Patrick DeSantis, Carl Hurd, Kelly Leuschner and Lilith [-_-]; of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.
Cisco Talos recently discovered several vulnerabilities in multiple products from the company WAGO. WAGO produces a line of automation software called “e!COCKPIT,” an integrated development

environment that aims to speed up automation tasks and machine and system startup. The e!COCKPIT software interfaces with different automation controllers, including the PFC100 and PFC200. The vulnerabilities described here exist within the e!COCKPIT software or the two associated automation controllers. A remote attacker could exploit these vulnerabilities to carry out a variety of malicious activities, including command injection, information disclosure and remote code execution.

In accordance with our coordinated disclosure policy, Cisco Talos worked with WAGO to ensure that these issues are resolved and that updates are available for affected customers.

Vulnerability details
WAGO e!Cockpit authentication hard-coded encryption key vulnerability (TALOS-2019-0898/5106)

A hard-coded encryption key vulnerability exists in the authentication functionality of WAGO e!Cockpit, version 1.5.1.1. An attacker with access to communications between e!Cockpit and CoDeSyS Gateway can trivially recover the password of any user attempting to log in, in plain text.

Read the complete vulnerability advisory here for additional information.

WAGO e!Cockpit network communication cleartext transmission vulnerability (TALOS-2019-0899/CVE-2019-5107)
A cleartext transmission vulnerability exists in the network communication functionality of WAGO e!Cockpit, version 1.5.1.1. An attacker with access to network traffic can easily intercept, interpret, and manipulate data coming from, or destined for e!Cockpit. This includes passwords, configurations, and binaries being transferred to endpoints.

Read the complete vulnerability advisory here for additional information.

WAGO PFC100/200 Web-Based Management (WBM) authentication regex information disclosure vulnerability (TALOS-2019-0923/CVE-2019-5134)

An exploitable regular expression without anchors vulnerability exists in the Web-Based Management (WBM) authentication functionality of WAGO PFC100/200 controllers. A specially crafted authentication request can bypass regular expression filters, resulting in sensitive information disclosure, such as password hashes.

Read the complete vulnerability advisory here for additional information.

WAGO PFC100/200 Web-Based Management (WBM) authentication timing information disclosure vulnerability (TALOS-2019-0924/CVE-2019-5135)

An exploitable timing discrepancy vulnerability exists in the authentication functionality of the Web-Based Management (WBM) web application on WAGO PFC100/200 controllers. The WBM application makes use of the PHP `crypt()` function which can be exploited to disclose hashed user credentials.

Read the complete vulnerability advisory here for additional information.
 WAGO PFC100/200 Web-Based Management (WBM) FastCGI configuration insufficient resource pool denial of service (TALOS-2019-0939/CVE-2019-5149)

The WBM web application on firmware prior to version 14 (03.02.02) (tested on versions 12, 13, and 14) on the WAGO PFC100 and PFC2000, respectively, runs on a lighttpd web server and makes use of the FastCGI module, which is intended to "provide high performance for all Internet applications without the penalties of Web server APIs." However, the default configuration of this module appears to limit the number of concurrent php-cgi processes to a total of two, which can be abused to cause a denial of service of the entire web server.

Read the complete vulnerability advisory here for additional information.

WAGO PFC200 cloud connectivity parameter values code injection vulnerability (TALOS-2019-0948/CVE-2019-5155)

An exploitable command injection vulnerability exists in the cloud connectivity feature of WAGO PFC200. An attacker can inject operating system commands into any of the parameter values contained in the firmware update command.

Read the complete vulnerability advisory here for additional information.

WAGO PFC200 cloud connectivity TimeoutPrepared command injection vulnerability (TALOS-2019-0949/CVE-2019-5156)

An exploitable command injection vulnerability exists in the cloud connectivity functionality of WAGO PFC200. An attacker can inject operating system commands into the TimeoutPrepared parameter value contained in the firmware update command.

Read the complete vulnerability advisory here for additional information.

WAGO PFC200 cloud connectivity TimeoutUnconfirmed command injection vulnerability (TALOS-2019-0950/CVE-2019-5157)

An exploitable command injection vulnerability exists in the cloud connectivity function of the WAGO PFC200. An attacker can inject operating system commands into the TimeoutUnconfirmed parameter value in the firmware update command.

Read the complete vulnerability advisory here for additional information.

WAGO e!COCKPIT firmware downgrade vulnerability (TALOS-2019-0951/CVE-2019-5158)

An exploitable firmware downgrade vulnerability exists in the firmware update package functionality of the WAGO e!COCKPIT automation software. A specially crafted firmware update file can allow an attacker to install an older firmware version while the user thinks a newer firmware version is being installed. An attacker can create a custom firmware update package with invalid metadata in order to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

WAGO e!COCKPIT file path improper input validation vulnerability (TALOS-2019-0952/CVE-2019-5159)

An exploitable improper input validation vulnerability exists in the firmware update function of the WAGO e!COCKPIT automation software. A specially crafted firmware update file can allow an attacker to write arbitrary files to arbitrary locations on WAGO controllers while executing a firmware update, potentially resulting in code execution. An attacker can create a malicious firmware update file using a hard-coded password. The user must initiate a firmware update through e!COCKPIT and choose the malicious `wup` file using the file browser to trigger the vulnerability.

Read the complete vulnerability advisory here for additional information.

WAGO PFC200 cloud connectivity improper host validation vulnerability (TALOS-2019-0953/CVE-2019-5160)

An exploitable improper host validation vulnerability exists in the Cloud Connectivity functionality of WAGO PFC200. A specially crafted HTTPS POST request can cause the software to connect to an unauthorized host, resulting in unauthorized access to firmware update functionality. An attacker can send an authenticated HTTPS POST request to direct the Cloud Connectivity software to connect to an attacker-controlled Azure IoT Hub node.

Read the complete vulnerability advisory here for additional information.

WAGO PFC200 cloud connectivity remote code execution vulnerability (TALOS-2019-0954/CVE-2019-5161)

An exploitable remote code execution vulnerability exists in the cloud connectivity functionality of the WAGO PFC200. A specially crafted XML file will direct the cloud connectivity service to download and execute a shell script with root privileges.

Read the complete vulnerability advisory here for additional information.

WAGO PFC200 iocheckd service "I/O-Check" cache DNS code execution vulnerability (TALOS-2019-0961/CVE-2019-5166)

An exploitable stack buffer overflow vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. A specially crafted XML cache file written to a specific location on the device can cause a stack buffer overflow, resulting in code execution. An attacker can send a specially crafted packet to trigger the parsing of this cache file.

Read the complete vulnerability advisory here for additional information.

WAGO PFC200 iocheckd service "I/O-Check" cache multiple command injection vulnerabilities (TALOS-2019-0962/CVE-2019-5167 and CVE-2019-5175)

An exploitable command injection vulnerability exists in the iocheckd service "I/O-Check" function of the WAGO PFC 200. A specially crafted XML cache file written to a specific location on the device can be used to inject OS commands. An attacker can send a specially crafted packet to trigger the parsing of this cache file.

Read the complete vulnerability advisory here for additional information.

WAGO PFC200 iocheckd service "I/O-Check" cache multiple code execution vulnerabilities (TALOS-2019-0963/CVE-2019-5176 and CVE-2019-5182)
 An exploitable stack buffer overflow vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. A specially crafted XML cache file written to a specific location on the device can cause a stack buffer overflow, resulting in code execution. An attacker can send a specially crafted packet to trigger the parsing of this cache file.

Read the complete vulnerability advisory here for additional information.
 WAGO PFC200 iocheckd service "I/O-Check" cache gateway memory corruption vulnerability (TALOS-2019-0965/CVE-2019-5184)
 An exploitable double-free vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. A specially crafted XML cache file written to a specific location on the device can cause a heap pointer to be freed twice, resulting in a denial of service and potentially code execution. An attacker can send a specially crafted packet to trigger the parsing of this cache file.

Read the complete vulnerability advisory here for additional information.

Versions tested Talos tested and confirmed that TALOS-2019-0939 affects the WAGO PFC200 running firmware versions 03.00.39(12) and 03.01.07(13) and the PFC100 running 03.00.39(12) and 03.02.02(14).

The WAGO PFC200, firmware version 03.00.39(12) and 03.01.07(13) and the PFC100, version 03.00.39(12) is affected by TALOS-2019-0923 and TALOS-2019-0924.

TALOS-2019-0948, TALOS-2019-0949, TALOS-2019-0954 and TALOS-2019-0950 affect versions 03.02.02(14), 03.01.07(13) and 03.00.39(12) of the PFC200.

Based on the inspection of earlier firmware versions, Talos believes these vulnerabilities affect the past 10 versions of the firmware in both devices, and possibly even earlier.

TALOS-2019-0952 and TALOS-2019-0951 affect WAGO e!COCKPIT, version 1.6.0.7.

Talos tested and confirmed that version 03.00.39(12) of the WAGO PFC200 and PFC100 is affected by TALOS-2019-0862 through 0864 and TALOS-2019-0870 through 0874.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 50786 - 50789, 50790 - 50793, 50797, 52023, 52131, 52238, 52274, 52275