Talos Vulnerability Report

TALOS-2019-0872

WAGO PFC200 iocheckd service "I/O-Check" factory restore denial-of-service vulnerability

December 16, 2019
CVE Number

CVE-2019-5080

WAGO PFC200 iocheckd service "I/O-Check" factory restore denial-of-service vulnerability

Summary

An exploitable denial-of-service vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. A single packet can cause a denial of service and weaken credentials resulting in the default documented credentials being applied to the device. An attacker can send an unauthenticated packet to trigger this vulnerability.

Tested Versions

WAGO PFC200 Firmware version 03.01.07(13) WAGO PFC200 Firmware version 03.00.39(12) WAGO PFC100 Firmware version 03.00.39(12)

Product URLs

https://www.wago.com/us/pfc200 https://www.wago.com/us/pfc100

CVSSv3 Score

10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

CWE

CWE-306: Missing Authentication for Critical Function

Details

The WAGO PFC200 Controller is one of WAGO's programmable automation controllers that boasts high cybersecurity standards by including VPN, SSL and firewall software. WAGO controllers are used in many industries including automotive, rail, power engineering, manufacturing, and building management. The WAGO PFC200 Controller communicates via both standard and custom protocols.

A denial-of-service vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. An attacker can send an unauthenticated packet using the iocheckd protocol which will cause the device to restore factory settings. Part of the factory restore procedure is to restore the well-known and documented default passwords for linux users and lighthttpd users used for authentication with the web server provided by the device. The CODESYS runtime is also stopped as a result of this message which will stop the industrial application.

Mitigation

This vulnerability could be mitigated by disabling the iocheckd service "I/O-Check" via the Web-based management web application.

Timeline

2019-07-30 - Vendor disclosure
2019-09-06 - 30+ day follow up
2019-10-02 - 60+ day follow up; vendor acknowledged
2019-10-31 - Vendor passed to CERT@VDE for coordination; Talos extended public disclosure deadline
2019-12-16 - Public Release

Credit

Discovered by Kelly Leuschner of Cisco Talos