Headline
CVE-2019-18202: VDE-2019-017 | CERT@VDE
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
2019-09-18 13:25 (CEST) VDE-2019-017
WAGO: Series PFC100/PFC200 Information Disclosure
Share: Email | Twitter
Published
2019-09-18 13:25 (CEST)
Last update
2019-09-18 13:25 (CEST)
Vendor(s)
WAGO GmbH & Co. KG
Product(s)
Article No°
Product Name
Affected Version(s)
750-81xx/xxx-xxx (PFC100)
< FW12
750-82xx/xxx-xxx (PFC200)
< FW12
Summary
The reported vulnerability allows a remote attacker to check paths and file names that are used in filesystem operations.
Update, 18.9.2019, 18:30
- fixed typo in modelname, replaced PCF with PFC
CVE ID
Last Update:
18. Februar 2020 12:25
Severity
Weakness
Externally Controlled Reference to a Resource in Another Sphere (CWE-610)
Summary
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
Details
Impact
The vulnerability allows an attacker to check the existence of files via specially crafted HTTP requests. This can be potentially used to identify installed software and leak of sensitive data (e.g. session data stored in the file system).
Solution
Update your device to the latest firmware (>= FW 12).
Mitigation
- Restrict network access to the web server.
- Restrict network access to the device.
- Do not directly connect the device to the internet.
Reported by
This vulnerability was reported by Nico Jansen (Fachhochschule Aachen) to WAGO coordinated by CERT@VDE.