Talos Vulnerability Report

TALOS-2019-0869

WAGO PFC200 iocheckd service "I/O-Check" MAC Address overwrite Denial of Service Vulnerability

December 16, 2019
CVE Number

CVE-2019-5077

Summary

An exploitable denial-of-service vulnerability exists in the iocheckd service “I/O-Check” functionality of WAGO PFC 200. A specially crafted set of packets can cause a denial of service, resulting in the device entering an error state where it ceases all network communications. An attacker can send unauthenticated packets to trigger this vulnerability.

Tested Versions

WAGO PFC200 Firmware version 03.01.07(13)*
WAGO PFC200 Firmware version 03.00.39(12)
WAGO PFC100 Firmware version 03.00.39(12)

*Firmware version 03.01.07(13) was not explicitly tested for this vulnerability but the vulnerable functionality does exist in this version. It is recommended that a fix be applied to this version, as well.

Product URLs

https://www.wago.com/us/pfc200
https://www.wago.com/us/pfc100

CVSSv3 Score

10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

CWE

CWE-306: Missing Authentication for Critical Function

Details

The WAGO PFC200 Controller is one of WAGO’s programmable automation controllers that boasts high cybersecurity standards by including VPN, SSL and firewall software. WAGO controllers are used in many industries including automotive, rail, power engineering, manufacturing, and building management. The WAGO PFC200 Controller communicates via both standard and custom protocols.

A denial-of-service vulnerability exists in the iocheckd service “I/O-Check” functionality of WAGO PFC 200. An attacker can send an unauthenticated packet using the iocheckd protocol which will overwrite the MAC Address stored persistently on the device. A subsequent unauthenticated packet that reboots the device causes the device to enter a recovery state where it ceases normal functionality.

The device can be restored to normal operation by accessing the bootloader through the physical service interface connection. Recovery therefore requires physical access to the device and knowledge of the bootloader's internal system data.

Mitigation

This vulnerability can be mitigated by disabling the iocheckd service "I/O-Check" via the device's web-based management application.

Timeline

2019-07-30 - Vendor disclosure
2019-09-06 - 30+ day follow up
2019-10-02 - 60+ day follow up; vendor acknowledged
2019-10-31 - Vendor passed to CERT@VDE for coordination; Talos extended public disclosure deadline
2019-12-16 - Public Release

Credit

Discovered by Kelly Leuschner of Cisco Talos