A cleartext transmission vulnerability exists in the network communication functionality of WAGO e!Cockpit, version 126.96.36.199. An attacker with access to network traffic can easily intercept, interpret, and manipulate data coming from, or destined for e!Cockpit. This includes passwords, configurations, and binaries being transferred to endpoints.
WAGO e!Cockpit 188.8.131.52
7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-319: Cleartext Transmission of Sensitive Information
e!Cockpit is programming software provided by WAGO for working with various product lines produced by WAGO. This software is used to write IEC-61131-3 specified language that can then be compiled for a programmable logic controller to run. This software is required to be able to communicate with these devices, and it can be found in any environment that you find an industrial controller.
Network traffic does not utilize encryption for any communication. Sensitive information is transferred over the network, both locally to the GatewayService, as well as remotely to the PLC itself. This allows for an attacker locally, or anywhere between the end device and the programming software to listen to manipulate or drop any information they choose to.
2019-09-19 - Vendor Disclosure
2019-10-31 - Vendor passed to CERT@VDE for coordination/handling
2019-12-16 - Disclosure deadline extended
2020-01-28 - Talos discussion about vulnerabilities with Vendor
2020-03-09 - Public Release
Discovered by Carl Hurd of Cisco Talos.