By Uri Katz | Claroty Research Team | Dec. 17, 2020

WAGO GmbH & Co. is a German company that includes a business division selling automation components used in critical manufacturing and process industries. Earlier this year, the research team at Cisco Talos uncovered a number of vulnerabilities in WAGO’s e!Cockpit integrated development environment and in its PFC100 and PFC200 automation controllers. After Cisco’s initial report in March, its Talos team published a follow-up report in October, which included more detailed information on the vulnerabilities and their impact.

The vulnerabilities varied in severity and type, including memory corruption flaws, the discovery of hard-coded encryption keys in the software, cleartext transmission of network communications, authentication and information disclosure vulnerabilities, denial-of-service vulnerabilities, and command injection flaws which could allow an attacker already on the PFC200 device to run commands.

Given the ubiquity of the Linux-based WAGO devices across industries and critical processes, researchers—including Claroty’s research team—continually evaluate the security of these proprietary products.

Today, Claroty is publicly disclosing a newly discovered remote command injection vulnerability in the WAGO I/O-Check service protocol. The vulnerability has been issued CVE-2020-12522; CERT@VDE today released an advisory, rating the severity of the vulnerability at 10.0, its highest severity score. This critical flaw would allow an attacker with network access to send crafted packets to the WAGO device and execute code.

Silent Fix in 2017 Addressed Firmware Vulnerability

The vulnerability affects all firmware versions up to and including FW10. A Shodan search reveals hundreds of these devices are connected to the internet; it’s unknown how many of them are running vulnerable firmware versions, since Shodan does not always reveal product or firmware version numbers.

The affected products include: Series PFC100 (750-81xx), Series PFC200 (750-82xx/xxx-xxx), Series Wago Touch Panel 600 Standard Line (762-4xxx), Series Wago Touch Panel 600 Advanced Line (762-5xxx), and Series Wago Touch Panel 600 Marine Line (762-6xxx).

Network managers and operators are advised to upgrade firmware in the WAGO devices to current levels; the vulnerability was fixed in version FW11, released in December 2017. It is likely that many devices are still running vulnerable versions of the affected firmware, and asset owners have likely been unaware of the risk until today’s disclosure. It is also likely the company found the vulnerability internally and patched it in 2017.

CERT@VDE recommends as a mitigation that the I/O-Check service protocol be disabled after the product is installed and commissioned. “This is the easiest and (most secure) way to protect your device from the listed vulnerabilities,” the advisory says. Other mitigations include restricting network access to the device and avoiding connecting the device directly to the internet.

Technical Details

Previous Work

Claroty researchers built on the previous work done by Cisco Talos to uncover this remote code execution vulnerability.

Specifically, Talos looked at the WAGO PFC200 firmware version 03.02.02(14) and found a command injection flaw in the iocheckd service. Talos said that an attacker must first have established a foothold on the device in order to exploit this vulnerability, which requires write privileges. By writing a crafted XML cache file to a location on the device, an attacker could inject OS commands, and could then send malicious packets to the device in order to trigger parsing of the cache file. The cache file is used to perform some network configuration duties and is globally writable, according to Talos.

As the cache file is parsed, Talos said in March, each parameter can be used to inject commands that run as root, so an attacker already on the device can elevate privileges to root. An attacker can write their malicious XML file to /tmp/iocheckCache.xml and trigger its parsing with a malicious packet.

New Findings, Old Firmware

Claroty’s research started on an earlier version, 2.0.07. The researchers discovered that the management protocol for the WAGO PFC200 runs on TCP port 6626 during initial setup and configuration. The protocol is active by default and remains open after initial configuration.

Claroty’s research uncovered that in previous versions (<=FW10), the iocheckd binary that parses the device’s management protocol failed to sanitize the configuration parameters, which can lead to remote command execution on the device. The vulnerability is trivial to exploit using a single, specifically crafted TCP packet without authentication in order to run code remotely and either disrupt or manipulate the device.

Pseudo-code showing the vulnerable code area. The upper part was exploited by Talos while the lower part was exploited by Claroty.

Fixes & Detections

The fix for both vulnerabilities verifies the hostname before writing to the cache and/or executing the change hostname command.

Claroty has developed a Snort rule that it is sharing with the community that will detect attempts to exploit this vulnerability inside industrial environments:

alert tcp any any -> any 6626 (msg:"Claroty Rule: potential attempt to exploit WAGO network parameters via OS command injection (CVE-2020-12522)"; content:"|88 12|"; offset:0; depth:2; content:"|02 05|"; offset:18; pcre:"/\x02\x05.{4}[\x07-\x08]\x00.{4}.*[ |\;|\&|\|].*/ms"; sid:1001594113; rev:2;)
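The following added example (not part of the original post or of Claroty's tooling) translates the Snort rule above into plain Python so a defender can unit-test it offline, and pairs it with the kind of hostname allow-list check the fix paragraph describes. The I/O-Check field layout used to build the sample payloads is an assumption chosen only so the rule's offsets line up; the payloads are constructed, not captured traffic.

```python
import re

IOCHECK_PORT = 6626  # TCP port of the I/O-Check service named in the advisory

# Byte-level translation of the Claroty Snort rule:
#   content:"|88 12|" offset:0 depth:2  -> payload must start with 0x88 0x12
#   content:"|02 05|" offset:18         -> 0x02 0x05 must occur at byte 18 or later
#   pcre:/\x02\x05.{4}[\x07-\x08]\x00.{4}.*[ |\;|\&|\|].*/ms
# Snort's class [ |\;|\&|\|] contains space, '|', ';' and '&' (the pipes are literal).
RULE_PCRE = re.compile(rb"\x02\x05.{4}[\x07-\x08]\x00.{4}.*[ |;&].*",
                       re.DOTALL | re.MULTILINE)


def matches_rule(payload: bytes) -> bool:
    """Return True when a TCP payload to port 6626 would trigger the Snort rule."""
    if payload[:2] != b"\x88\x12":
        return False
    if b"\x02\x05" not in payload[18:]:
        return False
    return RULE_PCRE.search(payload) is not None


def build_sample(hostname: bytes) -> bytes:
    """Constructed I/O-Check-like payload for testing the rule.

    Layout (an assumption made for this harness, not the documented protocol):
    2-byte magic, 16 bytes of padding, then a parameter record starting with
    0x02 0x05, 4 bytes, a type byte 0x07, 0x00, 4 more bytes and the value.
    """
    header = b"\x88\x12" + b"\x00" * 16
    record = b"\x02\x05" + b"\x00" * 4 + b"\x07\x00" + b"\x00" * 4 + hostname
    return header + record


# RFC 1123 single-label hostname: letters, digits, hyphens, no leading/trailing hyphen.
# This is one way the server-side check the fix describes could look (assumption).
HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def hostname_is_valid(value: str) -> bool:
    """Allow-list check: reject anything a shell could interpret as a separator."""
    return HOSTNAME_LABEL.match(value) is not None


SAMPLES = {  # constructed test inputs
    "benign": build_sample(b"plc-01"),
    "metachar": build_sample(b"plc-01;x"),
}


def scan(samples=SAMPLES) -> dict:
    """Run the rule over every sample and report which ones alert."""
    return {name: matches_rule(p) for name, p in samples.items()}
```

Note that the pcre matches on any space, semicolon, ampersand or pipe after the record header, so a legitimately malformed but harmless hostname will also alert; the allow-list check is what actually closes the hole on the device.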

Acknowledgments

Claroty would also like to thank Talos researcher Kelly Leuschner and her team for their cooperation as we looked deeper into these issues.

CVE Details

  • CVE-2020-12522
    Related CWE-78: Improper neutralization of special elements used in an OS command
    This CVE describes a command injection vulnerability in the WAGO I/O-Check service, which allows an attacker with network access to the PFC device to remotely execute code with specially crafted packets.