Headline
CVE-2020-6090: TALOS-2020-1010 || Cisco Talos Intelligence Group
Summary
An exploitable code execution vulnerability exists in the Web-Based Management (WBM) functionality of WAGO PFC 200 03.03.10(15). A specially crafted series of HTTP requests can cause code execution resulting in remote code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Tested Versions
WAGO PFC 200 03.03.10(15)
Product URLs
https://www.wago.com/us/pfc200
CVSSv3 Score
9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE
CWE-269 - Improper Privilege Management
Details
WAGO is a manufacturer of programmable automation controllers that are used in many industries including automotive, rail, power engineering, manufacturing, and building management.
The WBM (Web-Based Management) application provides configuration and customization to the user. WAGO documentation states that the web users are isolated from the Linux system users on the device; the PFC 200 750-8206 user manual draws a clear distinction between the WBM users and the Linux system users. Section 4.1.2.1.2, WBM User Group, states:
WBM has its own user administration system. The users in this system are isolated from the other user groups in the system for security reasons.
This vulnerability allows an attacker to gain root privileges on the device from the WBM admin user.
The software upload functionality of WBM allows the web-admin user to upload a software package in the opkg .ipk format and activate it. The structure of an .ipk file is relatively simple, and it provides no integrity checks such as code signing for the software contained in the package. The tree below shows the contents of an .ipk file:
|-- control
|   |-- control
|   |-- postinst
|   |-- preinst
|   `-- prerm
|-- data
|   |-- usr
|   |   `-- bin
|   |       `-- example_binary
|   `-- lib
|       `-- systemd
|           `-- system
|               `-- example_package.service
`-- debian-binary
When the user activates the software package, a shell script on the device called activate_download is executed. The code excerpt below shows on lines 097 and 109 that the package install/activate utility opkg is executed with root permissions via sudo:
095:     update-script ) if [ "install" = $action ]; then
096:                         #echo "activate" $path$filename "for update-script"
097:                         sudo /usr/bin/opkg install "$path$filename" > /dev/null 2> /dev/null
098:
099:                         if [ $? != $SUCCESS ]; then
100:
101:                             status=$SHELL_ERROR
102:                             ReportError $status "(/usr/bin/opkg install $path$filename)"
103:                             SetLastError "Error while execution"
104:                         fi
105:                     fi
106:                     #force overwrite
107:                     if [ "force" = $action ]; then
108:                         #echo "force-overwrite" $path$filename "for update-script"
109:                         sudo /usr/bin/opkg install --force-overwrite --force-reinstall --force-downgrade "$path$filename" > /dev/null 2> /dev/null
Since the opkg utility is executed with root permissions, any of the maintainer scripts within the control portion of the package (preinst, postinst, prerm) are also executed with root permissions. Additionally, the attacker can force the activation, which means that the installed package can overwrite files belonging to other packages. Forcing the activation therefore gives an attacker the ability to overwrite system services with attacker-controlled code.
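As an added illustration of why a package of this form needs review before activation (example code written for this page, not from the advisory or from WAGO), the following parses the .ipk layout shown above and reports the maintainer scripts opkg would run as root plus the data paths a forced install could overwrite. The sample package and the list of sensitive path prefixes are constructed for this example.

```python
import io, tarfile

# Prefixes where a data.tar.gz entry would replace system-owned files once opkg
# runs as root with --force-overwrite (prefix list chosen for this example).
SENSITIVE_PREFIXES = ("lib/systemd/system/", "etc/", "usr/bin/", "usr/sbin/", "bin/", "sbin/")
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

def _tar_gz(members):
    """Build an in-memory tar.gz from {name: bytes} and return its bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_sample_ipk():
    """Constructed sample .ipk mirroring the layout in the advisory (not a real package)."""
    control = _tar_gz({
        "./control": b"Package: example\nVersion: 1.0\nArchitecture: all\n",
        "./postinst": b"#!/bin/sh\necho post-install step\n",
    })
    data = _tar_gz({
        "./usr/bin/example_binary": b"#!/bin/sh\necho hello\n",
        "./lib/systemd/system/example_package.service": b"[Service]\nExecStart=/usr/bin/example_binary\n",
    })
    return _tar_gz({"./debian-binary": b"2.0\n", "./control.tar.gz": control, "./data.tar.gz": data})

def _members(tar_gz_bytes):
    """Return {normalised path: bytes} for the regular files in a tar.gz."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_gz_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile():
                name = m.name[2:] if m.name.startswith("./") else m.name.lstrip("/")
                out[name] = tar.extractfile(m).read()
    return out

def audit_ipk(ipk_bytes):
    """Report what activating the package would do with root privileges: the
    maintainer scripts opkg executes, and data paths a forced install could overwrite."""
    outer = _members(ipk_bytes)
    control = _members(outer["control.tar.gz"])
    data = _members(outer["data.tar.gz"])
    scripts = sorted(n for n in control if n in MAINTAINER_SCRIPTS)
    overwrites = sorted(p for p in data if p.startswith(SENSITIVE_PREFIXES))
    return {"root_scripts": scripts, "sensitive_paths": overwrites, "risky": bool(scripts or overwrites)}
```

On the constructed sample, audit_ipk flags the postinst script and both the systemd unit and the binary under /usr/bin, which is exactly the footprint the forced activation path on line 109 would let a package apply.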
Timeline
2020-02-11 - Vendor Disclosure
2020-02-12 - Vendor acknowledged
2020-05-06 - Talos followed up with vendor
2020-05-07 - Vendor requested disclosure extension; Talos granted extension
2020-06-10 - Public Release
Discovered through discussions between WAGO and Cisco Talos.