WAGO: Multiple vulnerabilities in docker configuration

Plan Patch | CVSS 8.8 | VDE-2024-047 | Nov 18, 2024
Vendor: WAGO

Attack path
  • Attack Vector: Network
  • Auth Required: Low
  • Complexity: Low
  • User Interaction: None needed
Summary

Nozomi Networks disclosed eight vulnerabilities in WAGO industrial controllers affecting Docker configuration and runtime access control. The vulnerabilities stem from improper file permissions (CWE-732), missing access controls (CWE-306), and path traversal issues (CWE-22) that allow authenticated users with engineering credentials to escalate privileges and execute arbitrary code with root access on PFC100, TP600, CC100, and Edge Controller devices running firmware versions 4.5.10 or earlier (or 3.10.10 for G1 models). The vulnerabilities affect the CODESYS Runtime environment and Linux user group membership, enabling attackers to modify control logic, alter process setpoints, or disrupt operations.

What this means
What could happen
An attacker with engineering workstation credentials could execute arbitrary commands on the controller with elevated privileges, potentially altering process logic, modifying setpoints, or stopping critical operations on water treatment, electric substations, or other industrial processes.
Who's at risk
This affects WAGO industrial controllers widely used in water treatment facilities, electric utilities, and manufacturing plants. Impacted models include PFC100/G1/G2 programmable field controllers, TP600 touch panel terminals, CC100 compact controllers, and Edge Controller devices used for real-time process automation, data acquisition, and local control logic in critical infrastructure.
How it could be exploited
An attacker with valid engineering credentials logs into the controller remotely via CODESYS or the web management interface, exploits misconfigured Linux permissions and CODESYS Runtime access to escalate from the unprivileged 'user' account to root, and executes arbitrary commands that alter or halt industrial processes.
Prerequisites
  • Network access to CODESYS Runtime port (typically 2455)
  • Valid engineering workstation credentials (username/password)
  • Controller running an affected firmware version: ≤ 4.5.10 for most models, including CC100, or ≤ 3.10.10 for G1 devices
  • Root or administrative access to the Linux shell on the controller

Tags
  • remotely exploitable
  • requires valid engineering credentials
  • affects control system firmware
  • no patch available for multiple models (CC100 and PFC200 G1/G2)
  • multiple privilege escalation vectors
  • CODESYS runtime exposure
Exploitability
Some exploitation risk — EPSS score 1.8%
Affected products (16): 9 with fix, 7 EOL

Product                          Affected Versions   Fix Status
PFC100 G2 0750-811x/xxxx-xxxx    ≤ 4.5.10            4.6.1
TP600 0762-420x/8000-000x        ≤ 4.5.10            4.6.1
TP600 0762-430x/8000-000x        ≤ 4.5.10            4.6.1
TP600 0762-520x/8000-000x        ≤ 4.5.10            4.6.1
TP600 0762-530x/8000-000x        ≤ 4.5.10            4.6.1
Remediation & Mitigation

Do now
  • WORKAROUND: Execute the command 'gpasswd -d user wbmuser' on the Linux shell as root to remove the 'user' account from the 'wbmuser' group, mitigating the privilege escalation.
  • HARDENING: Restrict network access to CODESYS Runtime ports (typically port 2455) to authorized engineering workstations and administrative subnets using firewall rules.

Schedule (requires maintenance window)

Patching may require a device reboot; plan for process interruption.

  • HOTFIX: Update PFC100 G2, TP600, and Edge Controller models to firmware version 4.6.1 (FW28) or later.
  • HOTFIX: Update CC100 devices to firmware version 4.6.3 (FW28) or later.
  • HOTFIX: Update PFC100 G1 devices to firmware version 3.10.11 (FW22 Patch 2) or later.

Mitigations (no patch available)

The following products have reached End of Life with no planned fix: CC100 0751/9x01, PFC200 G2 0750-821x/xxx-xxx, PFC200 G2 0750-821x/xxx-xxx, PFC200 G1 0750-820x/xxx-xxx, PFC200 G1 0750-820x/xxx-xxx, CC100 0751/9x01, CC100 0751/9x01. Apply the following compensating controls:
  • HARDENING: Disable or restrict remote CODESYS Runtime access on controllers that do not require remote engineering access.
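As an added example (not part of the advisory and not WAGO's own tooling), the POSIX shell helper below audits the two conditions the remediation above depends on: whether the 'user' account is still a member of 'wbmuser', and whether a device's firmware falls inside the affected range stated for its model family. The model keys (PFC100G1, PFC100G2, TP600, CC100, EDGE, PFC200G1, PFC200G2) are an assumed naming convention, and the sample group file is constructed rather than taken from a real device.

```shell
# Added posture-check helper, constructed for this advisory (not WAGO's or
# the advisory's own code). It checks the two conditions the remediation
# section turns on: 'user' still in the 'wbmuser' group, and firmware in range.

# user_in_group USER GROUP GROUPFILE: succeeds if USER is a member of GROUP
# in an /etc/group-style file (fourth field, comma-separated members).
user_in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { if (found) exit 0; exit 1 }' "$3"
}

# version_le A B: succeeds if dotted version A <= B, comparing each
# component numerically (so 4.10.0 sorts after 4.5.10).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0 }'
}

# affected_ceiling MODEL: highest affected firmware version the advisory
# gives for the model family, or EOL where no fix is planned.
affected_ceiling() {
    case "$1" in
        PFC100G1)                  echo 3.10.10 ;;
        PFC100G2|TP600|CC100|EDGE) echo 4.5.10 ;;
        PFC200G1|PFC200G2)         echo EOL ;;
        *) return 1 ;;
    esac
}

# firmware_affected MODEL VERSION: succeeds if the firmware is affected; EOL
# families count as affected at any version (assumption: no fix will ship).
firmware_affected() {
    c=$(affected_ceiling "$1") || return 2
    [ "$c" = EOL ] && return 0
    version_le "$2" "$c"
}
# Constructed sample group file (not from a real device) for a stand-alone run.
GROUPFILE=$(mktemp)
printf 'root:x:0:\nwbmuser:x:1001:user,admin\nuser:x:1000:\n' > "$GROUPFILE"
user_in_group user wbmuser "$GROUPFILE" && echo "user still in wbmuser: run 'gpasswd -d user wbmuser' as root"
firmware_affected PFC100G2 4.5.10 && echo "PFC100 G2 4.5.10 is affected: update to 4.6.1"
rm -f "$GROUPFILE"
```

On a real controller, point user_in_group at /etc/group and feed firmware_affected the version reported by the device; a clean result on both checks means the workaround is in place and the firmware is past the affected range.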