WAGO: Multiple vulnerabilities in docker configuration

Plan Patch | 8.8 | VDE-2024-047 | Nov 18, 2024
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities in WAGO industrial controllers and human-machine interfaces running containerized software (Docker). The vulnerabilities include missing access controls (CWE-306), improper file permissions (CWE-732), and path traversal issues (CWE-22). An attacker with valid user credentials can escalate privileges through misconfigured group membership and gain unauthorized access to the runtime environment.

What this means
What could happen
An authenticated attacker could escalate privileges and gain control of the CODESYS runtime environment, potentially allowing them to modify process logic, alter safety parameters, or disrupt plant operations on affected WAGO controllers.
Who's at risk
WAGO industrial controllers and human-machine interfaces used in manufacturing, water, utilities, and energy sectors. Affected models include: CC100, PFC100 G2, PFC200 G2, TP600 touchscreen panels, Edge Controller, and legacy PFC100/PFC200 G1 devices. Organizations using these as programmable logic controllers (PLCs) or process monitors should prioritize assessment.
How it could be exploited
An attacker with valid user account credentials logs into the affected controller. Because the Linux user 'user' is misconfigured as a member of the 'wbmuser' group, the attacker gains group membership that bypasses intended access controls. The attacker then exploits missing CODESYS Runtime access controls (CWE-306) to interact with and modify the runtime environment, potentially altering process execution or safety interlocks.
Prerequisites
  • Valid user account credentials on the affected WAGO device
  • Network access to the controller's shell or web interface
  • Device running vulnerable firmware version (4.5.10 or earlier for G2 devices, 3.10.10 or earlier for G1 devices)
  • remotely exploitable
  • requires valid credentials
  • low complexity attack once authenticated
  • affects control logic environment (safety-related)
  • no fix available for several product models
Affected products (16)
9 with fix, 7 EOL

Product                          Affected Versions   Fix Status
PFC100 G2 0750-811x/xxxx-xxxx    ≤ 4.5.10            4.6.1
TP600 0762-420x/8000-000x        ≤ 4.5.10            4.6.1
TP600 0762-430x/8000-000x        ≤ 4.5.10            4.6.1
TP600 0762-520x/8000-000x        ≤ 4.5.10            4.6.1
TP600 0762-530x/8000-000x        ≤ 4.5.10            4.6.1

Remediation & Mitigation
Do now
WORKAROUND: Remove the Linux user 'user' from the 'wbmuser' group by running 'gpasswd -d user wbmuser' as root on affected controllers, then verify the result with 'groups user'
HARDENING: Restrict CODESYS Runtime access completely by disabling or removing network/shell access to the runtime environment on all affected devices
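
A read-only check for the workaround above, as an added example that is not part of the advisory or of WAGO's tooling. It classifies how an account belongs to a group from group(5) and passwd(5) formatted files; the function names and the optional file arguments are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not vendor code): report how USER belongs to GROUP.
# File arguments are hypothetical conveniences; they default to the
# live system files so the check can also run against copied files.

# membership USER GROUP [GROUP_FILE] [PASSWD_FILE]
# Prints one of: none, supplementary, primary, both, no-such-group
membership() {
    m_user=$1; m_group=$2
    m_gfile=${3:-/etc/group}; m_pfile=${4:-/etc/passwd}

    # group(5): name:password:GID:member1,member2,...
    m_line=$(awk -F: -v g="$m_group" '$1 == g { print; exit }' "$m_gfile")
    if [ -z "$m_line" ]; then
        echo "no-such-group"; return 0
    fi
    m_gid=$(printf '%s\n' "$m_line" | cut -d: -f3)
    m_members=$(printf '%s\n' "$m_line" | cut -d: -f4)

    # Exact match on the comma-separated list, so "user" != "user2".
    m_supp=no
    case ",$m_members," in
        *",$m_user,"*) m_supp=yes ;;
    esac

    # passwd(5): field 4 is the account's primary GID.
    m_pgid=$(awk -F: -v u="$m_user" '$1 == u { print $4; exit }' "$m_pfile")
    m_prim=no
    if [ -n "$m_pgid" ] && [ "$m_pgid" = "$m_gid" ]; then
        m_prim=yes
    fi

    case "$m_supp$m_prim" in
        yesyes) echo both ;;
        yesno)  echo supplementary ;;
        noyes)  echo primary ;;
        *)      echo none ;;
    esac
}

# workaround_applied USER GROUP [GROUP_FILE] [PASSWD_FILE]
# Succeeds only when no membership of either kind remains; any other
# answer, including a missing group, is treated as "needs review".
workaround_applied() {
    [ "$(membership "$@")" = "none" ]
}
```

'gpasswd -d' edits only the member list in /etc/group, so a result of 'primary' or 'both' means the membership also comes from the account's primary GID in /etc/passwd. Sessions opened before the change keep their old groups until the account logs in again.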
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

PFC100 G2 0750-811x/xxxx-xxxx
HOTFIX: Update PFC100 G2 0750-811x/xxxx-xxxx and TP600 models (0762-420x, 0762-430x, 0762-520x, 0762-530x, 0762-620x, 0762-630x) and Edge Controller 0752-8303/8000-0002 to firmware 4.6.1 or later
CC100 0751/9x01
HOTFIX: Update CC100 0751/9x01 devices to firmware 4.6.3 (FW28) when available from WAGO support
PFC100 G1 0750-810x/xxxx-xxxx
HOTFIX: Update PFC100 G1 0750-810x/xxxx-xxxx devices to firmware 3.10.11 (FW22 Patch 2) or later
All products
HARDENING: Review and disable any unnecessary user accounts on affected WAGO controllers
Mitigations - no patch available
The following products have reached End of Life with no planned fix: CC100 0751/9x01, PFC200 G2 0750-821x/xxx-xxx, PFC200 G2 0750-821x/xxx-xxx, PFC200 G1 0750-820x/xxx-xxx, PFC200 G1 0750-820x/xxx-xxx, CC100 0751/9x01, CC100 0751/9x01. Apply the following compensating controls:
HARDENING: Implement network segmentation to limit user access to affected WAGO controllers to trusted engineering networks only