WAGO: Web-Based Management Authentication Vulnerabilities
Plan Patch | CVSS 7.5 | VDE-2020-006 | Mar 9, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A timing side-channel vulnerability in WAGO web-based management interfaces allows an attacker to extract password hashes and salts through specially crafted requests by measuring response delays. The recovered hashes can be cracked offline to obtain plaintext passwords, leading to unauthorized administrative access. Firmware versions FW05 through FW14 on PFC200, PFC100, and Touch Panel 600 controllers are affected.
What this means
What could happen
An attacker who can reach your WAGO controller's web interface can extract password hashes through timing delays, then crack them offline to gain administrative access and reconfigure your control logic or operations.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using WAGO PFC200 or PFC100 programmable logic controllers (PLCs) or WAGO Touch Panel 600 human-machine interfaces (HMIs) for process monitoring and control should assess exposure immediately.
How it could be exploited
An attacker sends specially crafted requests to the web-based management interface and measures response times to infer password hash information. By analyzing response timing patterns, the attacker can extract password hashes and potentially the salt used to protect them, then use offline dictionary or brute-force attacks to recover plaintext passwords.
Prerequisites
- Network access to the web management port (typically TCP 80/443) on PFC200, PFC100, or Touch Panel 600 devices
- Target device running firmware version FW05 through FW14
Tags: remotely exploitable, no authentication required, low complexity, affects control systems, high CVSS score (7.5)
Affected products (3)
3 with fix
Product | Affected Versions | Fix Status
Hardware PFC200 | FW05 ≤ FW14 | FW15
Hardware PFC100 | FW05 ≤ FW14 | FW15
Hardware Touch Panel 600 | FW05 ≤ FW14 | FW15
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the web management interface using firewall rules; allow only from authorized engineering workstations or maintenance subnets
HARDENING: Configure strong, unique passwords (minimum 12 characters, mixed case, numbers, symbols) for all web management user accounts, especially administrative accounts
HARDENING: Do not expose the device directly to the internet or untrusted networks
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
HOTFIX: Update all affected PFC200, PFC100, and Touch Panel 600 devices to firmware version FW15 or later
HARDENING: Disable unused TCP and UDP ports on the device, especially those not required for your operational process
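Until FW15 is installed, the firewall workaround above can be checked against connection logs: anything outside the authorized subnets reaching the web management ports, or any single source sending repeated requests, deserves a look. The following is an added example, not part of the advisory or any WAGO tooling; the log layout, addresses, subnet and threshold are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumptions (not from the advisory): subnet, addresses, threshold, log layout.
AUTHORIZED_NETS = [ipaddress.ip_network("10.20.30.0/24")]  # engineering subnet
CONTROLLERS = {"192.0.2.10", "192.0.2.11"}  # PFC200/PFC100/Touch Panel 600 addresses
MGMT_PORTS = {80, 443}                      # web management ports named in the advisory
BURST_THRESHOLD = 5                         # requests per source within one log window

# Constructed sample log, one record per line: "timestamp src_ip dst_ip dst_port"
SAMPLE_LOG = "\n".join(
    [f"2024-01-01T10:00:0{i} 198.51.100.7 192.0.2.10 443" for i in range(6)]
    + [
        "2024-01-01T10:01:00 10.20.30.5 192.0.2.10 443",
        "2024-01-01T10:01:05 10.20.30.5 192.0.2.11 80",
        "2024-01-01T10:02:00 203.0.113.9 192.0.2.11 22",
        "malformed line",
    ]
)


def parse(log_text):
    """Yield (timestamp, src, dst, port) tuples, skipping malformed records."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        try:
            yield ts, ipaddress.ip_address(src), dst, int(port)
        except ValueError:
            continue


def is_authorized(src):
    return any(src in net for net in AUTHORIZED_NETS)


def audit(log_text):
    """Return (unauthorized sources, {source: count} at or above the threshold)."""
    unauthorized, per_source = set(), Counter()
    for _ts, src, dst, port in parse(log_text):
        if dst not in CONTROLLERS or port not in MGMT_PORTS:
            continue  # only traffic to the web management interface matters here
        per_source[str(src)] += 1
        if not is_authorized(src):
            unauthorized.add(str(src))
    bursts = {s: n for s, n in per_source.items() if n >= BURST_THRESHOLD}
    return sorted(unauthorized), bursts
```

Any source returned in the first list indicates the firewall restriction is missing or incomplete for that path.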
CVEs (2)