CVE-2023-4089: VDE-2023-046 | CERT@VDE
On affected WAGO products, a remote attacker with administrative privileges can access files to which they already have access through an undocumented local file inclusion. This access is logged in a different log file than expected.
VDE-2023-046 (2023-10-17 08:00 CEST)
WAGO: Multiple products vulnerable to local file inclusion
Published: 2023-10-17 08:00 (CEST)
Last update: 2023-10-13 11:28 (CEST)
Vendor(s): WAGO GmbH & Co. KG
Product(s)

Article No.          Product Name                       Affected Version(s)
751-9301             Compact Controller CC100           FW19 <= FW26
752-8303/8000-002    Edge Controller                    FW18 <= FW26
750-81xx/xxx-xxx     PFC100                             FW16 <= FW26
750-82xx/xxx-xxx     PFC200                             FW16 <= FW26
762-5xxx             Touch Panel 600 Advanced Line      FW16 <= FW26
762-6xxx             Touch Panel 600 Marine Line        FW16 <= FW26
762-4xxx             Touch Panel 600 Standard Line      FW16 <= FW26
Summary
An attacker with administrative privileges who can already access sensitive files can additionally access them in an unintended, undocumented way.
CVE ID: CVE-2023-4089
Last Update: Oct. 12, 2023, 9:04 a.m.
Severity
Weakness: Externally Controlled Reference to a Resource in Another Sphere (CWE-610)
Details
Impact
Users might not notice that the files are being accessed, because the access is recorded in a different log file than expected.
Solution
Mitigation
As general security measures, WAGO strongly recommends:
- Use general security best practices to protect systems from local and network attacks.
- Do not allow direct access to the device from untrusted networks.
- Update to the latest firmware according to the table in chapter Solutions.
Remediation
We recommend that all affected users update to the firmware version listed below:
FW23
Article No.          Product Name                       Fixed version (ETA Q2/2024)
751-9301             Compact Controller CC100           FW27
752-8303/8000-002    Edge Controller
750-81xx/xxx-xxx     PFC100
750-82xx/xxx-xxx     PFC200
762-5xxx             Touch Panel 600 Advanced Line
762-6xxx             Touch Panel 600 Marine Line
762-4xxx             Touch Panel 600 Standard Line
Reported by
The vulnerability was reported by Floris Hendriks and Jeroen Wijenbergh from Radboud University.
Coordination done by CERT@VDE.