Headline
CVE-2023-5188: VDE-2023-044 | CERT@VDE
The MMS Interpreter of WagoAppRTU in versions below 1.4.6.0 which is used by the WAGO Telecontrol Configurator is vulnerable to malformed packets. An remote unauthenticated attacker could send specifically crafted packets that lead to a denial-of-service condition until restart of the affected device.
2023-12-05 08:00 (CET) VDE-2023-044
Wago: Vulnerabilities in IEC61850 Server / Telecontrol
Share: Email | Twitter
Published
2023-12-05 08:00 (CET)
Last update
2023-12-04 08:35 (CET)
Vendor(s)
WAGO GmbH & Co. KG
Product(s)
Article No°
Product Name
Affected Version(s)
Telecontrol Configurator
= *
WagoAppRTU
< 1.4.6.0
Summary
The Library WagoAppRTU which is part of the Wago Telecontrol Configurator is prone to improper input validation. By sending specifically crafted MMS packets an attacker can trigger a denial-of-service condition.
CVE ID
Last Update:
Oct. 26, 2023, 11:55 a.m.
Severity
Weakness
Improper Input Validation (CWE-20)
Summary
The MMS Interpreter of WagoAppRTU in versions below 1.4.6.0 which is used by the WAGO Telecontrol Configurator is vulnerable to malformed packets. An remote unauthenticated attacker could send specifically crafted packets that lead to a denial-of-service condition until restart of the affected device.
Details
Impact
Affected devices will stop working after receiving specifically crafted packets until restart.
Solution
Mitigation
- Restrict network access to the device.
- Do not directly connect the device to the internet.
Remediation
A fix for WAGO Telecontrol Configurator is contained within the IEC-library WagoAppRTU 1.4.6.0 and available via Wago support. (A new release is planned for the end of the year.)
Reported by
The vulnerability was reported by Sofia Pisani.
Coordination done by CERT@VDE.