Talos Vulnerability Report

TALOS-2019-0951

WAGO e!COCKPIT Firmware Downgrade Vulnerability

March 9, 2019
CVE Number

CVE-2019-5158

Summary

An exploitable firmware downgrade vulnerability exists in the firmware update package functionality of the WAGO e!COCKPIT automation software. A specially crafted firmware update file can allow an attacker to install an older firmware version while the user thinks a newer firmware version is being installed. An attacker can create a custom firmware update package with invalid metadata in order to trigger this vulnerability.

Tested Versions

WAGO e!COCKPIT 1.6.1.5

Product URLs

https://www.wago.com/us/ecockpit-engineering-software

CVSSv3 Score

8.6 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-20: Improper Input Validation

Details

WAGO is a manufacturer of programmable automation controllers used in many industries, including automotive, rail, power engineering, manufacturing, and building management. WAGO’s e!COCKPIT automation software is an all-in-one utility that provides programming, visualization and diagnostics for WAGO’s entire family of PLCs.

The e!COCKPIT software supports updating WAGO controllers’ firmware via wup (WAGO update package) files. Typically, these wup files are downloaded automatically by e!COCKPIT from WAGO servers. However, the user also has the option of choosing any file on disk to be used by the firmware update mechanism, as long as it conforms to the expected data format of a wup file. Additionally, if a wup file is placed in C:\ProgramData\WAGO Software\e!COCKPIT\FirmwareRepository, it will automatically be available to the user in the Firmware Update dialog box.

The wup file format is a zip archive that is optionally encrypted with ZipCrypto. A hard-coded password is used to encrypt this archive; however, an unencrypted file is also accepted by the software. Each directory in the archive contains an XML file referred to as the control file. This control file specifies information about the firmware contained in the archive and lists additional files within the archive that will be written to the device.

The control file is expected to be named package-info.xml and to reside in the top-level directory of the archive. It contains an XML node <FirmwareDescription> whose attributes describe metadata about the firmware package, including Revision and ReleaseIndex.

An attacker could prepare a malicious wup file by extracting a legitimate WAGO wup file using the hard-coded password. Once extracted, the attacker could copy the signed firmware file and re-package it with a package-info.xml file that contains a different version number. For example, the wup file contains the signed firmware for version 12, but the package-info.xml metadata reports that the wup file contains version 15. In this case, when performing the firmware update, the user will think they are installing version 15 when in reality version 12 is installed on the device. This could allow the attacker to gain access to the device after the firmware update by exploiting known vulnerabilities in older firmware versions.
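The root cause described above is that e!COCKPIT trusts the Revision declared in package-info.xml without tying it to the firmware image actually inside the archive. The following Python example, added here and not part of the Talos advisory or of WAGO's software, shows the check a defender can run on a wup file before trusting what the update dialog displays: it reads the control file, hashes every payload file, and compares the declared Revision against a trusted list that maps known firmware image hashes to the revision they really are. The control-file layout is assumed beyond what the advisory states (a top-level package-info.xml containing a <FirmwareDescription> node with Revision and ReleaseIndex attributes); the archive contents, image bytes and trusted mapping are constructed sample data, and the optional password argument is only needed for ZipCrypto-encrypted packages.

```python
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

CONTROL_FILE = "package-info.xml"  # control file must sit at the archive top level

# Constructed sample firmware image and the revision it is known to belong to.
# A real trusted list would be built from vendor-published packages, keyed by SHA-256.
SAMPLE_IMAGE = b"constructed firmware image bytes (stands in for a signed image)"
TRUSTED = {hashlib.sha256(SAMPLE_IMAGE).hexdigest(): "12"}


def build_wup(revision, release_index, firmware_name, firmware_bytes):
    """Build an unencrypted wup-style archive in memory (constructed test data).

    The <Package>/<File> elements are assumed; only <FirmwareDescription> with
    Revision and ReleaseIndex attributes is documented in the advisory.
    """
    control = (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<Package>\n"
        f'  <FirmwareDescription Revision="{revision}" ReleaseIndex="{release_index}" />\n'
        f'  <File Name="{firmware_name}" />\n'
        "</Package>\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(CONTROL_FILE, control)
        zf.writestr(firmware_name, firmware_bytes)
    return buf.getvalue()


def inspect_wup(wup_bytes, password=None):
    """Return the declared metadata and the SHA-256 of every payload file.

    password: bytes for ZipCrypto-encrypted packages (zipfile reads traditional
    ZipCrypto); None for unencrypted packages, which the software also accepts.
    """
    info = {"revision": None, "release_index": None, "payload": {}}
    with zipfile.ZipFile(io.BytesIO(wup_bytes)) as zf:
        names = zf.namelist()
        if CONTROL_FILE not in names:
            raise ValueError("control file missing at archive top level")
        with zf.open(CONTROL_FILE, pwd=password) as f:
            root = ET.parse(f).getroot()
        desc = root.find(".//FirmwareDescription")
        if desc is None:
            raise ValueError("no <FirmwareDescription> node in control file")
        info["revision"] = desc.get("Revision")
        info["release_index"] = desc.get("ReleaseIndex")
        for name in names:
            if name == CONTROL_FILE or name.endswith("/"):
                continue
            with zf.open(name, pwd=password) as f:
                info["payload"][name] = hashlib.sha256(f.read()).hexdigest()
    return info


def check_declared_version(info, trusted):
    """Compare the declared Revision with the revision known for each image hash.

    trusted: dict mapping sha256 hex digest -> revision string.
    Returns a list of findings; an empty list means the metadata is consistent.
    """
    findings = []
    for name, digest in info["payload"].items():
        known = trusted.get(digest)
        if known is None:
            findings.append(f"{name}: image hash not in trusted list")
        elif known != info["revision"]:
            findings.append(
                f"{name}: control file declares revision {info['revision']} "
                f"but image is known as revision {known}"
            )
    return findings


if __name__ == "__main__":
    # Legitimate package: metadata matches the image.
    legit = build_wup("12", "1", "firmware.img", SAMPLE_IMAGE)
    print("legit:", check_declared_version(inspect_wup(legit), TRUSTED))
    # Downgrade package: same version-12 image, relabelled as version 15.
    forged = build_wup("15", "1", "firmware.img", SAMPLE_IMAGE)
    print("forged:", check_declared_version(inspect_wup(forged), TRUSTED))
```

The check deliberately ignores what the control file claims about itself and anchors the version to the image hash, which is the only thing that survives re-packaging; running it against files dropped into the FirmwareRepository directory, or against any user-selected wup, catches the relabelled package before the update dialog presents the wrong version.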

Timeline

2019-10-31 - Vendor Disclosure
2019-10-31 - Vendor acknowledged and passed to CERT@VDE for coordination/handling
2020-01-28 - Talos discussion with vendor; disclosure deadline extended
2020-03-09 - Public Release

Credit

Discovered by Kelly Leuschner of Cisco Talos.