{ "document": { "category": "csaf_security_advisory", "csaf_version": "2.0", "tracking": { "generator": { "date": "2024-10-18T12:22:49.381Z", "engine": { "version": "2.5.13", "name": "Secvisogram" } }, "current_release_date": "2025-05-14T13:00:15.000Z", "id": "VDE-2020-036", "initial_release_date": "2021-06-29T10:00:00.000Z", "status": "final", "version": "5", "aliases": [ "VDE-2020-036" ], "revision_history": [ { "summary": "Initial revision.", "date": "2021-06-29T10:00:00.000Z", "number": "1" }, { "date": "2024-11-06T11:27:01.000Z", "number": "2", "summary": "Fix: added self-reference" }, { "date": "2025-02-12T16:48:47.000Z", "number": "3", "summary": "Fix: corrected self-reference, fixed version" }, { "date": "2025-04-10T13:00:00.000Z", "number": "4", "summary": "Fixed csaf publisher information" }, { "number": "5", "summary": "Fix: added distribution", "date": "2025-05-14T13:00:15.000Z" } ] }, "lang": "en-GB", "title": "WAGO: Multiple Vulnerabilities in I/O-Check Service", "acknowledgments": [ { "organization": "Claroty", "names": [ "Uri Katz" ], "summary": "reported" }, { "summary": "coordination", "organization": "CERT@VDE" } ], "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "notes": [ { "title": "Summary", "category": "summary", "text": "Multiple vulnerabilities in the WAGO I/O-Check Service were reported." }, { "title": "Impact", "category": "description", "text": "By exploiting the described vulnerabilities, the attacker potentially is able to manipulate or disrupt the device." }, { "title": "Mitigation", "category": "description", "text": "- Disable I/O-Check service\n- Restrict network access to the device.\n- Do not directly connect the device to the internet." }, { "title": "Solution", "category": "description", "text": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities and possible upcoming zero-day exploits.\nRegardless to the action described above, the vulnerability has been fixed in FW18Patch3, released in June 2021.\nWe recommend all affected users to update to the latest firmware version." } ], "publisher": { "category": "vendor", "name": "WAGO GmbH & Co. KG", "contact_details": "psirt@wago.com", "namespace": "https://www.wago.com/psirt" }, "references": [ { "summary": "CERT@VDE Security Advisories for Wago", "url": "https://certvde.com/de/advisories/vendor/wago/", "category": "external" }, { "url": "https://certvde.com/de/advisories/VDE-2020-036/", "summary": "VDE-2020-036: WAGO: Multiple Vulnerabilities in I/O-Check Service - HTML", "category": "self" }, { "summary": "VDE-2020-036: WAGO: Multiple Vulnerabilities in I/O-Check Service - CSAF", "url": "https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2021/vde-2020-036.json", "category": "self" } ] }, "product_tree": { "branches": [ { "category": "vendor", "name": "Wago", "branches": [ { "name": "Hardware", "category": "product_family", "branches": [ { "category": "product_name", "name": "Touch Panel 600", "product": { "product_identification_helper": { "model_numbers": [ "762-6xxx", "762-5xxx", "762-4xxx" ] }, "name": "Hardware Touch Panel 600", "product_id": "CSAFPID-11001" } }, { "name": "Edge Controller", "category": "product_name", "product": { "product_identification_helper": { "model_numbers": [ "752-8303/8000-0002" ] }, "name": "Hardware Edge Controller", "product_id": "CSAFPID-11002" } }, { "product": { "product_identification_helper": { "model_numbers": [ "750-82xx/xxx-xxx" ] }, "name": "Hardware PFC200", "product_id": "CSAFPID-11003" }, "name": "PFC200", "category": "product_name" }, { "name": "PFC 100", "category": "product_name", "product": { "product_identification_helper": { "model_numbers": [ "750-81xx/xxx-xxx" ] }, "name": "Hardware PFC 100", "product_id": "CSAFPID-11004" } } ] }, { "category": "product_family", "name": "Firmware", "branches": [ { "category": "product_version_range", "name": "<=FW18Patch2", "product": { "name": "Firmware <=FW18Patch2", "product_id": "CSAFPID-21001" } }, { "category": "product_version", "name": "FW18Patch3", "product": { "name": "Firmware FW18Patch3", "product_id": "CSAFPID-22001" } } ] } ] } ], "relationships": [ { "category": "installed_on", "product_reference": "CSAFPID-21001", "relates_to_product_reference": "CSAFPID-11001", "full_product_name": { "name": "Firmware <=FW18Patch2 installed on Hardware Touch Panel 600", "product_id": "CSAFPID-31001" } }, { "product_reference": "CSAFPID-21001", "relates_to_product_reference": "CSAFPID-11002", "category": "installed_on", "full_product_name": { "name": "Firmware <=FW18Patch2 installed on Hardware Edge Controller", "product_id": "CSAFPID-31002" } }, { "product_reference": "CSAFPID-21001", "relates_to_product_reference": "CSAFPID-11003", "category": "installed_on", "full_product_name": { "name": "Firmware <=FW18Patch2 installed on Hardware PFC200", "product_id": "CSAFPID-31003" } }, { "category": "installed_on", "product_reference": "CSAFPID-21001", "relates_to_product_reference": "CSAFPID-11004", "full_product_name": { "name": "Firmware <=FW18Patch2 installed on Hardware PFC 100", "product_id": "CSAFPID-31004" } }, { "product_reference": "CSAFPID-22001", "relates_to_product_reference": "CSAFPID-11001", "category": "installed_on", "full_product_name": { "name": "Firmware FW18Patch3 installed on Hardware Touch Panel 600", "product_id": "CSAFPID-32001" } }, { "category": "installed_on", "product_reference": "CSAFPID-22001", "relates_to_product_reference": "CSAFPID-11002", "full_product_name": { "name": "Firmware FW18Patch3 installed on Hardware Edge Controller", "product_id": "CSAFPID-32002" } }, { "category": "installed_on", "product_reference": "CSAFPID-22001", "relates_to_product_reference": "CSAFPID-11003", "full_product_name": { "name": "Firmware FW18Patch3 installed on Hardware PFC200", "product_id": "CSAFPID-32003" } }, { "category": "installed_on", "product_reference": "CSAFPID-22001", "relates_to_product_reference": "CSAFPID-11004", "full_product_name": { "name": "Firmware FW18Patch3 installed on Hardware PFC 100", "product_id": "CSAFPID-32004" } } ], "product_groups": [ { "group_id": "CSAFGID-0001", "summary": "Affected products.", "product_ids": [ "CSAFPID-31001", "CSAFPID-31002", "CSAFPID-31003", "CSAFPID-31004" ] }, { "group_id": "CSAFGID-0002", "summary": "Fixed products.", "product_ids": [ "CSAFPID-32001", "CSAFPID-32002", "CSAFPID-32003", "CSAFPID-32004" ] } ] }, "vulnerabilities": [ { "cve": "CVE-2021-34569", "title": "CVE-2021-34569", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "notes": [ { "title": "Vulnerability Description", "category": "description", "text": "In WAGO I/O-Check Service in multiple products an attacker can send a specially crafted packet containing OS commands to crash the diagnostic tool and write memory." } ], "remediations": [ { "category": "mitigation", "details": "- Disable I/O-Check service\n- Restrict network access to the device.\n- Do not directly connect the device to the internet.", "group_ids": [ "CSAFGID-0001" ] }, { "category": "vendor_fix", "details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities and possible upcoming zero-day exploits.\nRegardless to the action described above, the vulnerability has been fixed in FW18Patch3, released in June 2021.\nWe recommend all affected users to update to the latest firmware version.", "group_ids": [ "CSAFGID-0001" ] } ], "product_status": { "fixed": [ "CSAFPID-32001", "CSAFPID-32002", "CSAFPID-32003", "CSAFPID-32004" ], "known_affected": [ "CSAFPID-31001", "CSAFPID-31002", "CSAFPID-31003", "CSAFPID-31004" ] }, "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "temporalScore": 9.8, "temporalSeverity": "CRITICAL", "environmentalScore": 9.8, "environmentalSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH" }, "products": [ "CSAFPID-31001", "CSAFPID-31002", "CSAFPID-31003", "CSAFPID-31004" ] } ] }, { "cve": "CVE-2021-34566", "title": "CVE-2021-34566", "cwe": { "id": "CWE-120", "name": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')" }, "notes": [ { "title": "Vulnerability Description", "category": "description", "text": "In WAGO I/O-Check Service in multiple products an unauthenticated remote attacker can send a specially crafted packet containing OS commands to crash the iocheck process and write memory resulting in loss of integrity and DoS." } ], "product_status": { "fixed": [ "CSAFPID-32001", "CSAFPID-32002", "CSAFPID-32003", "CSAFPID-32004" ], "known_affected": [ "CSAFPID-31001", "CSAFPID-31002", "CSAFPID-31003", "CSAFPID-31004" ] }, "remediations": [ { "details": "- Disable I/O-Check service\n- Restrict network access to the device.\n- Do not directly connect the device to the internet.", "category": "mitigation", "group_ids": [ "CSAFGID-0001" ] }, { "category": "vendor_fix", "details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities and possible upcoming zero-day exploits.\nRegardless to the action described above, the vulnerability has been fixed in FW18Patch3, released in June 2021.\nWe recommend all affected users to update to the latest firmware version.", "group_ids": [ "CSAFGID-0001" ] } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "temporalScore": 9.1, "temporalSeverity": "CRITICAL", "environmentalScore": 9.1, "environmentalSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH" }, "products": [ "CSAFPID-31001", "CSAFPID-31002", "CSAFPID-31003", "CSAFPID-31004" ] } ] }, { "cve": "CVE-2021-34567", "title": "CVE-2021-34567", "cwe": { "id": "CWE-125", "name": "Out-of-bounds Read" }, "notes": [ { "title": "Vulnerability Description", "category": "description", "text": "In WAGO I/O-Check Service in multiple products an unauthenticated remote attacker can send a specially crafted packet containing OS commands to provoke a denial of service and an limited out-of-bounds read." } ], "product_status": { "fixed": [ "CSAFPID-32001", "CSAFPID-32002", "CSAFPID-32003", "CSAFPID-32004" ], "known_affected": [ "CSAFPID-31001", "CSAFPID-31002", "CSAFPID-31003", "CSAFPID-31004" ] }, "remediations": [ { "category": "mitigation", "details": "- Disable I/O-Check service\n- Restrict network access to the device.\n- Do not directly connect the device to the internet.", "group_ids": [ "CSAFGID-0001" ] }, { "category": "vendor_fix", "details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities and possible upcoming zero-day exploits.\nRegardless to the action described above, the vulnerability has been fixed in FW18Patch3, released in June 2021.\nWe recommend all affected users to update to the latest firmware version.", "group_ids": [ "CSAFGID-0001" ] } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "baseScore": 8.2, "baseSeverity": "HIGH", "temporalScore": 8.2, "temporalSeverity": "HIGH", "environmentalScore": 8.2, "environmentalSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH" }, "products": [ "CSAFPID-31001", "CSAFPID-31002", "CSAFPID-31003", "CSAFPID-31004" ] } ] }, { "cve": "CVE-2021-34568", "title": "CVE-2021-34568", "cwe": { "id": "CWE-770", "name": "Allocation of Resources Without Limits or Throttling" }, "notes": [ { "title": "Vulnerability Description", "category": "description", "text": "In WAGO I/O-Check Service in multiple products an unauthenticated remote attacker can send a specially crafted packet containing OS commands to provoke a denial of service." } ], "product_status": { "fixed": [ "CSAFPID-32001", "CSAFPID-32002", "CSAFPID-32003", "CSAFPID-32004" ], "known_affected": [ "CSAFPID-31001", "CSAFPID-31002", "CSAFPID-31003", "CSAFPID-31004" ] }, "remediations": [ { "details": "- Disable I/O-Check service\n- Restrict network access to the device.\n- Do not directly connect the device to the internet.", "category": "mitigation", "group_ids": [ "CSAFGID-0001" ] }, { "details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities and possible upcoming zero-day exploits.\nRegardless to the action described above, the vulnerability has been fixed in FW18Patch3, released in June 2021.\nWe recommend all affected users to update to the latest firmware version.", "category": "vendor_fix", "group_ids": [ "CSAFGID-0001" ] } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "temporalScore": 7.5, "temporalSeverity": "HIGH", "environmentalScore": 7.5, "environmentalSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH" }, "products": [ "CSAFPID-31001", "CSAFPID-31002", "CSAFPID-31003", "CSAFPID-31004" ] } ] } ] }