WAGO: FTP-Server - Denial-of-Service

Plan Patch7.5VDE-2022-047Oct 12, 2022

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The FTP server in affected WAGO controllers does not properly release memory resources reserved for incomplete FTP connection attempts. A remote attacker can repeatedly send incomplete FTP connections to exhaust memory and cause a denial-of-service condition, making the device unresponsive until restarted.

What this means

What could happen

An attacker can send incomplete FTP connection requests to cause the controller to leak memory and eventually stop responding to normal operations. A sustained attack could force a reboot of the device, interrupting process control.

Who's at risk

WAGO 750 series PLC controllers (750-330, 750-332, 750-352, 750-362, 750-363, 750-364, 750-365, 750-823, 750-829, 750-831, 750-832, 750-852, 750-862, 750-880, 750-881, 750-882, 750-885, 750-889, 750-890, 750-891, 750-893) used in water systems, power distribution, HVAC, and other critical infrastructure for real-time process control.

How it could be exploited

An attacker on the network (or internet-routable network) sends multiple malformed or incomplete FTP connection attempts to port 21 on the affected WAGO controller. Each incomplete connection fails to properly release reserved memory, causing heap exhaustion. Once memory is depleted, the device becomes unresponsive and control of the process is lost until the device restarts.

Prerequisites

Network access to port 21 (FTP) on the WAGO controller
FTP server enabled in device configuration
No firewall or access control blocking FTP traffic

remotely exploitableno authentication requiredlow complexityaffects availability of control systemsdenial of service via resource exhaustion

Affected products (21)

21 with fix

ProductAffected VersionsFix Status

750-330≤ FW13FW17

750-332≤ FW10FW11

750-352/xxx-xxx≤ FW14FW17

750-362/xxx-xxx≤ FW10FW11

750-363/xxx-xxx≤ FW10FW11

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDDisable FTP server in the web-based management console if FTP data transfer is not required for operations.

HARDENINGRestrict network access to port 21 (FTP) at the firewall or network boundary; only allow FTP traffic from trusted engineering workstations or management networks.

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

750-330

HOTFIXUpdate firmware to the latest stable release: 750-330 to FW17, 750-332 to FW11, 750-352/xxx-xxx to FW17, 750-362/xxx-xxx to FW11, 750-363/xxx-xxx to FW11, 750-364/xxx-xxx to FW11, 750-365/xxx-xxx to FW11, 750-823 to FW11, 750-829 to FW17, 750-831/xxx-xxx to FW17, 750-832/xxx-xxx to FW11, 750-852 to FW17, 750-862 to FW11, 750-880/xxx-xxx to FW17, 750-881 to FW17, 750-882 to FW17, 750-885/xxx-xxx to FW17, 750-889 to FW17, 750-890/xxx-xxx to FW11, 750-891 to FW11, 750-893 to FW11.

Long-term hardening

0/1

HARDENINGEnsure the WAGO controller is not directly accessible from the internet; place it behind a firewall or on an isolated OT network segment.

CVEs (1)

CVE-2022-38371

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/933ea905-b6cf-4f35-ac26-bc5b2c5e6157