WAGO GmbH & Co., is a German company that includes a business division that sells automation components used in critical manufacturing and process industries. Earlier this year, the research team at Cisco Talos uncovered a number of vulnerabilities in WAGO's e!Cockpit integrated development environment and in its PFC100 and PFC200 automation controllers. After Cisco's initial report in March, its Talos team published a follow-up report in October, which included more detailed information on the vulnerabilities and their impact.
The vulnerabilities varied in severity and type, including memory corruption flaws, the discovery of hard-coded encryption keys in the software, cleartext transmission of network communications, authentication and information disclosure vulnerabilities, denial-of-service vulnerabilities, and command injection flaws which could allow an attacker already on the PFC200 device to run commands.
Given the ubiquity of the Linux-based WAGO devices across industries and critical processes, researchers—including Claroty's research team—continually evaluate the security of these proprietary products.
Today, Team82 is publicly disclosing a newly discovered remote command injection vulnerability in the WAGO I/O-Check service protocol. The vulnerability has been issued CVE-2020-12522; CERT@VDE today released an advisory, rating the severity of the vulnerability at 10.0, its highest severity score. This critical flaw would allow an attacker with network access to send crafted packets to the WAGO device and execute code.
The vulnerability affects all firmware versions up to and including FW10. A Shodan search reveals hundreds of these devices are connected to the internet; it's unknown how many of them are running vulnerable firmware versions, since Shodan does not always reveal product or firmware version numbers.
The affected products include: Series PFC100 (750-81xx), Series PFC200 (750-82xx/xxx-xxx), Series Wago Touch Panel 600 Standard Line (762-4xxx), Series Wago Touch Panel 600 Advanced Line (762-5xxx), and Series Wago Touch Panel 600 Marine Line (762-6xxx).
Network managers and operators are advised to upgrade firmware in the WAGO devices to current levels; the vulnerability was fixed in version FW11, released in December 2017. It is likely that many devices are still running vulnerable versions of the affected firmware, and asset owners have likely been unaware of the risk until today's disclosure. It is also likely the company found the vulnerability internally and patched it in 2017.
CERT@VDE recommends as a mitigation that the I/O-Check service protocol be disabled after the product is installed and commissioned. "This is the easiest and (most secure) way to protect your device from the listed vulnerabilities," the advisory says. Other mitigations including restricting network access to the device and avoiding connecting the device directly to the internet.
Claroty researchers built on the previous work done by Cisco Talos to uncover this remote code execution vulnerability.
Specifically, Talos looked at the WAGO PFC200 firmware version 03.02.02(14) and found its command injection flaw in the iocheckd service. Talos said that an attacker must first have established a foothold on the device in order to be able to exploit this vulnerability which requires write privileges. By writing a crafted XML cache file to a location on the device, it could be used to inject OS commands. An attacker could follow that up with malicious packets sent to the device in order to trigger parsing of the cache file. The cache file is used to perform some network configuration duties, and is globally writable, according to Talos.
As the cache file is parsed, Talos said in March, each parameter can be used to inject commands that will run as root; an attacker on the device will be able to do so and elevate privileges to root. An attacker can write their malicious XML file to /tmp/iocheckCache.xml and trigger its parsing with a malicious packet.
Claroty's research started on an earlier version, 2.0.07. The researchers discovered that the management protocol for the WAGO PFC200 runs on TCP port 6626 during initial setup and configuration. The protocol is active by default and remains open after initial configuration.
Claroty's research uncovered that in previous versions (<=FW10), the iocheckd binary that parses the device's management protocol failed to sanitize the configuration parameters, which can lead to remote command execution on the device. The vulnerability is trivial to exploit using a single, specifically crafted TCP packet without authentication in order to run code remotely and either disrupt or manipulate the device.
The fix for both vulnerabilities verifies the hostname before writing to the cache and/or executing the change hostname command.
Claroty has developed a Snort rule that it is sharing with the community that will detect this vulnerability inside industrial environments:
Claroty would also like to thank Talos researcher Kelly Leuschner and her team for its cooperation as we looked deeper into these issues.
CWE-749 Exposed Dangerous Method or Function
When user authentication is not enabled the shell can execute commands with the highest privileges. Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message comes over TCP/IP the RTU will simply accept the message with no authentication challenge.
CVSS V3: 10
CWE-288: Authentication Bypass Using an Alternative Path or Channel
Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message is received over TCP/IP the RTU will simply accept the message with no authentication challenge.
CVSS V3: 10
The vulnerability is caused by the using deprecated deserialization functions and/or classes such as BinaryFormatter in the zenon internal graphic utility DLLs.
CVSS V3: 6.3
The vulnerability is caused by the default directory permissions for the Zenon Projects directory in the engineering studio default workspace. By allowing access to all the users on the system, the attacker may alter the zenon project itself to load arbitrary zenon projects in the zenon runtime.
CVSS V3: 5.9
Code Execution through overwriting service executable in utilities directory. The vulnerability is caused by the weakly configured default directory permission for the ABB Utilities directory.
CVSS V3: 7.0