Talos Vulnerability Report

TALOS-2019-0953

WAGO PFC200 Cloud Connectivity Improper Host Validation Vulnerability

March 9, 2020
CVE Number

CVE-2019-5160

Summary

An exploitable improper host validation vulnerability exists in the Cloud Connectivity functionality of WAGO PFC200. A specially crafted HTTPS POST request can cause the software to connect to an unauthorized host, resulting in unauthorized access to firmware update functionality. An attacker can send an authenticated HTTPS POST request to direct the Cloud Connectivity software to connect to an attacker controlled Azure IoT Hub node.

Tested Versions

WAGO PFC200 Firmware version 03.02.02(14) WAGO PFC200 Firmware version 03.01.07(13) WAGO PFC200 Firmware version 03.00.39(12)

Product URLs

https://www.wago.com/us/pfc200

CVSSv3 Score

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-284 Improper Access Control

Details

The WAGO PFC200 Controller is one of WAGO's programmable automation controllers that boasts high cybersecurity standards by including VPN, SSL and firewall software. WAGO controllers are used in many industries including automotive, rail, power engineering, manufacturing, and building management. The WAGO PFC200 Controller communicates via both standard and custom protocols.

The Cloud Connectivity service of the WAGO PFC200 Controller allows for bi-directional communication with a variety of cloud providers including the Wago Cloud application, Microsoft Azure, IBM Cloud, AWS and SAP IoT Services. The Cloud Connectivity service enables the device to send telemetry data to the cloud and act on commands received from the cloud provider.

The WAGO PFC200 restricts the processing of some commands to be accepted only from the Wago Cloud application. However, the device allows the administrator web application user to configure the hostname of the Wago Cloud application via the WBM web application. This allows an attacker to gain access to these restricted commands by configuring the Cloud Connectivity application hostname to point to an attacker controlled Azure IoT Hub instance. Since a generic Azure IoT Hub certificate is contained within the ca-certificates used by the device, any Azure IoT Hub node will be trusted.

The following demonstrates that the user is able to set the hostname configuration value for the Wago Cloud platform. Referred to as ECloud here in cloud_connectivity.inc.php:

<div class="label_value_pair">
    <div class="label_field"><label for="selectIotPlatform">Cloud platform:</label></div>
    <div class="value_field">
        <select id="selectIotPlatform" class="wide" name="selectIotPlatform" size="1">
        <option value="ECloud">Wago Cloud</option>
        <option value="AzureCloud">Azure</option>
        <option value="MQTT">MQTT AnyCloud</option>
        <option value="IBM">IBM Cloud</option>
        <option value="AWS">Amazon Web Services (AWS)</option>
        <option value="SAP">SAP IoT Services</option>
        </select>
        </div>
    </div>
    </div>

    <div class="config_data_list" id="AzureIoTconfigUI" style="display: none;">
    <div class="label_value_pair">
    <div class="label_field"><label for="inputHostName">Hostname:</label></div>
    <div class="value_field"><input id="inputHostName" class="input_field" type="text" name="inputHostName" size="50" maxlength="250" value="" ></div>
    </div>
    <div class="label_value_pair">
    <div class="label_field"><label for="inputDeviceId">Device ID:</label></div>
    <div class="value_field"><input id="inputDeviceId" class="input_field" type="text" name="DeviceId" size="50" maxlength="250" value="" ></div>
    </div>
    <div class="label_value_pair">
    <div class="label_field"><label for="inputSharedAccessKey">Activation Key:</label></div>
    <div class="value_field"><input id="inputSharedAccessKey" class="input_field" type="text" name="inputSharedAccessKey" size="50" maxlength="250" value="" ></div>
    </div>
    </div>

Similarly, the following code demonstrates that when the hostname is provided via the web form, it is used instead of the default value wagocloud.azure-devices.net. This excerpt is from cloud_connectivity.js:

switch (iotplatformValue)
        {
            case "ECloud":
                $("#AzureIoTconfigUI").show();
                $('#mqttIoTconfigUI').hide();
                $('#IBMConfigUI').hide();
                $('#AWSConfigUI').hide();
                $('#DeviceConfigUI').hide();
                $('#CommandsConfigUI').hide();
                $("#chkDeviceInfoEnabled").prop('checked', true);
                $("#chkDeviceStatusEnabled").prop('checked', true);
                $("#chkStandardCommandsEnabled").prop('checked', true);
                $("#chkMqttSecurityEnabled").removeAttr('disabled');
                $("#inputMqttPort").removeAttr('disabled');
                var varHostName = $('#inputHostName').val();
                if (!varHostName)
                {
                    $("#inputHostName").val('wagocloud.azure-devices.net');
                }
                $('#divLastWillEnabled').hide();
                RefreshVisibilityMqttLastWill();
                $('#selectDataProtocol').prop('value', 'NormalizedJSON');
                $('#divDataProtocol').hide();
                $('#'  + thePageContent.id + '_content' + ' .sparkplug_activated').hide();
                $('#WebswocketsConfigUI').show();
                break;

Mitigation

This vulnerability could be mitigated by disabling the Cloud Connectivity feature via the Web-based management web application.

Timeline

2019-10-31 - Vendor Disclosure
2019-10-31 - Vendor acknowledged and passed to CERT@VDE for coordination/handling
2020-01-28 - Talos discussion with vendor; disclosure deadline extended
2020-03-09 - Public Release

Credit

Discovered by Kelly Leuschner of Cisco Talos.