WAGO GmbH & Co. is a German company that includes a business division selling automation components used in critical manufacturing and process industries. Earlier this year, the research team at Cisco Talos uncovered a number of vulnerabilities in WAGO's e!Cockpit integrated development environment and in its PFC100 and PFC200 automation controllers. After Cisco's initial report in March, its Talos team published a follow-up report in October, which included more detailed information on the vulnerabilities and their impact.
The vulnerabilities varied in severity and type, including memory corruption flaws, the discovery of hard-coded encryption keys in the software, cleartext transmission of network communications, authentication and information disclosure vulnerabilities, denial-of-service vulnerabilities, and command injection flaws which could allow an attacker already on the PFC200 device to run commands.
Given the ubiquity of the Linux-based WAGO devices across industries and critical processes, researchers—including Claroty's research team—continually evaluate the security of these proprietary products.
Today, Team82 is publicly disclosing a newly discovered remote command injection vulnerability in the WAGO I/O-Check service protocol. The vulnerability has been issued CVE-2020-12522; CERT@VDE today released an advisory, rating the severity of the vulnerability at 10.0, its highest severity score. This critical flaw would allow an attacker with network access to send crafted packets to the WAGO device and execute code.
The vulnerability affects all firmware versions up to and including FW10. A Shodan search reveals hundreds of these devices are connected to the internet; it's unknown how many of them are running vulnerable firmware versions, since Shodan does not always reveal product or firmware version numbers.
The affected products include: Series PFC100 (750-81xx), Series PFC200 (750-82xx/xxx-xxx), Series Wago Touch Panel 600 Standard Line (762-4xxx), Series Wago Touch Panel 600 Advanced Line (762-5xxx), and Series Wago Touch Panel 600 Marine Line (762-6xxx).
Network managers and operators are advised to upgrade firmware in the WAGO devices to current levels; the vulnerability was fixed in version FW11, released in December 2017. It is likely that many devices are still running vulnerable versions of the affected firmware, and asset owners have likely been unaware of the risk until today's disclosure. It is also likely the company found the vulnerability internally and patched it in 2017.
CERT@VDE recommends as a mitigation that the I/O-Check service protocol be disabled after the product is installed and commissioned. "This is the easiest and (most secure) way to protect your device from the listed vulnerabilities," the advisory says. Other mitigations include restricting network access to the device and avoiding connecting the device directly to the internet.
Claroty researchers built on the previous work done by Cisco Talos to uncover this remote code execution vulnerability.
Specifically, Talos looked at the WAGO PFC200 firmware version 03.02.02(14) and found a command injection flaw in the iocheckd service. Talos said that an attacker must first have established a foothold on the device in order to exploit this vulnerability, which requires write privileges. By writing a crafted XML cache file to a location on the device, an attacker could inject OS commands, then send malicious packets to the device to trigger parsing of the cache file. The cache file is used to perform some network configuration duties and is globally writable, according to Talos.
As the cache file is parsed, Talos said in March, each parameter can be used to inject commands that run as root, so an attacker already on the device can elevate privileges to root. An attacker can write their malicious XML file to /tmp/iocheckCache.xml and trigger its parsing with a malicious packet.
Claroty's research started on an earlier version, 2.0.07. The researchers discovered that the management protocol for the WAGO PFC200 runs on TCP port 6626 during initial setup and configuration. The protocol is active by default and remains open after initial configuration.
Claroty's research uncovered that in earlier versions (up to and including FW10), the iocheckd binary that parses the device's management protocol failed to sanitize configuration parameters, which can lead to remote command execution on the device. The vulnerability is trivially exploitable: a single, specially crafted, unauthenticated TCP packet is enough to run code remotely and either disrupt or manipulate the device.
The fix for both vulnerabilities validates the hostname before writing it to the cache and/or executing the change-hostname command.
Claroty has developed a Snort rule, which it is sharing with the community, that detects exploitation attempts against this vulnerability inside industrial environments:
Claroty would also like to thank Talos researcher Kelly Leuschner and her team for their cooperation as we looked deeper into these issues.
CVE-2020-12522
Related CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
This CVE describes a command injection vulnerability in the WAGO I/O-Check service, which allows an attacker with network access to the PFC device to remotely execute code with specially crafted packets.
CWE-257: Storing Passwords in a Recoverable Format
RND encrypts passwords with a hard-coded weak secret key and returns the passwords in plaintext. If the server were compromised, an attacker could obtain all the stored passwords and decrypt them.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 5.3
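The CWE-257 entry above describes password storage that a server can reverse on demand. The following added example (not code from RND, WAGO, or any of the advisories on this page) contrasts a toy reversible scheme built on a hard-coded key with a one-way PBKDF2-SHA256 hash carrying a per-password salt; the key bytes, iteration count and storage format are assumptions chosen for the illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# --- Weak pattern (toy stand-in, NOT RND's real scheme): reversible, fixed key -------
HARDCODED_KEY = b"do-not-do-this-0"  # a key baked into the product is known to anyone with the binary


def _xor_with_key(data: bytes) -> bytes:
    key = (HARDCODED_KEY * (len(data) // len(HARDCODED_KEY) + 1))[: len(data)]
    return bytes(a ^ b for a, b in zip(data, key))


def store_recoverable(password: str) -> str:
    """Stores the password in a form that anyone holding HARDCODED_KEY can reverse."""
    return base64.b64encode(_xor_with_key(password.encode())).decode()


def recover(stored: str) -> str:
    """Demonstrates the problem: the server (or whoever compromises it) gets the plaintext back."""
    return _xor_with_key(base64.b64decode(stored)).decode()


# --- Hardened pattern: one-way, salted, slow hash ---------------------------------------
ITERATIONS = 600_000  # PBKDF2-SHA256 work factor (assumed; tune to your hardware)
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Returns 'scheme$iterations$salt_b64$hash_b64'; the plaintext cannot be recovered from it."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$".join([SCHEME, str(ITERATIONS), base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_password(password: str, stored: str) -> bool:
    """Recomputes the hash with the stored salt and compares in constant time."""
    try:
        scheme, iterations, salt_b64, dk_b64 = stored.split("$")
        if scheme != SCHEME:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    except ValueError:  # malformed record, bad base64, non-numeric iteration count
        return False
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    weak = store_recoverable("operator-pw")          # constructed sample password
    print("recoverable record reverses to:", recover(weak))
    strong = hash_password("operator-pw")
    print("pbkdf2 record:", strong)
    print("verify correct:", verify_password("operator-pw", strong))
    print("verify wrong:", verify_password("guess", strong))
```

With the hashed form, a database dump yields only salted digests; the cost per guess is set by the iteration count rather than by possession of a key that ships with every installation.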
CWE-321: Use of Hard-coded Cryptographic Key
A built-in user called sshuser, with root privileges, exists on the RND platform. Both public and private ssh keys exist in the sshuser home directory. Anyone with the private key can access an RND server as sshuser.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 10.0
CWE-259: Use of Hard-coded Password
RND includes a jailed environment to allow users to configure devices without complete shell access to the underlying operating system. The jailed environment includes a built-in jailbreak for technicians to elevate privileges. The jailbreak requires a weak password that is hardcoded into the environment. Anyone with this password can access an RND server with root permissions.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 8.2
CWE-321: Use of Hard-coded Cryptographic Key
RND uses a secret key on the backend web server to ensure that session JWTs are valid. This secret key is hardcoded into the web server. Anyone with knowledge of the secret key could create a valid JWT, thus bypassing the typical authentication to access the server with administrator privileges.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 9.8
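The JWT finding above rests on one fact: whoever holds the HMAC secret can mint a token the server will accept, so a secret compiled into the web server is effectively public. The added example below (not RND's code; the environment variable name RND_JWT_SECRET and the minimum key length are assumptions) shows the defender-side handling: a per-deployment secret loaded from the environment, a refusal to start without one, HS256 verification that pins the algorithm and compares signatures in constant time.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Any, Dict, Mapping, Optional

ENV_VAR = "RND_JWT_SECRET"   # hypothetical setting name for this illustration
MIN_SECRET_BYTES = 32        # assumed policy: at least 256 bits of key material


def load_signing_secret(env: Mapping[str, str] = os.environ) -> bytes:
    """Fetches the HMAC key from deployment configuration; the source tree never contains it."""
    value = env.get(ENV_VAR)
    if not value:
        raise RuntimeError(f"{ENV_VAR} is not set; refusing to start without a per-deployment secret")
    secret = value.encode()
    if len(secret) < MIN_SECRET_BYTES:
        raise RuntimeError(f"{ENV_VAR} is shorter than {MIN_SECRET_BYTES} bytes")
    return secret


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: Dict[str, Any], secret: bytes) -> str:
    """Issues a compact JWT signed with HMAC-SHA256 (the normal login path)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes) -> Optional[Dict[str, Any]]:
    """Returns the payload if the token is a well-formed HS256 JWT under `secret`, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    # Pin the algorithm: never let the token choose "none" or a different scheme.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        payload = json.loads(_b64url_decode(body_b64))
    except ValueError:
        return None
    return payload if isinstance(payload, dict) else None


if __name__ == "__main__":
    # Constructed demo environment; a real deployment injects the secret at start-up.
    secret = load_signing_secret({ENV_VAR: "k" * MIN_SECRET_BYTES})
    token = sign_hs256({"sub": "admin", "role": "admin"}, secret)
    print("valid:", verify_hs256(token, secret))
    print("other key:", verify_hs256(token, b"j" * MIN_SECRET_BYTES))
```

Rotating the secret then means changing one configuration value per deployment and invalidating outstanding sessions, rather than rebuilding and redistributing the server.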
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
An authenticated vSZ user supplies an IP address as an argument to be run in an OS command, but this IP address is not sanitized. A user could supply other commands instead of an IP address to achieve RCE.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 9.0
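Two findings on this page share one root cause: a network-supplied value (the hostname in the WAGO iocheckd fix described earlier, the IP address in the vSZ finding just above) reaches an OS command without being checked. The added example below, which is not code from WAGO, Ruckus, Talos or Claroty, shows the shape of the remediation the WAGO fix is described as taking: validate the parameter against the grammar it must satisfy, then invoke the program with an argument vector rather than through a shell. The hostname regex, the commands used and the sample inputs are assumptions made for the illustration.

```python
import ipaddress
import re
import subprocess
from typing import List

# RFC 1123 hostname label: 1-63 alphanumerics or hyphens, not starting or ending with a hyphen.
# This validator is an assumption for the example, not the vendor's implementation.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """Accepts only syntactically valid hostnames (<= 253 chars, valid labels)."""
    if not name or len(name) > 253:
        return False
    if name.endswith("."):
        name = name[:-1]
    return all(_LABEL.match(label) for label in name.split("."))


def is_valid_ip(addr: str) -> bool:
    """Accepts only a literal IPv4 or IPv6 address; anything else (including shell metacharacters) fails."""
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        return False
    return True


def build_hostname_command_unsafe(name: str) -> str:
    """Vulnerable pattern: the parameter is spliced into a shell string, so any
    shell metacharacter in `name` changes what the shell will run."""
    return f"hostname {name}"


def build_hostname_command(name: str) -> List[str]:
    """Hardened pattern: validate first, then pass an argv list so no shell parses it."""
    if not is_valid_hostname(name):
        raise ValueError(f"rejected hostname: {name!r}")
    return ["hostname", name]


def build_ping_command(addr: str) -> List[str]:
    """Same treatment for the IP-address case: the value must be a literal address."""
    if not is_valid_ip(addr):
        raise ValueError(f"rejected address: {addr!r}")
    return ["ping", "-c", "1", addr]


def run_argv(argv: List[str]) -> subprocess.CompletedProcess:
    """Executes without a shell; the argument vector is passed to the program verbatim."""
    return subprocess.run(argv, shell=False, check=False, capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed inputs: one benign value and one carrying a shell metacharacter.
    for candidate in ["pfc200-01", "pfc200;id"]:
        print("unsafe string would be:", repr(build_hostname_command_unsafe(candidate)))
        try:
            print("hardened argv:", build_hostname_command(candidate))
        except ValueError as exc:
            print("hardened path:", exc)
    for addr in ["192.0.2.10", "192.0.2.10;id"]:
        try:
            print("ping argv:", build_ping_command(addr))
        except ValueError as exc:
            print("ping path:", exc)
```

The validation step is what the fix description above points at; the argv form is the belt-and-braces half, since even a value that passes validation is then never interpreted by a shell.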