17 June 2019

Critical vulnerabilities in WAGO industrial switches

Dangerous vulnerabilities have been identified in WAGO industrial switch models 852-303, 852-1305, and 852-1505. If successfully exploited, these vulnerabilities could allow the remote compromise of the managed switch, resulting in disruption of communication and root access to the operating system.

The most dangerous of the vulnerabilities, which were assigned a CVSS v3 base score of 9.8, stem from sensitive data being hard-coded into the switch firmware.

One of these vulnerabilities (CVE-2019-12550) is due to the use of hard-coded credentials. An attacker with access to such credentials may gain access to the operating system of the managed switch with root privileges and perform various malicious manipulations, such as modifying settings, deleting applications, or implanting malicious code.

The second of the critical vulnerabilities (CVE-2019-12549) has to do with private SSH keys being hard-coded into the switch firmware. An attacker who is able to gain access to these keys may disrupt communication or compromise the device. Importantly, the SSH keys cannot be regenerated by users, and all switches use the same key.
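Because every affected switch presents the same SSH host key, a fleet-wide key check is a cheap way to spot the problem (and to confirm that post-update devices no longer share keys). The following is an added example, not code from the advisory or from the vendor: it takes `host keytype base64` records in the format printed by `ssh-keyscan`, computes OpenSSH-style SHA256 fingerprints, and reports any key seen on more than one host. The addresses and key blobs are constructed placeholders.

```python
"""Flag SSH host keys that are shared across several devices in an inventory."""
import base64
import hashlib
from collections import defaultdict


def fingerprint(b64_key: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of a base64-encoded host key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(lines):
    """Parse 'host keytype base64' records as printed by ssh-keyscan; skip comments and blanks."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed record, ignore rather than abort the whole scan
        records.append((parts[0], parts[1], parts[2]))
    return records


def shared_host_keys(lines):
    """Map each (keytype, fingerprint) seen on more than one host to the sorted list of hosts."""
    by_fp = defaultdict(set)
    for host, keytype, blob in parse_keyscan(lines):
        by_fp[(keytype, fingerprint(blob))].add(host)
    return {f"{kt} {fp}": sorted(hosts) for (kt, fp), hosts in by_fp.items() if len(hosts) > 1}


# Constructed sample: three devices present the same RSA key, a fourth has a unique key.
# The blobs are placeholders (not real keys); fingerprinting only needs base64 data.
SHARED_BLOB = base64.b64encode(b"constructed-shared-key").decode()
UNIQUE_BLOB = base64.b64encode(b"constructed-unique-key").decode()
SAMPLE_SCAN = [
    "# 192.0.2.10:22 constructed ssh-keyscan banner comment",
    f"192.0.2.10 ssh-rsa {SHARED_BLOB}",
    f"192.0.2.11 ssh-rsa {SHARED_BLOB}",
    f"192.0.2.12 ssh-rsa {SHARED_BLOB}",
    f"192.0.2.20 ssh-rsa {UNIQUE_BLOB}",
]

if __name__ == "__main__":
    for key, hosts in shared_host_keys(SAMPLE_SCAN).items():
        print(f"{key} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

On a real network, feed it the output of `ssh-keyscan` over the switch address range; any group it reports is a set of devices whose host identity cannot be told apart by SSH clients.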

Additionally, these products use outdated third-party components, BusyBox UNIX and the GNU C Library (glibc), that are affected by multiple known vulnerabilities.

The vendor has fixed all of the above vulnerabilities in new firmware versions:

  • for WAGO 852-303 – 1.2.2.S0 and later;
  • for WAGO 852-1305 – 1.1.6.S0 and later;
  • for WAGO 852-1505 – 1.1.5.S0 and later.

Sources: ICS-CERT, CERT VDE