20 December 2019

Multiple vulnerabilities in WAGO PLCs

Severe vulnerabilities have been identified in WAGO PFC200 and PFC100 programmable logic controllers, which, if exploited, could allow attackers to execute arbitrary code or cause denial of service. The vulnerabilities are caused by flaws in the protocol handling code of the I/O Check (iocheckd) configuration service used by the controllers.

In all, nine vulnerabilities were identified; six of them received the highest possible CVSS v3.0 base score of 10.0.

Three of the vulnerabilities (CVE-2019-5077, CVE-2019-5078, CVE-2019-5080) are caused by missing authentication for critical functions. By sending specially crafted packets, attackers can cause a denial-of-service condition, resulting in the device entering an error state in which it ceases all network communications. These vulnerabilities have a CVSS v3.0 base score of 10.

Another five vulnerabilities are caused by improper operations on a memory buffer in the same iocheckd protocol handling code and could lead to arbitrary code execution on the controller.

Finally, CVE-2019-5073 is an information exposure through sent data. A specially crafted sequence of packets triggers a failure path in which uninitialized stack data is copied into the response packet buffer and returned to the sender. A CVSS v3.0 base score of 5.3 was calculated for this vulnerability.

The vendor has released firmware updates that fix some of the vulnerabilities (CVE-2019-5073, CVE-2019-5074, CVE-2019-5075, CVE-2019-5079, CVE-2019-5081, CVE-2019-5082). The three missing-authentication denial-of-service issues (CVE-2019-5077, CVE-2019-5078, CVE-2019-5080) are not among them, so for those the mitigation below is the only protection.

To reduce the risk of exploitation, the vendor recommends using the I/O-Check protocol only during installation and setup. Once the system has been commissioned, the service should be disabled and port 6626 blocked at the network boundary, so that the vulnerable code is unreachable regardless of firmware version.
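The following is an added verification script, not code from the original article, the vendor, or Cisco Talos. It checks whether port 6626 is still reachable on a list of controllers after commissioning, which is the observable effect of the recommended mitigation. It assumes the I/O-Check service is reached over TCP (the article names only the port number), and the host addresses are constructed placeholders from the documentation range 192.0.2.0/24. It does not speak the I/O-Check protocol at all; it only attempts a TCP connection, so it cannot trigger any of the vulnerabilities described above.

```python
"""Post-commissioning check: is the I/O-Check port still exposed on any PLC?

Added example, not from the advisory. TCP is an assumption; the advisory
only names the port number. Run from the vantage point that matters (e.g. the
plant network), because a port filtered by a firewall on the path looks
"closed" from here even if iocheckd is still running on the device.
"""
import socket
import sys
from typing import Callable, Dict, Iterable, List

# Port named in the advisory for the I/O-Check (iocheckd) service.
IOCHECK_PORT = 6626

# Placeholder controller addresses (constructed, RFC 5737 documentation range).
SAMPLE_HOSTS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout.

    A refused connection, a timeout (filtered port) and an unresolvable host
    all count as "not exposed" from this vantage point.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(hosts: Iterable[str],
          port: int = IOCHECK_PORT,
          probe: Callable[[str, int], bool] = tcp_port_open) -> Dict[str, str]:
    """Map each host to 'EXPOSED' (port reachable) or 'closed'.

    `probe` is injectable so the logic can be exercised without a network.
    """
    return {h: ("EXPOSED" if probe(h, port) else "closed") for h in hosts}


def exposed_hosts(report: Dict[str, str]) -> List[str]:
    """Sorted list of hosts on which the I/O-Check port was reachable."""
    return sorted(h for h, status in report.items() if status == "EXPOSED")


def main(argv: List[str]) -> int:
    hosts = argv[1:] or SAMPLE_HOSTS
    report = audit(hosts)
    for host in hosts:
        print(f"{host}:{IOCHECK_PORT}\t{report[host]}")
    bad = exposed_hosts(report)
    if bad:
        print(f"{len(bad)} controller(s) still expose port {IOCHECK_PORT}; "
              "disable I/O-Check or block the port before going live.")
        return 1
    print("No controller exposes the I/O-Check port from this vantage point.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python iocheck_audit.py 10.1.2.3 10.1.2.4 ...` with the real controller addresses; a non-zero exit status means at least one PLC still answers on 6626. Because three of the nine CVEs have no firmware fix, a controller that shows `EXPOSED` here is attackable by an unauthenticated host on that network regardless of its firmware level.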

Source: Cisco Talos