VDE-2024-047

Vulnerability from csaf_wagogmbhcokg - Published: 2024-11-18 11:00 - Updated: 2025-05-22 13:03
Summary
WAGO: Multiple vulnerabilities in docker configuration
Notes
Summary: Nozomi reported eight vulnerabilities to WAGO affecting different firmwares installed on several devices.
Impact: The identified vulnerabilities could lead to a denial-of-service attack or to alteration of the firmware and docker configuration.
Remediation: Update to Firmware 4.6.x (FW28). For G1 devices update to Firmware 3.10.11 (FW22 Patch 2). For the latest Custom Firmware, please contact the WAGO support.

The Boot mode configuration in the Security tab allows an administrator to change the device's boot mode, determining the firmware location to be executed. This functionality is hidden from regular user profiles in the frontend and is documented as admin-only in the user manual. However, although the Security tab is not visible to regular users, a low-privileged attacker can bypass this by sending a crafted HTTP request with a valid user session. This enables them to modify the boot mode configuration, potentially causing a denial-of-service attack or altering the firmware upgrade process. A proof-of-concept shows that a user-level session can successfully modify the boot configuration mode through a crafted HTTP request.

CWE-306 - Missing Authentication for Critical Function
Vendor Fix: Update to Firmware 4.6.1 (FW28) or for CC100 devices to 4.6.3 (FW28). For G1 devices update to Firmware 3.10.11 (FW22 Patch 2). For the latest Custom Firmware, please contact the WAGO support.
Mitigation: Remove the Linux user "user" from the Linux group 'wbmuser' by accessing the controller shell as root and executing the command 'gpasswd -d user wbmuser'. You should check the result with the command 'groups user', which should output 'wbm user'.

The Docker settings within the Configuration tab allow an administrator to enable or disable the Docker service on the device. This functionality is hidden from regular user profiles in the frontend and is documented as an admin-only feature in the user manual. However, although the Docker Settings tab is shown as read-only for regular users, a low-privileged attacker can bypass this by sending a crafted HTTP request with a valid user session. This allows them to modify the Docker service configuration, potentially causing a denial-of-service attack on certain services within a Docker container. A proof-of-concept demonstrates how a user-level session can successfully modify the Docker settings via an HTTP request.

CWE-306 - Missing Authentication for Critical Function
Vendor Fix: Update to Firmware 4.6.1 (FW28) or for CC100 devices to 4.6.3 (FW28). For G1 devices update to Firmware 3.10.11 (FW22 Patch 2). For the latest Custom Firmware, please contact the WAGO support.
Mitigation: Remove the Linux user "user" from the Linux group 'wbmuser' by accessing the controller shell as root and executing the command 'gpasswd -d user wbmuser'. You should check the result with the command 'groups user', which should output 'wbm user'.

The PLC Runtime Services property in the Configuration tab allows administrators to modify the CODESYS service configuration, enabling engineers to install applications on the PLC device. This functionality is hidden from regular user profiles in the frontend and is documented as admin-only in the user manual. However, despite the PLC Runtime Services tab being inaccessible to regular users, a low-privileged attacker can bypass this by sending a crafted HTTP request with a valid user session. This allows them to modify the service configuration, potentially disabling the authentication required for the CODESYS V3 service, giving full access to the PLC's application layer. A proof-of-concept demonstrates that a user-level session can successfully modify the PLC Runtime Settings via an HTTP request, disabling CODESYS V3 authentication.

CWE-306 - Missing Authentication for Critical Function
Vendor Fix: Update to Firmware 4.6.1 (FW28) or for CC100 devices to 4.6.3 (FW28). For G1 devices update to Firmware 3.10.11 (FW22 Patch 2). For the latest Custom Firmware, please contact the WAGO support.
Mitigation: Remove the Linux user "user" from the Linux group 'wbmuser' by accessing the controller shell as root and executing the command 'gpasswd -d user wbmuser'. You should check the result with the command 'groups user', which should output 'wbm user'.

The Network Capture feature in the Diagnostic tab allows administrators to enable or disable the capture of network traffic for diagnostic purposes. Since the WAGO PLC device supports unencrypted communication protocols like HTTP and FTP, captured traffic may include sensitive information such as login credentials. According to the user manual, only administrators should have access to download and analyze this data. However, the captured traffic is stored in a publicly readable directory (/var/tmp/pcap) with weak permissions, as shown in the example where the file is saved with -rw-r--r-- permissions. This allows any user with SSH access, including low-privileged users, to read and download the file. The vulnerability allows low-privileged users to bypass access controls, download network traffic data, and extract sensitive information such as administrator credentials, as demonstrated in a proof-of-concept involving a password reset captured via HTTP.

CWE-732 - Incorrect Permission Assignment for Critical Resource
Vendor Fix: Update to Firmware 4.6.1 (FW28) or for CC100 devices to 4.6.3 (FW28). For G1 devices update to Firmware 3.10.11 (FW22 Patch 2). For the latest Custom Firmware, please contact the WAGO support.
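
A permission audit for a capture directory such as the /var/tmp/pcap location described above. This is an added example, not WAGO or Nozomi code; the owner-only policy, the function names and the temporary sample directory are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Permission bits that grant anything to group or other.
NON_OWNER_BITS = stat.S_IRWXG | stat.S_IRWXO


def audit_capture_dir(capture_dir):
    """Return (path, mode, reason) for each entry exposed beyond its owner."""
    entries = [capture_dir]
    for root, dirs, files in os.walk(capture_dir):
        entries += [os.path.join(root, name) for name in sorted(dirs + files)]

    findings = []
    for entry in entries:
        st = os.lstat(entry)  # lstat: do not follow links placed in the directory
        if stat.S_ISLNK(st.st_mode):
            findings.append((entry, "symlink", "symbolic link in capture directory"))
            continue
        exposed = st.st_mode & NON_OWNER_BITS
        if exposed:
            who = [label for label, bits in (("group", stat.S_IRWXG),
                                             ("other", stat.S_IRWXO))
                   if exposed & bits]
            findings.append((entry, stat.filemode(st.st_mode),
                             "accessible to " + "/".join(who)))
    return findings


def harden_capture_dir(capture_dir):
    """Strip group/other bits from every finding; symlinks are reported only."""
    changed = []
    for entry, mode, _reason in audit_capture_dir(capture_dir):
        if mode == "symlink":
            continue
        current = stat.S_IMODE(os.lstat(entry).st_mode)
        os.chmod(entry, current & ~NON_OWNER_BITS)
        changed.append(entry)
    return changed


def build_sample_dir():
    """Constructed sample: a directory and capture file with the weak modes
    the advisory describes (file saved as -rw-r--r--)."""
    sample = tempfile.mkdtemp(prefix="pcap-demo-")
    os.chmod(sample, 0o755)
    capture = os.path.join(sample, "capture.pcap")
    with open(capture, "wb") as fh:
        fh.write(b"\0" * 24)  # placeholder bytes, not a real capture
    os.chmod(capture, 0o644)
    return sample


if __name__ == "__main__":
    sample_dir = build_sample_dir()
    for path, mode, reason in audit_capture_dir(sample_dir):
        print(f"{mode}  {path}  ({reason})")
    harden_capture_dir(sample_dir)
    print("findings after hardening:", audit_capture_dir(sample_dir))
```

This checks and corrects files already on disk; the advisory's fix for the service itself is the firmware update.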

The saveretain command in the PLC Shell functionality of the CODESYS framework allows authenticated users to save backup data to a specified file location. However, this functionality does not properly sanitize user input for the <filename> parameter, enabling an attacker to specify arbitrary files on the system using special characters like ../. The specified file is then deleted by the CODESYS server-side daemon, resulting in arbitrary file deletion with root privileges. For example, an attacker can specify a critical file like /etc/passwd as ../../etc/passwd, leading to its deletion and causing a permanent denial-of-service. This vulnerability can be exploited by a low-privileged user who, after bypassing CODESYS authentication using a related vulnerability (NN-2024-0071), gains access to the PLC programming framework.

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Vendor Fix: Update to Firmware 4.6.1 (FW28) or for CC100 devices to 4.6.3 (FW28). For G1 devices update to Firmware 3.10.11 (FW22 Patch 2). For the latest Custom Firmware, please contact the WAGO support.
Mitigation: Access to the CODESYS Runtime should be completely restricted, ensuring that no unauthorized interaction or interference with the runtime environment is possible.

The restoresram command in the PLC Shell functionality of the CODESYS framework allows authenticated users to restore the device's memory from a backup file on the system. However, this functionality does not properly sanitize the user input for the <filename> parameter, allowing an attacker to specify arbitrary file paths using special characters like ../. The server-side CODESYS daemon appends the .ret extension to the specified file, so input like ../../etc/passwd becomes /etc/passwd.ret, which doesn't exist.

CWE-35 - Path Traversal: '.../...//'
Vendor Fix: Update to Firmware 4.6.1 (FW28) or for CC100 devices to 4.6.3 (FW28). For G1 devices update to Firmware 3.10.11 (FW22 Patch 2). For the latest Custom Firmware, please contact the WAGO support.
Mitigation: Access to the CODESYS Runtime should be completely restricted, ensuring that no unauthorized interaction or interference with the runtime environment is possible.

The savesram command in the PLC Shell functionality of the CODESYS framework allows authenticated users to save the device's memory to a backup file on the system. However, this feature does not properly sanitize the user input for the <filename> parameter, allowing attackers to specify arbitrary file paths using characters like ../. The server-side daemon appends the .ret extension, so an input like ../../etc/passwd becomes /etc/passwd.ret, which doesn't exist.

CWE-35 - Path Traversal: '.../...//'
Vendor Fix: Update to Firmware 4.6.1 (FW28) or for CC100 devices to 4.6.3 (FW28). For G1 devices update to Firmware 3.10.11 (FW22 Patch 2). For the latest Custom Firmware, please contact the WAGO support.
Mitigation: Access to the CODESYS Runtime should be completely restricted, ensuring that no unauthorized interaction or interference with the runtime environment is possible.
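
The input handling that the saveretain, restoresram and savesram descriptions say is missing, as an added example that is not CODESYS or WAGO code. The base directory /srv/retain, the function names and the way the unchecked path is built are assumptions; only the ../ input and the appended .ret extension come from the advisory.

```python
import os
import tempfile


class UnsafePath(ValueError):
    """Raised when a user-supplied filename would leave the backup directory."""


def naive_target(base_dir, filename, suffix=".ret"):
    """Assumed model of the unchecked behaviour: join, append suffix, normalise."""
    return os.path.normpath(os.path.join(base_dir, filename + suffix))


def confined_target(base_dir, filename, suffix=".ret"):
    """Resolve filename under base_dir and refuse anything that escapes it."""
    if not filename or "\0" in filename:
        raise UnsafePath("empty filename or embedded NUL")
    if os.path.isabs(filename):
        raise UnsafePath("absolute paths are not accepted")

    base = os.path.realpath(base_dir)
    # Append the suffix first so the check covers the path that is really used,
    # then resolve ../ components and symbolic links before comparing.
    candidate = os.path.realpath(os.path.join(base, filename + suffix))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePath("resolved path is outside the backup directory")
    return candidate


def classify(base_dir, filenames):
    """Return {filename: resolved path or 'rejected'} for a batch of inputs."""
    results = {}
    for name in filenames:
        try:
            results[name] = confined_target(base_dir, name)
        except UnsafePath:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    # Unchecked model with a hypothetical two-level base directory.
    print(naive_target("/srv/retain", "../../etc/passwd"))

    # Constructed inputs checked against a temporary backup directory.
    backup_dir = tempfile.mkdtemp(prefix="retain-demo-")
    samples = ["backup1", "sub/backup2", "../../etc/passwd", "/etc/passwd"]
    for name, verdict in classify(backup_dir, samples).items():
        print(f"{name!r:22} -> {verdict}")
```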

The BACNet Configuration property in the Fieldbus tab allows administrators to configure the BACNet service, including enabling, disabling, and modifying its properties. While the web interface correctly restricts low-privileged users by displaying this tab as read-only, as only administrators should be able to change the BACNet service according to the user manual, this restriction is not enforced on the underlying Linux operating system. As a result, an attacker with user-level access can modify the BACNet configuration through an SSH shell, exploiting weak system permissions.

CWE-732 - Incorrect Permission Assignment for Critical Resource
Vendor Fix: Update to Firmware 4.6.1 (FW28) or for CC100 devices to 4.6.3 (FW28). For G1 devices update to Firmware 3.10.11 (FW22 Patch 2). For the latest Custom Firmware, please contact the WAGO support.
Mitigation: Remove the Linux user "user" from the Linux group "wbmuser".
Acknowledgments
CERT@VDE certvde.com
Nozomi Networks Diego Giubertoni de.nozominetworks.com/

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "names": [
          "Diego Giubertoni"
        ],
        "organization": "Nozomi Networks",
        "summary": "reporting",
        "urls": [
          "https://de.nozominetworks.com/"
        ]
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "Nozomi reported eight vulnerabilities to WAGO affecting different firmwares installed on several devices.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "The identified vulnerabilities could lead to a denial-of-service attack or alter of the firmware and docker configuration.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Update to Firmware 4.6.x (FW28). For G1 devices update to Firmware 3.10.11 (FW22 Patch 2). For the latest Custom Firmware, please contact the WAGO support.",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@wago.com",
      "name": "WAGO GmbH \u0026 Co. KG",
      "namespace": "https://www.wago.com/psirt"
    },
    "references": [
      {
        "category": "external",
        "summary": "WAGO PSIRT",
        "url": "https://www.wago.com/de-en/automation-technology/psirt"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for WAGO",
        "url": "https://certvde.com/de/advisories/vendor/wago/"
      },
      {
        "category": "self",
        "summary": "VDE-2024-047: WAGO: Multiple vulnerabilities in docker configuration - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2024-047"
      },
      {
        "category": "self",
        "summary": "VDE-2024-047: WAGO: Multiple vulnerabilities in docker configuration - CSAF",
        "url": "https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2024/vde-2024-047.json"
      }
    ],
    "title": "WAGO: Multiple vulnerabilities in docker configuration",
    "tracking": {
      "aliases": [
        "VDE-2024-047"
      ],
      "current_release_date": "2025-05-22T13:03:10.000Z",
      "generator": {
        "date": "2025-01-29T08:46:03.534Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.17"
        }
      },
      "id": "VDE-2024-047",
      "initial_release_date": "2024-11-18T11:00:00.000Z",
      "revision_history": [
        {
          "date": "2024-11-18T11:00:00.000Z",
          "number": "1",
          "summary": "Initial document."
        },
        {
          "date": "2025-01-30T11:00:00.000Z",
          "number": "2",
          "summary": "Added known mitigations as remediation. Added the Custom Firmware to the product branch. Added firmware 3.10.11 (Firmware 22 Patch 2) to the fixed products. This version was in revision 1 listed as vulnerable. "
        },
        {
          "date": "2025-02-12T16:48:47.000Z",
          "number": "3",
          "summary": "Fix: corrected self-reference, fixed version"
        },
        {
          "date": "2025-05-22T13:03:10.000Z",
          "number": "4",
          "summary": "Fix: quotation mark"
        }
      ],
      "status": "final",
      "version": "4"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_name",
                    "name": "0751/9x01",
                    "product": {
                      "name": "WAGO CC100 0751/9x01",
                      "product_id": "CSAFPID-11001",
                      "product_identification_helper": {
                        "model_numbers": [
                          "0751-9?01"
                        ]
                      }
                    }
                  }
                ],
                "category": "product_family",
                "name": "CC100"
              },
              {
                "branches": [
                  {
                    "category": "product_name",
                    "name": "0750-810x/xxxx-xxxx",
                    "product": {
                      "name": "WAGO PFC100 G1 0750-810x/xxxx-xxxx",
                      "product_id": "CSAFPID-11002",
                      "product_identification_helper": {
                        "model_numbers": [
                          "0750-810?/????-????"
                        ]
                      }
                    }
                  }
                ],
                "category": "product_family",
                "name": "PFC100 G1"
              },
              {
                "branches": [
                  {
                    "category": "product_name",
                    "name": "0750-811x/xxxx-xxxx",
                    "product": {
                      "name": "WAGO PFC100 G2 0750-811x/xxxx-xxxx",
                      "product_id": "CSAFPID-11003",
                      "product_identification_helper": {
                        "model_numbers": [
                          "0750-811?-????-????"
                        ]
                      }
                    }
                  }
                ],
                "category": "product_family",
                "name": "PFC100 G2"
              },
              {
                "branches": [
                  {
                    "category": "product_name",
                    "name": "0750-820x/xxx-xxx",
                    "product": {
                      "name": "WAGO PFC200 G1 0750-820x/xxx-xxx",
                      "product_id": "CSAFPID-11004",
                      "product_identification_helper": {
                        "model_numbers": [
                          " 750-820?-????-????"
                        ]
                      }
                    }
                  }
                ],
                "category": "product_family",
                "name": "PFC200 G1"
              },
              {
                "branches": [
                  {
                    "category": "product_name",
                    "name": "0750-821x/xxx-xxx",
                    "product": {
                      "name": "WAGO PFC200 G2 0750-821x/xxx-xxx",
                      "product_id": "CSAFPID-11005",
                      "product_identification_helper": {
                        "model_numbers": [
                          "750-821?-????-????"
                        ]
                      }
                    }
                  }
                ],
                "category": "product_family",
                "name": "PFC200 G2"
              },
              {
                "branches": [
                  {
                    "category": "product_name",
                    "name": "0762-420x/8000-000x",
                    "product": {
                      "name": "WAGO TP600 0762-420x/8000-000x",
                      "product_id": "CSAFPID-11006",
                      "product_identification_helper": {
                        "model_numbers": [
                          "0762-420?/8000-000?"
                        ]
                      }
                    }
                  },
                  {
                    "category": "product_name",
                    "name": "0762-430x/8000-000x",
                    "product": {
                      "name": "WAGO TP600 0762-430x/8000-000x",
                      "product_id": "CSAFPID-11007",
                      "product_identification_helper": {
                        "model_numbers": [
                          "0762-430?/8000-000?"
                        ]
                      }
                    }
                  },
                  {
                    "category": "product_name",
                    "name": "0762-520x/8000-000x",
                    "product": {
                      "name": "WAGO TP600 0762-520x/8000-000x",
                      "product_id": "CSAFPID-11008",
                      "product_identification_helper": {
                        "model_numbers": [
                          "0762-520?/8000-000?"
                        ]
                      }
                    }
                  },
                  {
                    "category": "product_name",
                    "name": "0762-530x/8000-000x",
                    "product": {
                      "name": "WAGO TP600 0762-530x/8000-000x",
                      "product_id": "CSAFPID-11009",
                      "product_identification_helper": {
                        "model_numbers": [
                          "0762-530?/8000-000?"
                        ]
                      }
                    }
                  },
                  {
                    "category": "product_name",
                    "name": "0762-620x/8000-000x",
                    "product": {
                      "name": "WAGO TP600 0762-620x/8000-000x",
                      "product_id": "CSAFPID-11010",
                      "product_identification_helper": {
                        "model_numbers": [
                          "0762-620?/8000-000?"
                        ]
                      }
                    }
                  },
                  {
                    "category": "product_name",
                    "name": "0762-630x/8000-000x",
                    "product": {
                      "name": "WAGO TP600 0762-630x/8000-000x",
                      "product_id": "CSAFPID-11011",
                      "product_identification_helper": {
                        "model_numbers": [
                          "0762-630?/8000-000?"
                        ]
                      }
                    }
                  }
                ],
                "category": "product_family",
                "name": "TP600"
              },
              {
                "branches": [
                  {
                    "category": "product_name",
                    "name": "0752-8303/8000-0002",
                    "product": {
                      "name": "WAGO Edge Controller 0752-8303/8000-0002",
                      "product_id": "CSAFPID-11012",
                      "product_identification_helper": {
                        "model_numbers": [
                          "0752-8303/8000-0002"
                        ]
                      }
                    }
                  }
                ],
                "category": "product_family",
                "name": "Edge Controller"
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=4.5.10",
                "product": {
                  "name": "Firmware \u003c=4.5.10 (FW27)",
                  "product_id": "CSAFPID-21001"
                }
              },
              {
                "category": "product_name",
                "name": "4.6.1",
                "product": {
                  "name": "Firmware 4.6.1 (FW28)",
                  "product_id": "CSAFPID-22001"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c=3.10.10",
                "product": {
                  "name": "Firmware \u003c=3.10.10 (FW22 Patch 1)",
                  "product_id": "CSAFPID-21002"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c=04.04.03(70)",
                "product": {
                  "name": "Firmware \u003c=04.04.03(70)",
                  "product_id": "CSAFPID-21003"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c=04.03.03(72)",
                "product": {
                  "name": "Firmware \u003c=04.03.03(72)",
                  "product_id": "CSAFPID-21004"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c=03.03.08(80)",
                "product": {
                  "name": "Firmware \u003c=03.03.08(80)",
                  "product_id": "CSAFPID-21005"
                }
              },
              {
                "category": "product_version",
                "name": "4.6.1 (70)",
                "product": {
                  "name": "Firmware 4.6.1 (70)",
                  "product_id": "CSAFPID-22002"
                }
              },
              {
                "category": "product_version",
                "name": "3.10.11",
                "product": {
                  "name": "Firmware 3.10.11 (FW22 Patch 2)",
                  "product_id": "CSAFPID-22003"
                }
              },
              {
                "category": "product_name",
                "name": "4.6.3",
                "product": {
                  "name": "Firmware 4.6.3 (FW28)",
                  "product_id": "CSAFPID-22004"
                }
              },
              {
                "category": "product_name",
                "name": "4.6.3 (70)",
                "product": {
                  "name": "Firmware 4.6.3 (70)",
                  "product_id": "CSAFPID-22005"
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "WAGO"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006",
          "CSAFPID-31007",
          "CSAFPID-31008",
          "CSAFPID-31009",
          "CSAFPID-31010",
          "CSAFPID-31011",
          "CSAFPID-31012",
          "CSAFPID-31013",
          "CSAFPID-31014",
          "CSAFPID-31015",
          "CSAFPID-31016"
        ],
        "summary": "Affected products."
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005",
          "CSAFPID-32006",
          "CSAFPID-32007",
          "CSAFPID-32008",
          "CSAFPID-32009",
          "CSAFPID-32010",
          "CSAFPID-32011",
          "CSAFPID-32012",
          "CSAFPID-32013",
          "CSAFPID-32014"
        ],
        "summary": "Fixed products."
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=4.5.10 (FW27) installed on WAGO CC100 0751/9x01",
          "product_id": "CSAFPID-31001"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=4.5.10 (FW27) installed on WAGO PFC100 G2 0750-811x/xxxx-xxxx",
          "product_id": "CSAFPID-31002"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=4.5.10 (FW27) installed on WAGO PFC200 G2 0750-821x/xxx-xxx",
          "product_id": "CSAFPID-31003"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11005"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=4.5.10 (FW27) installed on WAGO TP600 0762-420x/8000-000x",
          "product_id": "CSAFPID-31004"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11006"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=4.5.10 (FW27) installed on WAGO TP600 0762-430x/8000-000x",
          "product_id": "CSAFPID-31005"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11007"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=4.5.10 (FW27) installed on WAGO TP600 0762-520x/8000-000x",
          "product_id": "CSAFPID-31006"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11008"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=4.5.10 (FW27) installed on WAGO TP600 0762-530x/8000-000x",
          "product_id": "CSAFPID-31007"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11009"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=4.5.10 (FW27) installed on WAGO TP600 0762-620x/8000-000x",
          "product_id": "CSAFPID-31008"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11010"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=4.5.10 (FW27) installed on WAGO TP600 0762-630x/8000-000x",
          "product_id": "CSAFPID-31009"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11011"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=4.5.10 (FW27) installed on WAGO Edge Controller 0752-8303/8000-0002",
          "product_id": "CSAFPID-31010"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11012"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=3.10.10 (FW22 Patch 1) installed on WAGO PFC100 G1 0750-810x/xxxx-xxxx",
          "product_id": "CSAFPID-31011"
        },
        "product_reference": "CSAFPID-21002",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=3.10.10 (FW22 Patch 1) installed on WAGO PFC200 G1 0750-820x/xxx-xxx",
          "product_id": "CSAFPID-31012"
        },
        "product_reference": "CSAFPID-21002",
        "relates_to_product_reference": "CSAFPID-11004"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 4.6.3 (FW28) installed on WAGO CC100 0751/9x01",
          "product_id": "CSAFPID-32001"
        },
        "product_reference": "CSAFPID-22004",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 4.6.1 (FW28) installed on WAGO PFC100 G2 0750-811x/xxxx-xxxx",
          "product_id": "CSAFPID-32002"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 4.6.1 (FW28) installed on WAGO PFC200 G2 0750-821x/xxx-xxx",
          "product_id": "CSAFPID-32003"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11005"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 4.6.1 (FW28) installed on WAGO TP600 0762-420x/8000-000x",
          "product_id": "CSAFPID-32004"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11006"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 4.6.1 (FW28) installed on WAGO TP600 0762-430x/8000-000x",
          "product_id": "CSAFPID-32005"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11007"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 4.6.1 (FW28) installed on WAGO TP600 0762-520x/8000-000x",
          "product_id": "CSAFPID-32006"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11008"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 4.6.1 (FW28) installed on WAGO TP600 0762-530x/8000-000x",
          "product_id": "CSAFPID-32007"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11009"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 4.6.1 (FW28) installed on WAGO TP600 0762-620x/8000-000x",
          "product_id": "CSAFPID-32008"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11010"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 4.6.1 (FW28) installed on WAGO TP600 0762-630x/8000-000x",
          "product_id": "CSAFPID-32009"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11011"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 4.6.1 (FW28) installed on WAGO Edge Controller 0752-8303/8000-0002",
          "product_id": "CSAFPID-32010"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11012"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=03.03.08(80) installed on WAGO PFC200 G1 0750-820x/xxx-xxx",
          "product_id": "CSAFPID-31013"
        },
        "product_reference": "CSAFPID-21005",
        "relates_to_product_reference": "CSAFPID-11004"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=04.04.03(70) installed on WAGO PFC200 G2 0750-821x/xxx-xxx",
          "product_id": "CSAFPID-31014"
        },
        "product_reference": "CSAFPID-21003",
        "relates_to_product_reference": "CSAFPID-11005"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=04.03.03(72) installed on WAGO CC100 0751/9x01",
          "product_id": "CSAFPID-31015"
        },
        "product_reference": "CSAFPID-21004",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=04.04.03(70) installed on WAGO CC100 0751/9x01",
          "product_id": "CSAFPID-31016"
        },
        "product_reference": "CSAFPID-21003",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 4.6.3 (70) installed on WAGO CC100 0751/9x01",
          "product_id": "CSAFPID-32011"
        },
        "product_reference": "CSAFPID-22005",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 4.6.1 (70) installed on WAGO PFC200 G2 0750-821x/xxx-xxx",
          "product_id": "CSAFPID-32012"
        },
        "product_reference": "CSAFPID-22002",
        "relates_to_product_reference": "CSAFPID-11005"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 3.10.11 (FW22 Patch 2) installed on WAGO PFC100 G1 0750-810x/xxxx-xxxx",
          "product_id": "CSAFPID-32013"
        },
        "product_reference": "CSAFPID-22003",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 3.10.11 (FW22 Patch 2) installed on WAGO PFC200 G1 0750-820x/xxx-xxx",
          "product_id": "CSAFPID-32014"
        },
        "product_reference": "CSAFPID-22003",
        "relates_to_product_reference": "CSAFPID-11004"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-41967",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "notes": [
        {
          "category": "description",
          "text": "The Boot mode configuration in the Security tab allows an administrator to change the device\u0027s boot mode, determining the firmware location to be executed. This functionality is hidden from regular user profiles in the frontend and is documented as admin-only in the user manual. However, although the Security tab is not visible to regular users, a low-privileged attacker can bypass this by sending a crafted HTTP request with a valid user session. This enables them to modify the boot mode configuration, potentially causing a denial-of-service attack or altering the firmware upgrade process. A proof-of-concept shows that a user-level session can successfully modify the boot configuration mode through a crafted HTTP request.",
          "title": "Vulnerability Description"
        },
        {
          "category": "other",
          "text": "A low privileged user may modify the boot mode configuration setup of the device, eventually leading to a denial-of-service attack.",
          "title": "Impact"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005",
          "CSAFPID-32006",
          "CSAFPID-32007",
          "CSAFPID-32008",
          "CSAFPID-32009",
          "CSAFPID-32010",
          "CSAFPID-32011",
          "CSAFPID-32012",
          "CSAFPID-32013",
          "CSAFPID-32014"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006",
          "CSAFPID-31007",
          "CSAFPID-31008",
          "CSAFPID-31009",
          "CSAFPID-31010",
          "CSAFPID-31011",
          "CSAFPID-31012",
          "CSAFPID-31013",
          "CSAFPID-31014",
          "CSAFPID-31015",
          "CSAFPID-31016"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to Firmware 4.6.1 (FW28) or for CC100 devices to 4.6.3 (FW28). For G1 devices update to Firmware 3.10.11 (FW22 Patch 2). For the latest Custom Firmware, please contact the WAGO support.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "mitigation",
          "details": "Remove the linux user \"user\" from the linux group \u0027wbmuser\u0027 by accessing the controller shell as root and executing the command \u0027gpasswd -d user wbmuser\u0027. You should check the result with the command \u0027groups user\u0027, which should output \u0027wbm user\u0027.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "environmentalScore": 8.1,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.1,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006",
            "CSAFPID-31007",
            "CSAFPID-31008",
            "CSAFPID-31009",
            "CSAFPID-31010",
            "CSAFPID-31011",
            "CSAFPID-31012",
            "CSAFPID-31013",
            "CSAFPID-31014",
            "CSAFPID-31015",
            "CSAFPID-31016"
          ]
        }
      ],
      "title": "CVE-2024-41967"
    },
    {
      "cve": "CVE-2024-41968",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "notes": [
        {
          "category": "description",
          "text": "The Docker settings within the Configuration tab allow an administrator to enable or disable the Docker service on the device. This functionality is hidden from regular user profiles in the frontend and is documented as an admin-only feature in the user manual. However, although the Docker Settings tab is shown as read-only for regular users, a low-privileged attacker can bypass this by sending a crafted HTTP request with a valid user session. This allows them to modify the Docker service configuration, potentially causing a denial-of-service attack on certain services within a Docker container. A proof-of-concept demonstrates how a user-level session can successfully modify the Docker settings via an HTTP request.",
          "title": "Vulnerability Description"
        },
        {
          "category": "other",
          "text": "A low privileged user may modify the docker settings setup of the device, eventually leading to unexpected behaviors.",
          "title": "Impact"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005",
          "CSAFPID-32006",
          "CSAFPID-32007",
          "CSAFPID-32008",
          "CSAFPID-32009",
          "CSAFPID-32010",
          "CSAFPID-32011",
          "CSAFPID-32012",
          "CSAFPID-32013",
          "CSAFPID-32014"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006",
          "CSAFPID-31007",
          "CSAFPID-31008",
          "CSAFPID-31009",
          "CSAFPID-31010",
          "CSAFPID-31011",
          "CSAFPID-31012",
          "CSAFPID-31013",
          "CSAFPID-31014",
          "CSAFPID-31015",
          "CSAFPID-31016"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to Firmware 4.6.1 (FW28) or for CC100 devices to 4.6.3 (FW28). For G1 devices update to Firmware 3.10.11 (FW22 Patch 2). For the latest Custom Firmware, please contact the WAGO support.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "mitigation",
          "details": "Remove the linux user \"user\" from the linux group \u0027wbmuser\u0027 by accessing the controller shell as root and executing the command \u0027gpasswd -d user wbmuser\u0027. You should check the result with the command \u0027groups user\u0027, which should output \u0027wbm user\u0027.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalScore": 5.4,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 5.4,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006",
            "CSAFPID-31007",
            "CSAFPID-31008",
            "CSAFPID-31009",
            "CSAFPID-31010",
            "CSAFPID-31011",
            "CSAFPID-31012",
            "CSAFPID-31013",
            "CSAFPID-31014",
            "CSAFPID-31015",
            "CSAFPID-31016"
          ]
        }
      ],
      "title": "CVE-2024-41968"
    },
    {
      "cve": "CVE-2024-41969",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "notes": [
        {
          "category": "description",
          "text": "The PLC Runtime Services property in the Configuration tab allows administrators to modify the CODESYS service configuration, enabling engineers to install applications on the PLC device. This functionality is hidden from regular user profiles in the frontend and is documented as admin-only in the user manual. However, despite the PLC Runtime Services tab being inaccessible to regular users, a low-privileged attacker can bypass this by sending a crafted HTTP request with a valid user session. This allows them to modify the service configuration, potentially disabling the authentication required for the CODESYS V3 service, giving full access to the PLC\u0027s application layer. A proof-of-concept demonstrates that a user-level session can successfully modify the PLC Runtime Settings via an HTTP request, disabling CODESYS V3 authentication.",
          "title": "Vulnerability Description"
        },
        {
          "category": "other",
          "text": "A low privileged user may modify the PLC Runtime Services setup of the device, modifying the configuration of the CODESYS V3 service dedicated to the PLC application programming. The attacker may in this way disable the CODESYS authentication required to allow just administrator users to program the PLC, leading to an authentication bypass.",
          "title": "Impact"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005",
          "CSAFPID-32006",
          "CSAFPID-32007",
          "CSAFPID-32008",
          "CSAFPID-32009",
          "CSAFPID-32010",
          "CSAFPID-32011",
          "CSAFPID-32012",
          "CSAFPID-32013",
          "CSAFPID-32014"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006",
          "CSAFPID-31007",
          "CSAFPID-31008",
          "CSAFPID-31009",
          "CSAFPID-31010",
          "CSAFPID-31011",
          "CSAFPID-31012",
          "CSAFPID-31013",
          "CSAFPID-31014",
          "CSAFPID-31015",
          "CSAFPID-31016"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to Firmware 4.6.1 (FW28) or for CC100 devices to 4.6.3 (FW28). For G1 devices update to Firmware 3.10.11 (FW22 Patch 2). For the latest Custom Firmware, please contact the WAGO support.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "mitigation",
          "details": "Remove the linux user \"user\" from the linux group \u0027wbmuser\u0027 by accessing the controller shell as root and executing the command \u0027gpasswd -d user wbmuser\u0027. You should check the result with the command \u0027groups user\u0027, which should output \u0027wbm user\u0027.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006",
            "CSAFPID-31007",
            "CSAFPID-31008",
            "CSAFPID-31009",
            "CSAFPID-31010",
            "CSAFPID-31011",
            "CSAFPID-31012",
            "CSAFPID-31013",
            "CSAFPID-31014",
            "CSAFPID-31015",
            "CSAFPID-31016"
          ]
        }
      ],
      "title": "CVE-2024-41969"
    },
    {
      "cve": "CVE-2024-41970",
      "cwe": {
        "id": "CWE-732",
        "name": "Incorrect Permission Assignment for Critical Resource"
      },
      "notes": [
        {
          "category": "description",
          "text": "The Network Capture feature in the Diagnostic tab allows administrators to enable or disable the capture of network traffic for diagnostic purposes. Since the Wago PLC device supports unencrypted communication protocols like HTTP and FTP, captured traffic may include sensitive information such as login credentials. According to the user manual, only administrators should have access to download and analyze this data. However, the captured traffic is stored in a publicly readable directory (/var/tmp/pcap) with weak permissions, as shown in the example where the file is saved with -rw-r--r-- permissions. This allows any user with SSH access, including low-privileged users, to read and download the file. The vulnerability allows low-privileged users to bypass access controls, download network traffic data, and extract sensitive information such as administrator credentials, as demonstrated in a proof-of-concept involving a password reset captured via HTTP.",
          "title": "Vulnerability Description"
        },
        {
          "category": "other",
          "text": "A low privileged user may have access to forbidden diagnostic data in order to retrieve sensitive information and in the worst-case scenario gather a set of valid administrator credentials in order to elevate his privileges.",
          "title": "Impact"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005",
          "CSAFPID-32006",
          "CSAFPID-32007",
          "CSAFPID-32008",
          "CSAFPID-32009",
          "CSAFPID-32010",
          "CSAFPID-32011",
          "CSAFPID-32012"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006",
          "CSAFPID-31007",
          "CSAFPID-31008",
          "CSAFPID-31009",
          "CSAFPID-31010",
          "CSAFPID-31014",
          "CSAFPID-31015",
          "CSAFPID-31016"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to Firmware 4.6.1 (FW28) or for CC100 devices to 4.6.3 (FW28). For G1 devices update to Firmware 3.10.11 (FW22 Patch 2). For the latest Custom Firmware, please contact the WAGO support.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 5.7,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 5.7,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006",
            "CSAFPID-31007",
            "CSAFPID-31008",
            "CSAFPID-31009",
            "CSAFPID-31010",
            "CSAFPID-31014",
            "CSAFPID-31015",
            "CSAFPID-31016"
          ]
        }
      ],
      "title": "CVE-2024-41970"
    },
    {
      "cve": "CVE-2024-41971",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "notes": [
        {
          "category": "description",
          "text": "The saveretain command in the PLC Shell functionality of the CODESYS framework allows authenticated users to save backup data to a specified file location. However, this functionality does not properly sanitize user input for the \u003cfilename\u003e parameter, enabling an attacker to specify arbitrary files on the system using special characters like ../. The specified file is then deleted by the CODESYS server-side daemon, resulting in arbitrary file deletion with root privileges. For example, an attacker can specify a critical file like /etc/passwd as ../../etc/passwd, leading to its deletion and causing a permanent denial-of-service. This vulnerability can be exploited by a low-privileged user who, after bypassing CODESYS authentication using a related vulnerability (NN-2024-0071), gains access to the PLC programming framework.",
          "title": "Vulnerability Description"
        },
        {
          "category": "other",
          "text": "The saveretain command inside the PLC Shell functionality exposed by the CODESYS framework doesn\u0027t correctly sanitize a user-provided input, allowing an attacker to specify an arbitrary file on the filesystem. The result at the end of the command invocation is the deletion of the user-provided file, potentially leading to a permanent denial-of-service attack (e.g., deleting the /etc/passwd file on the Linux operating system).",
          "title": "Impact"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005",
          "CSAFPID-32006",
          "CSAFPID-32007",
          "CSAFPID-32008",
          "CSAFPID-32009",
          "CSAFPID-32010",
          "CSAFPID-32011",
          "CSAFPID-32012"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006",
          "CSAFPID-31007",
          "CSAFPID-31008",
          "CSAFPID-31009",
          "CSAFPID-31010",
          "CSAFPID-31014",
          "CSAFPID-31015",
          "CSAFPID-31016"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to Firmware 4.6.1 (FW28) or for CC100 devices to 4.6.3 (FW28). For G1 devices update to Firmware 3.10.11 (FW22 Patch 2). For the latest Custom Firmware, please contact the WAGO support.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "mitigation",
          "details": "Access to the CODESYS Runtime should be completely restricted, ensuring that no unauthorized interaction or interference with the runtime environment is possible.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "environmentalScore": 8.1,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.1,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006",
            "CSAFPID-31007",
            "CSAFPID-31008",
            "CSAFPID-31009",
            "CSAFPID-31010",
            "CSAFPID-31014",
            "CSAFPID-31015",
            "CSAFPID-31016"
          ]
        }
      ],
      "title": "CVE-2024-41971"
    },
    {
      "cve": "CVE-2024-41972",
      "cwe": {
        "id": "CWE-35",
        "name": "Path Traversal: \u0027.../...//\u0027"
      },
      "notes": [
        {
          "category": "description",
          "text": "The restoresram command in the PLC Shell functionality of the CODESYS framework allows authenticated users to restore the device\u0027s memory from a backup file on the system. However, this functionality does not properly sanitize the user input for the \u003cfilename\u003e parameter, allowing an attacker to specify arbitrary file paths using special characters like ../. The server-side CODESYS daemon appends the .ret extension to the specified file, so input like ../../etc/passwd becomes /etc/passwd.ret, which doesn\u0027t exist.",
          "title": "Vulnerability Description"
        },
        {
          "category": "other",
          "text": "The restoresram command inside the PLC Shell functionality exposed by the CODESYS framework doesn\u0027t correctly sanitize a user-provided input, allowing an attacker to specify an arbitrary file on the filesystem. The issue may lead to an arbitrary file read with root privileges (e.g., reading the /etc/shadow file on the Linux operating system).",
          "title": "Impact"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005",
          "CSAFPID-32006",
          "CSAFPID-32007",
          "CSAFPID-32008",
          "CSAFPID-32009",
          "CSAFPID-32010",
          "CSAFPID-32011",
          "CSAFPID-32012"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006",
          "CSAFPID-31007",
          "CSAFPID-31008",
          "CSAFPID-31009",
          "CSAFPID-31010",
          "CSAFPID-31014",
          "CSAFPID-31015",
          "CSAFPID-31016"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to Firmware 4.6.1 (FW28) or for CC100 devices to 4.6.3 (FW28). For G1 devices update to Firmware 3.10.11 (FW22 Patch 2). For the latest Custom Firmware, please contact the WAGO support.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "mitigation",
          "details": "Access to the CODESYS Runtime should be completely restricted, ensuring that no unauthorized interaction or interference with the runtime environment is possible.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 6.5,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 6.5,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006",
            "CSAFPID-31007",
            "CSAFPID-31008",
            "CSAFPID-31009",
            "CSAFPID-31010",
            "CSAFPID-31014",
            "CSAFPID-31015",
            "CSAFPID-31016"
          ]
        }
      ],
      "title": "CVE-2024-41972"
    },
    {
      "cve": "CVE-2024-41973",
      "cwe": {
        "id": "CWE-35",
        "name": "Path Traversal: \u0027.../...//\u0027"
      },
      "notes": [
        {
          "category": "description",
          "text": "The savesram command in the PLC Shell functionality of the CODESYS framework allows authenticated users to save the device\u0027s memory to a backup file on the system. However, this feature does not properly sanitize the user input for the \u003cfilename\u003e parameter, allowing attackers to specify arbitrary file paths using characters like ../. The server-side daemon appends the .ret extension, so an input like ../../etc/passwd becomes /etc/passwd.ret, which doesn\u0027t exist.",
          "title": "Vulnerability Description"
        },
        {
          "category": "other",
          "text": "The savesram command inside the PLC Shell functionality exposed by the CODESYS framework doesn\u0027t correctly sanitize a user-provided input, allowing an attacker to specify an arbitrary file on the filesystem. The issue may lead to arbitrary file writes with root privileges (e.g., overwriting the /etc/shadow file on the Linux operating system).",
          "title": "Impact"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005",
          "CSAFPID-32006",
          "CSAFPID-32007",
          "CSAFPID-32008",
          "CSAFPID-32009",
          "CSAFPID-32010",
          "CSAFPID-32011",
          "CSAFPID-32012"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006",
          "CSAFPID-31007",
          "CSAFPID-31008",
          "CSAFPID-31009",
          "CSAFPID-31010",
          "CSAFPID-31014",
          "CSAFPID-31015",
          "CSAFPID-31016"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to Firmware 4.6.1 (FW28) or for CC100 devices to 4.6.3 (FW28). For G1 devices update to Firmware 3.10.11 (FW22 Patch 2). For the latest Custom Firmware, please contact the WAGO support.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "mitigation",
          "details": "Access to the CODESYS Runtime should be completely restricted, ensuring that no unauthorized interaction or interference with the runtime environment is possible.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "environmentalScore": 8.1,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.1,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006",
            "CSAFPID-31007",
            "CSAFPID-31008",
            "CSAFPID-31009",
            "CSAFPID-31010",
            "CSAFPID-31014",
            "CSAFPID-31015",
            "CSAFPID-31016"
          ]
        }
      ],
      "title": "CVE-2024-41973"
    },
    {
      "cve": "CVE-2024-41974",
      "cwe": {
        "id": "CWE-732",
        "name": "Incorrect Permission Assignment for Critical Resource"
      },
      "notes": [
        {
          "category": "description",
          "text": "The BACNet Configuration property in the Fieldbus tab allows administrators to configure the BACNet service, including enabling, disabling, and modifying its properties. While the web interface correctly restricts low-privileged users by displaying this tab as read-only, as only administrators should be able to change the BACNet service according to the user manual, this restriction is not enforced on the underlying Linux operating system. As a result, an attacker with user-level access can modify the BACNet configuration through an SSH shell, exploiting weak system permissions.",
          "title": "Vulnerability Description"
        },
        {
          "category": "other",
          "text": "A low privileged user may modify the BACNet service properties due to a weak permission on a configuration file, breaking in this way a specific access control that, as the user manual describes, should ensure that just administrator users have the capability to modify. The chance to modify the BACNet service state (disabling it or changing the listening port) may lead to a denial-of-service attack.",
          "title": "Impact"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005",
          "CSAFPID-32006",
          "CSAFPID-32007",
          "CSAFPID-32008",
          "CSAFPID-32009",
          "CSAFPID-32010",
          "CSAFPID-32011",
          "CSAFPID-32012"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006",
          "CSAFPID-31007",
          "CSAFPID-31008",
          "CSAFPID-31009",
          "CSAFPID-31010",
          "CSAFPID-31014",
          "CSAFPID-31015",
          "CSAFPID-31016"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to Firmware 4.6.1 (FW28) or for CC100 devices to 4.6.3 (FW28). For G1 devices update to Firmware 3.10.11 (FW22 Patch 2). For the latest Custom Firmware, please contact the WAGO support.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "mitigation",
          "details": "Remove the linux user \"user\" from the linux group \"wbmuser\".",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "environmentalScore": 7.1,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 7.1,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006",
            "CSAFPID-31007",
            "CSAFPID-31008",
            "CSAFPID-31009",
            "CSAFPID-31010",
            "CSAFPID-31014",
            "CSAFPID-31015",
            "CSAFPID-31016"
          ]
        }
      ],
      "title": "CVE-2024-41974"
    }
  ]
}

