WAGO: Multiple products affected by Terrapin
Monitor | 5.9 | VDE-2024-014 | Feb 22, 2024
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
Multiple WAGO controller firmware versions are vulnerable to the Terrapin attack, which exploits improper handling of the SSH handshake phase. An attacker can bypass SSH integrity checks through this vulnerability. Affected products include the 750-810x, 750-811x, 750-820x, 750-821x, 751-9301, 751-9401, 752-8303, and 762 series (762-4x0x, 762-5x0x, 762-6x0x). Patches are available for most 750-810x, 750-811x, 750-821x, 751-9301, 751-9401, and 752-8303 devices, but no fix is planned for 750-820x and several other product variants.
What this means
What could happen
An attacker can bypass SSH integrity checks on affected WAGO controllers through the Terrapin attack, potentially allowing unauthorized modification of device commands or configuration during remote management sessions.
Who's at risk
Water and electrical utility operators running WAGO industrial controllers (750-810x, 750-811x, 750-820x, 750-821x, 751-9301, 751-9401, 752-8303, 762-4x0x, 762-5x0x, 762-6x0x series) should assess their deployed firmware versions. These devices are commonly used for remote configuration and monitoring via SSH in SCADA and automation systems.
How it could be exploited
An attacker with network access to SSH on the WAGO device exploits a flaw in the SSH handshake phase to inject or modify commands during an SSH session without detection. The attack bypasses the integrity check mechanism that normally prevents tampering with transmitted data.
Prerequisites
- Network access to SSH port (typically 22) on the WAGO device
- Ability to intercept or perform man-in-the-middle positioning on the SSH session
- Target device running vulnerable firmware version
- Remotely exploitable
- Medium CVSS (5.9)
- Network-based attack vector
- Affects remote management capability
- Multiple product lines impacted with no fixes available for 750-820x, 751-9301, 751-9401, and others
Affected products (19)
17 with fix, 2 EOL
Product | Affected Versions | Fix Status
750-810x | <FW22, Patch 2 | FW22
750-811x | <FW27 | FW27
750-820x | <03.03.08 (80) | No fix (EOL)
750-821x | <04.03.03 (70) | FW22, Patch 2 or FW27
750-821x | <FW27 | FW22, Patch 2 or FW27
Remediation & Mitigation
Do now
WORKAROUND: Restrict SSH access to WAGO controllers using firewall rules; allow SSH connections only from authorized engineering workstations and management networks
Schedule - requires maintenance window
Patching may require device reboot; plan for process interruption
750-810x
HOTFIX: Update 750-810x devices to FW22, Patch 2 or later
750-811x
HOTFIX: Update 750-811x devices to FW27 or later
750-821x
HOTFIX: Update 750-821x devices to FW22, Patch 2 or FW27 or later
751-9301
HOTFIX: Update 751-9301 and 751-9401 devices to FW27 or Custom Firmware 04.03.03 (72) or later
752-8303
HOTFIX: Update 752-8303, 762-4x0x, 762-5x0x, and 762-6x0x devices to FW22, Patch 2 or FW27 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: 750-820x, 750-820x. Apply the following compensating controls:
HARDENING: Segment WAGO controllers onto a separate management network isolated from untrusted networks to limit SSH exposure
CVEs (1)