CVE-2023-1620: VDE-2023-006 | CERT@VDE

Multiple WAGO devices in multiple versions may allow an authenticated remote attacker with high privileges to DoS the device by sending a specifically crafted packet to the CODESYS V2 runtime.


2023-06-25 08:00 (CEST) VDE-2023-006

WAGO: Controller with CODESYS 2.3 Runtime Denial-of-Service

**Published**

2023-06-25 08:00 (CEST)

**Last update**

2023-06-23 07:03 (CEST)

Vendor(s)

WAGO GmbH & Co. KG

**Summary**

An authenticated attacker can send a malformed packet that triggers a device crash through the command parsing of the CODESYS V2 runtime.

**Vulnerabilities**

Last Update: June 20, 2023, 4:40 p.m.

Weakness: Improper Input Validation (CWE-20)

Summary: Multiple WAGO devices in multiple versions may allow an authenticated remote attacker with high privileges to DoS the device by sending a malformed packet.

Last Update: June 20, 2023, 4:42 p.m.

Weakness: Improper Input Validation (CWE-20)

Summary: Multiple WAGO devices in multiple versions may allow an authenticated remote attacker with high privileges to DoS the device by sending a specifically crafted packet to the CODESYS V2 runtime.

**Impact**

By abusing these vulnerabilities, an attacker can crash an affected product, which completely prevents it from working as intended. After a full restart, the component works as expected again.

**Solution**

Mitigation

If the PLC runtime is running but you do not need it, you can deactivate the PLC runtime programming port in the product settings of the Web-Based Management (WBM). The option is located under “Configuration > PLC Runtime Services > CODESYS 2 > communication enabled”.

As general security measures, WAGO strongly recommends:

  1. Use general security best practices to protect systems from local and network attacks.
  2. Do not allow direct access to the device from untrusted networks.
  3. Update to the latest firmware according to the table in the Remediation section below.
  4. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying a defense-in-depth strategy.

The BSI provides general information on securing ICS in the ICS Compendium (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/ICS/ICS-Security_compendium.pdf).
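Once the CODESYS 2 "communication enabled" switch has been turned off, the change should be verified from the network side rather than trusted from the WBM alone. The following check is an added example and is not part of the CERT@VDE advisory or of WAGO's product code. It assumes that the CODESYS V2 runtime accepts programming connections on TCP port 2455 (the usual CODESYS V2 default; confirm against the port list of the specific device) and that a refused or timed-out connection on that port is the expected result after mitigation. The self-check uses a loopback listener standing in for a PLC so it runs offline; the host addresses in the usage comment are documentation-range placeholders.

```python
"""Verify that the CODESYS 2 programming port is no longer reachable on a PLC.

Added example; not from the advisory or WAGO. Assumption: CODESYS V2 listens on
TCP 2455 by default (check the device's port list).
"""
import socket
from typing import Dict, Iterable, Tuple

CODESYS2_PORT = 2455  # assumed CODESYS V2 runtime port; verify per device


def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port succeeds, else False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # connection refused, host unreachable, or timeout
        return False


def audit(hosts: Iterable[str], port: int = CODESYS2_PORT,
          timeout: float = 2.0) -> Dict[str, str]:
    """Classify each host as 'exposed' (port accepts TCP) or 'closed'.

    'exposed' means the CODESYS 2 runtime port is still reachable from the
    auditing host, i.e. the mitigation is not effective from that vantage point.
    """
    return {h: ("exposed" if port_open(h, port, timeout) else "closed")
            for h in hosts}


def selfcheck() -> Tuple[bool, bool]:
    """Offline demonstration: a loopback listener stands in for the PLC.

    Returns (reachable while the listener is up, reachable after it is closed),
    which mirrors the before/after state of the WBM switch.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port; no real PLC required
    srv.listen(1)
    port = srv.getsockname()[1]
    before = port_open("127.0.0.1", port)
    srv.close()  # equivalent of deactivating the runtime port
    after = port_open("127.0.0.1", port)
    return before, after


if __name__ == "__main__":
    print(selfcheck())  # (True, False)
    # Real use, from an engineering-network host (placeholder addresses):
    # print(audit(["192.0.2.10", "192.0.2.11"]))
```

Run the audit from every network segment that is supposed to be cut off from the controller, not only from the engineering workstation: a port that is closed from one vantage point may still be reachable through another interface or route.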

Remediation

We recommend that all affected users update to the firmware version listed below:

| Order No. | Firmware Version |
|---|---|
| **PFC200 Family** | |
| 750-8202/xxx-xxx | FW 22 Patch 2 available in Q4 2023 |
| 750-8203/xxx-xxx | FW 22 Patch 2 available in Q4 2023 |
| 750-8204/xxx-xxx | FW 22 Patch 2 available in Q4 2023 |
| 750-8206/xxx-xxx | FW 22 Patch 2 available in Q4 2023 |
| 750-8207/xxx-xxx | FW 22 Patch 2 available in Q4 2023 |
| 750-8208/xxx-xxx | FW 22 Patch 2 available in Q4 2023 |
| 750-8210/xxx-xxx | FW 22 Patch 2 available in Q4 2023 |
| 750-8211/xxx-xxx | FW 22 Patch 2 available in Q4 2023 |
| 750-8212/xxx-xxx | FW 22 Patch 2 available in Q4 2023 |
| 750-8213/xxx-xxx | FW 22 Patch 2 available in Q4 2023 |
| 750-8214/xxx-xxx | FW 22 Patch 2 available in Q4 2023 |
| 750-8216/xxx-xxx | FW 22 Patch 2 available in Q4 2023 |
| 750-8217/xxx-xxx | FW 22 Patch 2 available in Q4 2023 |
| **Ethernet Controller 4th Generation family** | |
| 750-823 | FW 11 available in early Q3 2023 |
| 750-332 | FW 11 available in early Q3 2023 |
| 750-832/xxx-xxx | FW 11 available in early Q3 2023 |
| 750-862 | FW 11 available in early Q3 2023 |
| 750-890/xxx-xxx | FW 11 available in early Q3 2023 |
| 750-891 | FW 11 available in early Q3 2023 |
| 750-893 | FW 11 available in early Q3 2023 |
| **Ethernet Controller 3rd Generation family** | |
| 750-331 | FW 17 (after BACnet certification) |
| 750-829 | FW 17 (after BACnet certification) |
| 750-831/xxx-xxx | FW 17 (after BACnet certification) |
| 750-852 | FW 17 (already available) |
| 750-880/xxx-xxx | FW 17 (already available) |
| 750-881 | FW 17 (already available) |
| 750-882 | FW 17 (already available) |
| 750-885/xxx-xxx | FW 17 (already available) |
| 750-889 | FW 17 (already available) |

**Reported by**

The vulnerability was reported by Daniel dos Santos and Abdelrahman Hassanien from Forescout.

Coordination done by CERT@VDE.
