12 October 2022
KLCERT-22-046: WAGO 750 Controllers. Denial of service of the FTP server
Vendor
-
CVE
-
KLCERT
KLCERT-22-046
Timeline
Timeline
-
Kaspersky ICS CERT advisory published
12 October 2022
-
Advisory published
12 October 2022
-
Vendor Informing
July 2022
Description
Kaspersky Lab has discovered a denial-of-service vulnerability in the WAGO 750 controllers.
Exploitability
Remotely
Attack complexity
User interaction
Availability
A complete restart of the device is required to restore its normal operations
Vulnerable ports
21/TCP
Impact
Existence of exploit
Proof-of-Concept
Affected products
The following WAGO products:
- 750-330 with firmware version FW13 and before
- 750-332 with firmware version FW10 and before
- 750-352/xxx-xxx with firmware version FW14 and before
- 750-362/xxx-xxx with firmware version FW10 and before
- 750-363/xxx-xxx with firmware version FW10 and before
- 750-364/xxx-xxx with firmware version FW10 and before
- 750-365/xxx-xxx with firmware version FW10 and before
- 750-823 with firmware version FW10 and before
- 750-829 with firmware version FW13 and before
- 750-831/xxx-xxx with firmware version FW13 and before
- 750-832/xxx-xxx with firmware version FW10 and before
- 750-852 with firmware version FW16 and before
- 750-862 with firmware version FW10 and before
- 750-880/xxx-xxx with firmware version FW16 and before
- 750-881 with firmware version FW16 and before
- 750-882 with firmware version FW16 and before
- 750-885/xxx-xxx with firmware version FW16 and before
- 750-889 with firmware version FW16 and before
- 750-890/xxx-xxx with firmware version FW10 and before
- 750-891 with firmware version FW10 and before
- 750-893 with firmware version FW10 and before
Mitigation
Vendor mitigation
Primary:
WAGO recommend all affected users to update to the firmware version listed below:
Series WAGO 750-3x / -8x | |
Article Number | Fixed in Firmware Version |
750-330 | Beta FW17 Q1/2023 |
750-332 | FW11 after BACnet certification |
750-352/xxx-xxx | FW17 Q1/2023 |
750-362/xxx-xxx | FW11 Q1/2023 |
750-363/xxx-xxx | FW11 Q1/2023 |
750-364/xxx-xxx | FW11 Q1/2023 |
750-365/xxx-xxx | FW11 Q1/2023 |
750-823 | FW11 Q1/2023 |
750-829 | Beta FW17 Q1/2023 |
750-831/xxx-xxx | Beta FW17 Q1/2023 |
750-832/xxx-xxx | FW11 after BACnet certification |
750-852 | FW17 Q1/2023 |
750-862 | FW11 Q1/2023 |
750-880/xxx-xxx | FW17 Q1/2023 |
750-881 | FW17 Q1/2023 |
750-882 | FW17 Q1/2023 |
750-885/xxx-xxx | FW17 Q1/2023 |
750-889 | FW17 Q1/2023 |
750-890/xxx-xxx | FW11 Q1/2023 |
750-891 | FW11 Q1/2023 |
750-893 | FW11 Q1/2023 |
Generic:
For devices 750-362 – 750-365 and 750-823, 750-862, 750-890 – 750-893 the FTP server is disabled in the default configuration.
If you enabled the FTP Server, but you do not need FTP data transfer, you can deactivate the FTP Server over the product settings in the web-based management. As general security measures strongly WAGO recommends:
- Use general security best practices to protect systems from local and network attacks.
- Do not allow direct access to the device from untrusted networks.
Update to the latest firmware according to the table in chapter solutions. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
Kaspersky ICS CERT mitigation
Primary:
Set up the border firewall (or a similar network traffic control solution) to allow only authorized parties to send traffic to port 21/TCP of the system.
Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees with respect to information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.
Timeline
-
Kaspersky ICS CERT advisory published
12 October 2022
-
Advisory published
12 October 2022
-
Vendor Informing
July 2022