WAGO PFC200 iocheckd service “I/O-Check” factory restore denial-of-service vulnerability
An exploitable denial-of-service vulnerability exists in the iocheckd service “I/O-Check” functionality of WAGO PFC 200. A single packet can cause a denial of service and weaken credentials resulting in the default documented credentials being applied to the device. An attacker can send an unauthenticated packet to trigger this vulnerability.
WAGO PFC200 Firmware version 03.01.07(13) WAGO PFC200 Firmware version 03.00.39(12) WAGO PFC100 Firmware version 03.00.39(12)
10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
CWE-306: Missing Authentication for Critical Function
The WAGO PFC200 Controller is one of WAGO’s programmable automation controllers that boasts high cybersecurity standards by including VPN, SSL and firewall software. WAGO controllers are used in many industries including automotive, rail, power engineering, manufacturing, and building management. The WAGO PFC200 Controller communicates via both standard and custom protocols.
A denial-of-service vulnerability exists in the iocheckd service “I/O-Check” functionality of WAGO PFC 200. An attacker can send an unauthenticated packet using the iocheckd protocol which will cause the device to restore factory settings. Part of the factory restore procedure is to restore the well-known and documented default passwords for linux users and lighthttpd users used for authentication with the web server provided by the device. The CODESYS runtime is also stopped as a result of this message which will stop the industrial application.
This vulnerability could be mitigated by disabling the iocheckd service “I/O-Check” via the Web-based management web application.
2019-07-30 - Vendor disclosure
2019-09-06 - 30+ day follow up
2019-10-02 - 60+ day follow up; vendor acknowledged
2019-10-31 - Vendor passed to CERT@VDE for coordination; Talos extended public disclosure deadline
2019-12-16 - Public Release
Discovered by Kelly Leuschner of Cisco Talos