12 October 2022

KLCERT-22-046: WAGO 750 Controllers. Denial of service of the FTP server

Researcher

Roman Ezhov, Kaspersky Lab

Timeline

Timeline

  • Kaspersky ICS CERT advisory published

    12 October 2022

  • Advisory published

    12 October 2022

  • Vendor Informing

    July 2022

Description

Kaspersky Lab has discovered a denial-of-service vulnerability in the WAGO 750 controllers.


Exploitability

Remotely

Attack complexity

Low

User interaction

None

Availability

A complete restart of the device is required to restore its normal operations

Vulnerable ports

21/TCP

Impact

Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition on devices that incorporate a vulnerable version of the FTP server.

Existence of exploit

Proof-of-Concept

Affected products

The following WAGO products:

  • 750-330 with firmware version FW13 and before
  • 750-332 with firmware version FW10 and before
  • 750-352/xxx-xxx with firmware version FW14 and before
  • 750-362/xxx-xxx with firmware version FW10 and before
  • 750-363/xxx-xxx with firmware version FW10 and before
  • 750-364/xxx-xxx with firmware version FW10 and before
  • 750-365/xxx-xxx with firmware version FW10 and before
  • 750-823 with firmware version FW10 and before
  • 750-829 with firmware version FW13 and before
  • 750-831/xxx-xxx with firmware version FW13 and before
  • 750-832/xxx-xxx with firmware version FW10 and before
  • 750-852 with firmware version FW16 and before
  • 750-862 with firmware version FW10 and before
  • 750-880/xxx-xxx with firmware version FW16 and before
  • 750-881 with firmware version FW16 and before
  • 750-882 with firmware version FW16 and before
  • 750-885/xxx-xxx with firmware version FW16 and before
  • 750-889 with firmware version FW16 and before
  • 750-890/xxx-xxx with firmware version FW10 and before
  • 750-891 with firmware version FW10 and before
  • 750-893 with firmware version FW10 and before

Mitigation

Vendor mitigation

Primary:

WAGO recommend all affected users to update to the firmware version listed below:

Series WAGO 750-3x / -8x
Article Number Fixed in Firmware Version
750-330 Beta FW17 Q1/2023
750-332 FW11 after BACnet certification
750-352/xxx-xxx FW17 Q1/2023
750-362/xxx-xxx FW11 Q1/2023
750-363/xxx-xxx FW11 Q1/2023
750-364/xxx-xxx FW11 Q1/2023
750-365/xxx-xxx FW11 Q1/2023
750-823 FW11 Q1/2023
750-829 Beta FW17 Q1/2023
750-831/xxx-xxx Beta FW17 Q1/2023
750-832/xxx-xxx FW11 after BACnet certification
750-852 FW17 Q1/2023
750-862 FW11 Q1/2023
750-880/xxx-xxx FW17 Q1/2023
750-881 FW17 Q1/2023
750-882 FW17 Q1/2023
750-885/xxx-xxx FW17 Q1/2023
750-889 FW17 Q1/2023
750-890/xxx-xxx FW11 Q1/2023
750-891 FW11 Q1/2023
750-893 FW11 Q1/2023

Generic:

For devices 750-362 – 750-365 and 750-823, 750-862, 750-890 – 750-893 the FTP server is disabled in the default configuration.

If you enabled the FTP Server, but you do not need FTP data transfer, you can deactivate the FTP Server over the product settings in the web-based management. As general security measures strongly WAGO recommends:

  1. Use general security best practices to protect systems from local and network attacks.
  2. Do not allow direct access to the device from untrusted networks.

Update to the latest firmware according to the table in chapter solutions. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].

Kaspersky ICS CERT mitigation

Primary:

Set up the border firewall (or a similar network traffic control solution) to allow only authorized parties to send traffic to port 21/TCP of the system.

Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees with respect to information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.

Timeline

  • Kaspersky ICS CERT advisory published

    12 October 2022

  • Advisory published

    12 October 2022

  • Vendor Informing

    July 2022