Headline
CVE-2023-1698: VDE-2023-007 | CERT@VDE
In multiple products of WAGO a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behaviour, Denial of Service and full system compromise.
2023-05-15 10:00 (CEST) VDE-2023-007
WAGO: Unauthenticated command execution via Web-based-management
Published
2023-05-15 10:00 (CEST)
Last update
2023-05-08 16:11 (CEST)
Vendor(s)
WAGO GmbH & Co. KG
Product(s)
| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| 751-9301 | Compact Controller CC100 | FW20 <= FW22 |
| 751-9301 | Compact Controller CC100 | = FW23 |
| 752-8303/8000-002 | Edge Controller | = FW22 |
| 750-81xx/xxx-xxx | PFC100 | FW20 <= FW22 |
| 750-81xx/xxx-xxx | PFC100 | = FW23 |
| 750-82xx/xxx-xxx | PFC200 | FW20 <= FW22 |
| 750-82xx/xxx-xxx | PFC200 | = FW23 |
| 762-5xxx | Touch Panel 600 Advanced Line | = FW22 |
| 762-6xxx | Touch Panel 600 Marine Line | = FW22 |
| 762-4xxx | Touch Panel 600 Standard Line | = FW22 |
Summary
The “legal information” plugin of web-based-management contained a vulnerability which allowed execution of arbitrary commands with the privileges of the www user.
CVE ID
Last Update:
May 4, 2023, 9:18 a.m.
Severity
Weakness
Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) (CWE-78)
Summary
In multiple products of WAGO a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behaviour, Denial of Service and full system compromise.
Details
Impact
Exploiting the vulnerability provides arbitrary command execution with privileges of the ‘www’ user. Via this flaw an attacker can change device configuration, create users or even take over the system.
Solution
Mitigation
As general security measures, WAGO strongly recommends:
- Use general security best practices to protect systems from local and network attacks.
- Do not allow direct access to the device from untrusted networks.
- Update to the latest firmware according to the table in the Solution chapter.
- Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy.
The BSI provides general information on securing ICS in the ICS Compendium (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/ICS/ICS-Security_compendium.pdf).
Remediation
WAGO recommends that all affected users update to the firmware version listed below:

| Article No° | Product Name | Fixed Version |
|---|---|---|
| 751-9301 | Compact Controller CC100 | FW24 |
| 752-8303/8000-002 | Edge Controller | FW22 Patch 1 or higher patch level |
| 752-8303/8000-002 | Edge Controller | FW24 |
| 750-81xx/xxx-xxx | PFC100 | FW22 Patch 1 or higher patch level |
| 750-81xx/xxx-xxx | PFC100 | FW24 |
| 750-82xx/xxx-xxx | PFC200 | FW22 Patch 1 or higher patch level |
| 750-82xx/xxx-xxx | PFC200 | FW24 |
| 762-5xxx | Touch Panel 600 Advanced Line | FW22 Patch 1 or higher patch level |
| 762-5xxx | Touch Panel 600 Advanced Line | FW24 |
| 762-6xxx | Touch Panel 600 Marine Line | FW22 Patch 1 or higher patch level |
| 762-6xxx | Touch Panel 600 Marine Line | FW24 |
| 762-4xxx | Touch Panel 600 Standard Line | FW22 Patch 1 or higher patch level |
| 762-4xxx | Touch Panel 600 Standard Line | FW24 |
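A check of a device inventory against the affected-version and fixed-version tables of this advisory, added here as an example and not part of the CERT@VDE or WAGO text. It assumes inventory entries carry the article number and an `FWnn [Patch n]` label as written in the advisory, reads "FW20 <= FW22" as FW20 through FW22 inclusive, and treats `x` in an article number as a one-character wildcard; the function names and the sample inventory are constructed.

```python
import re

# Rows transcribed from the advisory's tables: (article pattern, affected FW releases,
# whether "FW22 Patch 1 or higher patch level" is a listed fix). FW24 fixes every row.
# Assumption: "FW20 <= FW22" means FW20 through FW22 inclusive.
ADVISORY = [
    ("751-9301", {20, 21, 22, 23}, False),         # CC100: only FW24 is listed as a fix
    ("752-8303/8000-002", {22}, True),             # Edge Controller
    ("750-81xx/xxx-xxx", {20, 21, 22, 23}, True),  # PFC100
    ("750-82xx/xxx-xxx", {20, 21, 22, 23}, True),  # PFC200
    ("762-5xxx", {22}, True),                      # Touch Panel 600 Advanced Line
    ("762-6xxx", {22}, True),                      # Touch Panel 600 Marine Line
    ("762-4xxx", {22}, True),                      # Touch Panel 600 Standard Line
]

def article_regex(pattern):
    """Assumption: 'x' is a one-character wildcard; a non-literal variant suffix is optional."""
    base, _, suffix = pattern.partition("/")
    conv = lambda s: "".join(r"\w" if c == "x" else re.escape(c) for c in s)
    if suffix and set(suffix) - set("x-"):           # literal suffix must match exactly
        return re.compile(conv(base) + "/" + conv(suffix))
    return re.compile(conv(base) + r"(?:/[\w-]+)?")  # any or no variant suffix

def parse_fw(text):
    """'FW22 Patch 1' -> (22, 1); 'FW23' -> (23, 0). Label format follows the advisory."""
    m = re.fullmatch(r"\s*FW\s*(\d+)(?:\s+Patch\s+(\d+))?\s*", text, re.I)
    if not m:
        raise ValueError(f"unrecognised firmware label: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)

def classify(article, firmware):
    """Return 'affected', 'fixed' or 'not listed' for one device."""
    major, patch = parse_fw(firmware)
    for pattern, affected, patch_fix in ADVISORY:
        if article_regex(pattern).fullmatch(article.strip()):
            if major >= 24 or (patch_fix and major == 22 and patch >= 1):
                return "fixed"
            return "affected" if major in affected else "not listed"
    return "not listed"

# Constructed sample inventory (not real devices).
INVENTORY = [("750-8212", "FW22"), ("750-8212", "FW22 Patch 1"),
             ("751-9301", "FW23"), ("762-4303/8000-002", "FW22"),
             ("752-8303/8000-002", "FW24"), ("750-8100", "FW19")]

if __name__ == "__main__":
    for art, fw in INVENTORY:
        print(f"{art:20} {fw:14} {classify(art, fw)}")
```

A result of "not listed" means the advisory makes no statement about that article and firmware combination, not that the device is known to be safe.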
Reported by
The vulnerability was reported by Quentin Kaiser from ONEKEY.
Coordination done by CERT@VDE.