGO GmbH \u0026 Co. KG",
"namespace": "https://www.wago.com/psirt"
},
"references": [
{
"category": "self",
"summary": "VDE-2021-050: WAGO: Multiple devices affected by Vulnerabilities in NUCLEUS TCP Stack. - HTML",
"url": "https://certvde.com/en/advisories/VDE-2021-050/"
},
{
"category": "self",
"summary": "VDE-2021-050: WAGO: Multiple devices affected by Vulnerabilities in NUCLEUS TCP Stack. - CSAF",
"url": "https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2021/vde-2021-050.json"
},
{
"category": "external",
"summary": "WAGO PSIRT",
"url": "https://www.wago.com/psirt"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for WAGO GmbH \u0026 Co. KG",
"url": "https://certvde.com/en/advisories/vendor/wago/"
}
],
"title": "WAGO: Multiple devices affected by Vulnerabilities in NUCLEUS TCP Stack.",
"tracking": {
"aliases": [
"VDE-2021-050"
],
"current_release_date": "2021-11-16T11:02:00.000Z",
"generator": {
"date": "2025-06-16T07:25:47.768Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.27"
}
},
"id": "VDE-2021-050",
"initial_release_date": "2021-11-16T11:02:00.000Z",
"revision_history": [
{
"date": "2021-11-16T11:02:00.000Z",
"number": "1.0.0",
"summary": "Initial revision."
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "750-331",
"product": {
"name": "750-331",
"product_id": "CSAFPID-11001"
}
},
{
"category": "product_name",
"name": "750-332",
"product": {
"name": "750-332",
"product_id": "CSAFPID-11002"
}
},
{
"category": "product_name",
"name": "750-352/xxx-xxx",
"product": {
"name": "750-352/xxx-xxx",
"product_id": "CSAFPID-11003"
}
},
{
"category": "product_name",
"name": "750-362/xxx-xxx",
"product": {
"name": "750-362/xxx-xxx",
"product_id": "CSAFPID-11004"
}
},
{
"category": "product_name",
"name": "750-363/xxx-xxx",
"product": {
"name": "750-363/xxx-xxx",
"product_id": "CSAFPID-11005"
}
},
{
"category": "product_name",
"name": "750-364/xxx-xxx",
"product": {
"name": "750-364/xxx-xxx",
"product_id": "CSAFPID-11006"
}
},
{
"category": "product_name",
"name": "750-365/xxx-xxx",
"product": {
"name": "750-365/xxx-xxx",
"product_id": "CSAFPID-11007"
}
},
{
"category": "product_name",
"name": "750-823",
"product": {
"name": "750-823",
"product_id": "CSAFPID-11008"
}
},
{
"category": "product_name",
"name": "750-829",
"product": {
"name": "750-829",
"product_id": "CSAFPID-11009"
}
},
{
"category": "product_name",
"name": "750-831/000-00x",
"product": {
"name": "750-831/000-00x",
"product_id": "CSAFPID-11010"
}
},
{
"category": "product_name",
"name": "750-832/000-00x",
"product": {
"name": "750-832/000-00x",
"product_id": "CSAFPID-11011"
}
},
{
"category": "product_name",
"name": "750-852",
"product": {
"name": "750-852",
"product_id": "CSAFPID-11012"
}
},
{
"category": "product_name",
"name": "750-862",
"product": {
"name": "750-862",
"product_id": "CSAFPID-11013"
}
},
{
"category": "product_name",
"name": "750-880/0xx-xxx",
"product": {
"name": "750-880/0xx-xxx",
"product_id": "CSAFPID-11014"
}
},
{
"category": "product_name",
"name": "750-881",
"product": {
"name": "750-881",
"product_id": "CSAFPID-11015"
}
},
{
"category": "product_name",
"name": "750-882",
"product": {
"name": "750-882",
"product_id": "CSAFPID-11016"
}
},
{
"category": "product_name",
"name": "750-885/0xx-xxx",
"product": {
"name": "750-885/0xx-xxx",
"product_id": "CSAFPID-11017"
}
},
{
"category": "product_name",
"name": "750-889",
"product": {
"name": "750-889",
"product_id": "CSAFPID-11018"
}
},
{
"category": "product_name",
"name": "750-890/0xx-xxx",
"product": {
"name": "750-890/0xx-xxx",
"product_id": "CSAFPID-11019"
}
},
{
"category": "product_name",
"name": "750-891",
"product": {
"name": "750-891",
"product_id": "CSAFPID-11020"
}
},
{
"category": "product_name",
"name": "750-893",
"product": {
"name": "750-893",
"product_id": "CSAFPID-11021"
}
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=FW16",
"product": {
"name": "Firmware \u003c=FW16",
"product_id": "CSAFPID-21001"
}
},
{
"category": "product_version_range",
"name": "\u003c=FW09",
"product": {
"name": "Firmware \u003c=FW09",
"product_id": "CSAFPID-21002"
}
},
{
"category": "product_version_range",
"name": "\u003c=FW14",
"product": {
"name": "Firmware \u003c=FW14",
"product_id": "CSAFPID-21003"
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "WAGO"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
],
"summary": "Affected products."
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW16 installed on 750-331",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW09 installed on 750-332",
"product_id": "CSAFPID-31002"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW16 installed on 750-352/xxx-xxx",
"product_id": "CSAFPID-31003"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW09 installed on 750-362/xxx-xxx",
"product_id": "CSAFPID-31004"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11004"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW09 installed on 750-363/xxx-xxx",
"product_id": "CSAFPID-31005"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11005"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW09 installed on 750-364/xxx-xxx",
"product_id": "CSAFPID-31006"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11006"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW09 installed on 750-365/xxx-xxx",
"product_id": "CSAFPID-31007"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11007"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW09 installed on 750-823",
"product_id": "CSAFPID-31008"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11008"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW16 installed on 750-829",
"product_id": "CSAFPID-31009"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11009"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW14 installed on 750-831/000-00x",
"product_id": "CSAFPID-31010"
},
"product_reference": "CSAFPID-21003",
"relates_to_product_reference": "CSAFPID-11010"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW09 installed on 750-832/000-00x",
"product_id": "CSAFPID-31011"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11011"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW16 installed on 750-852",
"product_id": "CSAFPID-31012"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11012"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW09 installed on 750-862",
"product_id": "CSAFPID-31013"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11013"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW16 installed on 750-880/0xx-xxx",
"product_id": "CSAFPID-31014"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11014"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW16 installed on 750-881",
"product_id": "CSAFPID-31015"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11015"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW16 installed on 750-882",
"product_id": "CSAFPID-31016"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11016"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW16 installed on 750-885/0xx-xxx",
"product_id": "CSAFPID-31017"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11017"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW16 installed on 750-889",
"product_id": "CSAFPID-31018"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11018"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW09 installed on 750-890/0xx-xxx",
"product_id": "CSAFPID-31019"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11019"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW09 installed on 750-891",
"product_id": "CSAFPID-31020"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11020"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW09 installed on 750-893",
"product_id": "CSAFPID-31021"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11021"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-31344",
"cwe": {
"id": "CWE-843",
"name": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)"
},
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions \u003c V2303), PLUSCONTROL 1st Gen (All versions), SIMOTICS CONNECT 400 (All versions \u003c V0.5.0.0), SIMOTICS CONNECT 400 (All versions \u003c V1.0.0.0). ICMP echo packets with fake IP options allow sending ICMP echo reply messages to arbitrary hosts on the network. (FSMD-2021-0004)",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
},
"remediations": [
{
"category": "mitigation",
"details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |\n\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"environmentalScore": 5.3,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 5.3,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
}
],
"title": "CVE-2021-31344"
},
{
"cve": "CVE-2021-31345",
"cwe": {
"id": "CWE-1284",
"name": "Improper Validation of Specified Quantity in Input"
},
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions \u003c V2303), PLUSCONTROL 1st Gen (All versions). The total length of an UDP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on a user-defined applications that runs on top of the UDP protocol. (FSMD-2021-0006)",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
},
"remediations": [
{
"category": "mitigation",
"details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |\n\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.1,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.1,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
}
],
"title": "CVE-2021-31345"
},
{
"cve": "CVE-2021-31346",
"cwe": {
"id": "CWE-1284",
"name": "Improper Validation of Specified Quantity in Input"
},
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions \u003c V2303), PLUSCONTROL 1st Gen (All versions), SIMOTICS CONNECT 400 (All versions \u003c V0.5.0.0), SIMOTICS CONNECT 400 (All versions \u003c V1.0.0.0). The total length of an ICMP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory. (FSMD-2021-0007)",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
},
"remediations": [
{
"category": "mitigation",
"details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |\n\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.1,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.1,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
}
],
"title": "CVE-2021-31346"
},
{
"cve": "CVE-2021-31881",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions \u003c V2303). When processing a DHCP OFFER message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions. (FSMD-2021-0008)",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
},
"remediations": [
{
"category": "mitigation",
"details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |\n\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
}
],
"title": "CVE-2021-31881"
},
{
"cve": "CVE-2021-31882",
"cwe": {
"id": "CWE-119",
"name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
},
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions \u003c V2303). The DHCP client application does not validate the length of the Domain Name Server IP option(s) (0x06) when processing DHCP ACK packets. This may lead to Denial-of-Service conditions. (FSMD-2021-0011)",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
},
"remediations": [
{
"category": "mitigation",
"details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |\n\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
}
],
"title": "CVE-2021-31882"
},
{
"cve": "CVE-2021-31883",
"cwe": {
"id": "CWE-119",
"name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
},
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions \u003c V2303). When processing a DHCP ACK message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions. (FSMD-2021-0013)",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
},
"remediations": [
{
"category": "mitigation",
"details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |\n\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
}
],
"title": "CVE-2021-31883"
},
{
"cve": "CVE-2021-31884",
"cwe": {
"id": "CWE-170",
"name": "Improper Null Termination"
},
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions \u003c V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions \u003c V2.8.19), APOGEE PXC Modular (BACnet) (All versions \u003c V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions \u003c V2.8.19), Capital VSTAR (All versions with enabled Ethernet options), Desigo PXC00-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC00-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC001-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC100-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC12-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC128-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC200-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC22-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC22.1-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC36.1-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC50-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC64-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXM20-E (All versions \u003e= V2.3 and \u003c V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions \u003c V2017.02.4), Nucleus Source Code (All versions), TALON TC Compact (BACnet) (All versions \u003c V3.5.4), TALON TC Modular (BACnet) (All versions \u003c V3.5.4). The DHCP client application assumes that the data supplied with the \u201cHostname\u201d DHCP option is NULL terminated. In cases when global hostname variable is not defined, this may lead to Out-of-bound reads, writes, and Denial-of-service conditions. (FSMD-2021-0014)",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
},
"remediations": [
{
"category": "mitigation",
"details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |\n\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
}
],
"title": "CVE-2021-31884"
},
{
"cve": "CVE-2021-31886",
"cwe": {
"id": "CWE-170",
"name": "Improper Null Termination"
},
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions \u003c V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions \u003c V2.8.19), APOGEE PXC Modular (BACnet) (All versions \u003c V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions \u003c V2.8.19), Desigo PXC00-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC00-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC001-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC100-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC12-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC128-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC200-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC22-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC22.1-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC36.1-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC50-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC64-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXM20-E (All versions \u003e= V2.3 and \u003c V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions \u003c V2017.02.4), Nucleus Source Code (All versions), TALON TC Compact (BACnet) (All versions \u003c V3.5.4), TALON TC Modular (BACnet) (All versions \u003c V3.5.4). FTP server does not properly validate the length of the \u201cUSER\u201d command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution. (FSMD-2021-0010)",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
},
"remediations": [
{
"category": "mitigation",
"details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |\n\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
}
],
"title": "CVE-2021-31886"
},
{
"cve": "CVE-2021-31887",
"cwe": {
"id": "CWE-170",
"name": "Improper Null Termination"
},
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions \u003c V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions \u003c V2.8.19), APOGEE PXC Modular (BACnet) (All versions \u003c V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions \u003c V2.8.19), Desigo PXC00-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC00-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC001-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC100-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC12-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC128-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC200-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC22-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC22.1-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC36.1-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC50-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC64-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXM20-E (All versions \u003e= V2.3 and \u003c V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions \u003c V2017.02.4), Nucleus Source Code (All versions), TALON TC Compact (BACnet) (All versions \u003c V3.5.4), TALON TC Modular (BACnet) (All versions \u003c V3.5.4). FTP server does not properly validate the length of the \u201cPWD/XPWD\u201d command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution. (FSMD-2021-0016)",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
},
"remediations": [
{
"category": "mitigation",
"details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |\n\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 8.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 8.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
}
],
"title": "CVE-2021-31887"
},
{
"cve": "CVE-2021-31888",
"cwe": {
"id": "CWE-170",
"name": "Improper Null Termination"
},
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions \u003c V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions \u003c V2.8.19), APOGEE PXC Modular (BACnet) (All versions \u003c V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions \u003c V2.8.19), Desigo PXC00-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC00-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC001-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC100-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC12-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC128-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC200-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC22-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC22.1-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC36.1-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC50-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC64-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXM20-E (All versions \u003e= V2.3 and \u003c V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions \u003c V2017.02.4), Nucleus Source Code (All versions), TALON TC Compact (BACnet) (All versions \u003c V3.5.4), TALON TC Modular (BACnet) (All versions \u003c V3.5.4). FTP server does not properly validate the length of the \u201cMKD/XMKD\u201d command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution. (FSMD-2021-0018)",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
},
"remediations": [
{
"category": "mitigation",
"details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |\n\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 8.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 8.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
}
],
"title": "CVE-2021-31888"
},
{
"cve": "CVE-2021-31889",
"cwe": {
"id": "CWE-191",
"name": "Integer Underflow (Wrap or Wraparound)"
},
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions \u003c V2303), PLUSCONTROL 1st Gen (All versions), SIMOTICS CONNECT 400 (All versions \u003c V0.5.0.0). Malformed TCP packets with a corrupted SACK option leads to Information Leaks and Denial-of-Service conditions. (FSMD-2021-0015)",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
},
"remediations": [
{
"category": "mitigation",
"details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |\n\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.1,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.1,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
}
],
"title": "CVE-2021-31889"
},
{
"cve": "CVE-2021-31890",
"cwe": {
"id": "CWE-240",
"name": "Improper Handling of Inconsistent Structural Elements"
},
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions \u003c V2303), PLUSCONTROL 1st Gen (All versions), SIMOTICS CONNECT 400 (All versions \u003c V0.5.0.0), SIMOTICS CONNECT 400 (All versions \u003c V1.0.0.0). The total length of an TCP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory. (FSMD-2021-0017)",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
},
"remediations": [
{
"category": "mitigation",
"details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |\n\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.1,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.1,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
}
],
"title": "CVE-2021-31890"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…