WAGO PFC200 iocheckd service “I/O-Check” MAC Address overwrite Denial of Service Vulnerability
An exploitable denial-of-service vulnerability exists in the iocheckd service “I/O-Check” functionality of WAGO PFC 200. A specially crafted set of packets can cause a denial of service, resulting in the device entering an error state where it ceases all network communications. An attacker can send unauthenticated packets to trigger this vulnerability.
WAGO PFC200 Firmware version 03.01.07(13)* WAGO PFC200 Firmware version 03.00.39(12) WAGO PFC100 Firmware version 03.00.39(12)
*Firmware version 03.01.07(13) was not explicitly tested for this vulnerability but the vulnerable functionality does exist in this version. It is recommended that a fix be applied to this version, as well.
10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
CWE-306: Missing Authentication for Critical Function
The WAGO PFC200 Controller is one of WAGO’s programmable automation controllers that boasts high cybersecurity standards by including VPN, SSL and firewall software. WAGO controllers are used in many industries including automotive, rail, power engineering, manufacturing, and building management. The WAGO PFC200 Controller communicates via both standard and custom protocols.
A denial-of-service vulnerability exists in the iocheckd service “I/O-Check” functionality of WAGO PFC 200. An attacker can send an unauthenticated packet using the iocheckd protocol which will overwrite the MAC Address stored persistently on the device. A subsequent unauthenticated packet that reboots the device causes the device to enter a recovery state where it ceases normal functionality.
The device can be recovered to return normal operation by accessing the bootloader using the physical service interface connection. Recovery of the device requires physical access to the device and knowledge of the bootloader internal system data.
This vulnerability could be mitigated by disabling the iocheckd service “I/O-Check” via the Web-based management web application.
2019-07-30 - Vendor disclosure
2019-09-06 - 30+ day follow up
2019-10-02 - 60+ day follow up; vendor acknowledged
2019-10-31 - Vendor passed to CERT@VDE for coordination; Talos extended public disclosure deadline
2019-12-16 - Public Release
Discovered by Kelly Leuschner of Cisco Talos