ICS-CERT: WAGO I/O 750 Multiple Vulnerabilities

Thursday, June 21, 2012

Infosec Island Admin


This Alert Update is a follow-up to the original ICS-CERT Alert titled ICS-ALERT-12-020-07—WAGO I/O 750 Multiple Vulnerabilities that was published January 20, 2012, on the ICS-CERT Web page.

The reported vulnerabilities from DSecRG have been coordinated with WAGO. WAGO has determined that the vulnerabilities can be mitigated by adjusting system configurations of services not in use.

WAGO has released a customer cybersecurity notification on best security practices for its products.

ICS-CERT is aware of a public report of multiple vulnerabilities with proof-of-concept (PoC) exploit code affecting the WAGO I/O System 750, a controller product. According to the WAGO Web site, the WAGO I/O System 750 is used in industrial automation, building automation, marine automation, and onshore and offshore applications. These reports were released by Digital Security Research Group (DSecRG) without coordination with either the vendor or ICS-CERT.

ICS-CERT has notified WAGO of this report and has asked the vendor to confirm the vulnerability and identify mitigations. ICS-CERT is issuing this alert to provide early notice of the report and identify baseline mitigations for reducing risks from these and other cybersecurity attacks.

Vulnerability Type:  Data leakage
Exploitability:  Remote
Impact:  Download firmware

Vulnerability Type:  Data leakage
Exploitability:  Remote
Impact:  Data leakage

Vulnerability Type:  Unauthorized access
Exploitability:  Remote
Impact:  Denial of service/loss of system integrity

Please report any issues affecting control systems in critical infrastructure environments to ICS-CERT.

MITIGATION

ICS-CERT has coordinated with WAGO and the security researcher to identify mitigations. WAGO has determined that the reported vulnerabilities can be mitigated through system configuration.

DATA LEAKAGE RESULTING IN A DOWNLOAD OF FIRMWARE:  According to Section 10.4 of the WAGO I/O 750-841 User’s Manual, Ports 44818/TCP and 2222/UDP can be disabled, thereby disabling the Web Based Management system and preventing the download of firmware. WAGO recommends that these ports remain disabled when not being actively used. Section 12.1.1.5 recommends installing controllers behind firewalls.

DATA LEAKAGE RESULTING IN LOSS OF CONFIDENTIALITY:  According to Section 10.4 of the WAGO I/O 750-841 User’s Manual, Port 80/TCP can be disabled, thereby disabling the Web Based Management system. WAGO recommends that this port remain disabled when not being actively used. Section 12.1.1.5 recommends using controllers behind firewalls.

UNAUTHORIZED ACCESS RESULTING IN A DENIAL OF SERVICE OR LOSS OF SYSTEM INTEGRITY:  The 750-841 provides a Web Server Authentication function. By default, this function is enabled, but it may be disabled. If enabled, the previous password must first be entered before the password can be changed. If disabled, the password may be changed without first entering the previous password. WAGO recommends this function remain enabled. A description of the Web Server Authentication can be found in Section 10.8 of the WAGO I/O 750-841 User’s Manual.

These features can be found in the WAGO I/O 750-841 User’s Manual.
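
One way to check that the firewall recommendation holds for the three ports named above, as an added example that is not part of the ICS-CERT alert or WAGO's documentation: it scans firewall flow records for accepted traffic to those ports from outside an engineering subnet. The record format, the controller addresses, and the subnet are constructed assumptions.

```python
import ipaddress

# Ports named in the mitigation section, mapped to the risk the alert ties to each.
ADVISORY_PORTS = {
    ("tcp", 44818): "firmware download",
    ("udp", 2222): "firmware download",
    ("tcp", 80): "Web Based Management data leakage",
}

# Assumptions for this example: controller addresses and the engineering subnet.
CONTROLLERS = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.11")}
ENGINEERING_NET = ipaddress.ip_network("198.51.100.0/28")

# Constructed flow records: "timestamp src dst proto dport action"
SAMPLE_FLOWS = """\
2012-06-21T08:00:01Z 198.51.100.5 192.0.2.10 tcp 80 ACCEPT
2012-06-21T08:00:07Z 203.0.113.44 192.0.2.10 tcp 80 ACCEPT
2012-06-21T08:01:12Z 203.0.113.44 192.0.2.11 tcp 44818 DROP
2012-06-21T08:02:30Z 203.0.113.9 192.0.2.11 udp 2222 ACCEPT
2012-06-21T08:03:00Z 203.0.113.9 192.0.2.11 tcp 502 ACCEPT
malformed line
"""

def audit_flows(text):
    """Return (timestamp, src, dst, port/proto, risk) for each accepted flow that
    reaches an advisory port on a controller from outside the engineering subnet."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records instead of failing the whole audit
        ts, src, dst, proto, dport, action = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue
        risk = ADVISORY_PORTS.get((proto.lower(), port))
        if risk is None or dst_ip not in CONTROLLERS:
            continue
        if action.upper() == "ACCEPT" and src_ip not in ENGINEERING_NET:
            findings.append((ts, src, dst, f"{port}/{proto.lower()}", risk))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print("  ".join(finding))
```

Any finding means the firewall in front of the controller is passing traffic the alert says should be blocked or the service disabled.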

The full ICS-CERT advisory can be found here:

Source:  http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-020-07A.pdf
