WAGO: Smart Script affected by Log4Shell Vulnerability
Act Now | CVSS 10 | VDE-2021-060 | Jan 5, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
WAGO Smart Script versions 4.2 and higher use Apache Log4j for logging. The Log4j library is vulnerable to remote code execution (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832) when message lookup substitution is enabled. An attacker who can inject or control log messages can execute arbitrary code by including JNDI references pointing to attacker-controlled LDAP servers. Additionally, self-referential lookups can cause denial of service. Affected versions: 4.2 through 4.8.1.4. Fixed in version 4.8.1.5 or later.
What this means
What could happen
An attacker who can inject malicious log messages into WAGO Smart Script could execute arbitrary code on the affected controller, allowing them to modify process setpoints, stop operations, or exfiltrate data. Additionally, specially crafted log messages can cause the system to hang or become unresponsive, disrupting critical plant operations.
Who's at risk
Water authorities and municipal utilities using WAGO Smart Script versions 4.2 through 4.8.1.4 for process automation and control. This includes any system using Smart Script for PLC programming, recipe management, or event logging in water treatment plants, wastewater systems, and electrical distribution networks.
How it could be exploited
An attacker crafts a malicious log message containing a JNDI reference pointing to an attacker-controlled LDAP server. When Smart Script processes this message (from an untrusted project or external input), Log4j resolves the JNDI reference and loads arbitrary code from the LDAP server, executing it with the privileges of the Smart Script application. No user interaction is required; the attack triggers automatically during logging.
Prerequisites
- Network access to the WAGO Smart Script application or the ability to inject log messages into it
- WAGO Smart Script version 4.2 through 4.8.1.4 must be running
- Message lookup substitution enabled in Log4j (default in affected versions)
- Attacker must control or be able to reach an LDAP server to host malicious code
remotely exploitable, no authentication required, low complexity, actively exploited (KEV), affects process control systems, CVSS 10 (critical severity)
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
Product | Affected Versions | Fix Status
Smart Script | 4.2 < 4.8.1.4 | 4.8.1.5
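To check installed versions against the range above, the following added example (not WAGO or advisory code) classifies a host inventory using the version bounds stated in this advisory. The inventory format, host names and the sample rows are constructed for illustration.

```python
# Added example (not vendor code): triage an inventory against the advisory's
# range for WAGO Smart Script: affected from 4.2, fixed in 4.8.1.5.
import csv
import io
import re

AFFECTED_MIN = (4, 2, 0, 0)  # 4.2, first affected version per the advisory
FIXED = (4, 8, 1, 5)         # first fixed version per the advisory


def parse_version(text):
    """Turn '4.8.1.4' into (4, 8, 1, 4), zero-padded to four parts; None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


def classify(version_text):
    """Map a version string to 'affected', 'fixed', 'not affected' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"          # needs manual review, do not assume safe
    if version < AFFECTED_MIN:
        return "not affected"     # advisory lists 4.2 and higher as using Log4j
    return "affected" if version < FIXED else "fixed"


# Constructed sample inventory; host names and column names are hypothetical.
SAMPLE_INVENTORY = """host,smart_script_version
eng-ws-01,4.2
eng-ws-02,4.8.1.4
eng-ws-03,4.8.1.5
eng-ws-04,4.1.9
eng-ws-05,unknown build
"""


def triage(inventory_csv):
    """Return {host: status} for every row of the inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["smart_script_version"]) for row in rows}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Rows reported as "unknown" have a version string that could not be parsed and should be checked by hand rather than treated as unaffected.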
Remediation & Mitigation
Do now
- HOTFIX: Update WAGO Smart Script to version 4.8.1.5 or later
- WORKAROUND: Do not load or execute projects from untrusted or unknown sources
- HARDENING: Isolate Smart Script systems on a network segment with firewall rules that restrict outbound connections to LDAP servers and external DNS resolvers