VDE-2020-045

Vulnerability from csaf_wagogmbhcokg - Published: 2020-12-17 09:02 - Updated: 2025-05-14 12:53
Summary
WAGO: Command Injection Vulnerability in I/O-Check Service of multiple products
Notes
Summary: The reported vulnerability allows an attacker who has network access to the device to execute code with specially crafted packets.
Impact: By exploiting the described vulnerabilities the attacker potentially is able to manipulate or disrupt the device.
Mitigation: * Disable I/O-Check service * Restrict network access to the device. * Do not directly connect the device to the internet.
Remediation: The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities. Regardless to the action described above, the vulnerability has been fixed in FW11, released in December 2017.
CVE-2020-12522

The reported vulnerability allows an attacker who has network access to the device to execute code with specially crafted packets in WAGO Series PFC 100 (750-81xx/xxx-xxx), Series PFC 200 (750-82xx/xxx-xxx), Series Wago Touch Panel 600 Standard Line (762-4xxx), Series Wago Touch Panel 600 Advanced Line (762-5xxx), Series Wago Touch Panel 600 Marine Line (762-6xxx) with firmware versions <=FW10.

9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Mitigation * Disable I/O-Check service * Restrict network access to the device. * Do not directly connect the device to the internet.
Vendor Fix The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities. Regardless to the action described above, the vulnerability has been fixed in FW11, released in December 2017.
References
Acknowledgments
CERTVDE certvde.com
To clipboard 

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERTVDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "The reported vulnerability allows an attacker who has network access to the device to execute code with specially crafted packets.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "By exploiting the described vulnerabilities the attacker potentially is able to manipulate or disrupt the device.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "* Disable I/O-Check service \n* Restrict network access to the device. \n* Do not directly connect the device to the internet.\n",
        "title": "Mitigation"
      },
      {
        "category": "description",
        "text": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.\n\nRegardless to the action described above, the vulnerability has been fixed in FW11, released in December 2017.",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@wago.com",
      "name": "WAGO GmbH \u0026 Co. KG",
      "namespace": "https://www.wago.com/psirt"
    },
    "references": [
      {
        "category": "external",
        "summary": "WAGO GmbH \u0026 Co. KG",
        "url": "https://www.wago.com/psirt"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories",
        "url": "https://certvde.com/en/advisories/vendor/wago/"
      },
      {
        "category": "self",
        "summary": "VDE-2020-045: WAGO: Command Injection Vulnerability in I/O-Check Service of multiple products - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2020-045/"
      },
      {
        "category": "self",
        "summary": "VDE-2020-045: WAGO: Command Injection Vulnerability in I/O-Check Service of multiple products - CSAF",
        "url": "https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2020/vde-2020-045.json"
      }
    ],
    "title": "WAGO: Command Injection Vulnerability in I/O-Check Service of multiple products",
    "tracking": {
      "aliases": [
        "VDE-2020-045"
      ],
      "current_release_date": "2025-05-14T12:53:43.000Z",
      "generator": {
        "date": "2020-12-17T09:02:00.000Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.11"
        }
      },
      "id": "VDE-2020-045",
      "initial_release_date": "2020-12-17T09:02:00.000Z",
      "revision_history": [
        {
          "date": "2020-12-17T09:02:00.000Z",
          "number": "1",
          "summary": "initial revision"
        },
        {
          "date": "2024-11-06T11:27:01.000Z",
          "number": "2",
          "summary": "Fix: added self-reference"
        },
        {
          "date": "2025-05-14T12:53:43.000Z",
          "number": "3",
          "summary": "Fix: version space, added distribution"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "750-81xx/xxx-xxx",
                "product": {
                  "name": "750-81xx/xxx-xxx",
                  "product_id": "CSAFPID-11001",
                  "product_identification_helper": {
                    "model_numbers": [
                      "750-81xx/xxx-xxx"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "750-82xx/xxx-xxx",
                "product": {
                  "name": "750-82xx/xxx-xxx",
                  "product_id": "CSAFPID-11002",
                  "product_identification_helper": {
                    "model_numbers": [
                      "750-82xx/xxx-xxx"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "762-4xxx",
                "product": {
                  "name": "762-4xxx",
                  "product_id": "CSAFPID-11003",
                  "product_identification_helper": {
                    "model_numbers": [
                      "762-4xxx"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "762-5xxx",
                "product": {
                  "name": "762-5xxx",
                  "product_id": "CSAFPID-11004",
                  "product_identification_helper": {
                    "model_numbers": [
                      "762-5xxx"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "762-6xxx",
                "product": {
                  "name": "762-6xxx",
                  "product_id": "CSAFPID-11005",
                  "product_identification_helper": {
                    "model_numbers": [
                      "762-6xxx"
                    ]
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=FW10",
                "product": {
                  "name": "Firmware WAGO GmbH \u0026 Co. KG \u003c=FW10",
                  "product_id": "CSAFPID-21001"
                }
              },
              {
                "category": "product_version",
                "name": "FW11",
                "product": {
                  "name": "Firmware WAGO GmbH \u0026 Co. KG FW11",
                  "product_id": "CSAFPID-22001"
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "WAGO GmbH \u0026 Co. KG"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005"
        ],
        "summary": "Affected Products"
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005"
        ],
        "summary": "Fixed Products"
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware WAGO GmbH \u0026 Co. KG \u003c=FW10 installed on 750-81xx/xxx-xxx",
          "product_id": "CSAFPID-31001"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware WAGO GmbH \u0026 Co. KG FW11 installed on 750-81xx/xxx-xxx",
          "product_id": "CSAFPID-32001"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware WAGO GmbH \u0026 Co. KG \u003c=FW10 installed on 750-82xx/xxx-xxx",
          "product_id": "CSAFPID-31002"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware WAGO GmbH \u0026 Co. KG FW11 installed on 750-82xx/xxx-xxx",
          "product_id": "CSAFPID-32002"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware WAGO GmbH \u0026 Co. KG \u003c=FW10 installed on 762-4xxx",
          "product_id": "CSAFPID-31003"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware WAGO GmbH \u0026 Co. KG FW11 installed on 762-4xxx",
          "product_id": "CSAFPID-32003"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware WAGO GmbH \u0026 Co. KG \u003c=FW10 installed on 762-5xxx",
          "product_id": "CSAFPID-31004"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11004"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware WAGO GmbH \u0026 Co. KG FW11 installed on 762-5xxx",
          "product_id": "CSAFPID-32004"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11004"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware WAGO GmbH \u0026 Co. KG \u003c=FW10 installed on 762-6xxx",
          "product_id": "CSAFPID-31005"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11005"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware WAGO GmbH \u0026 Co. KG FW11 installed on 762-6xxx",
          "product_id": "CSAFPID-32005"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11005"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-12522",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "The reported vulnerability allows an attacker who has network access to the device to execute code with specially crafted packets in WAGO Series PFC 100 (750-81xx/xxx-xxx), Series PFC 200 (750-82xx/xxx-xxx), Series Wago Touch Panel 600 Standard Line (762-4xxx), Series Wago Touch Panel 600 Advanced Line (762-5xxx), Series Wago Touch Panel 600 Marine Line (762-6xxx) with firmware versions \u003c=FW10.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "* Disable I/O-Check service \n* Restrict network access to the device. \n* Do not directly connect the device to the internet.\n",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.\n\nRegardless to the action described above, the vulnerability has been fixed in FW11, released in December 2017.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 9.8,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 9.8,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005"
          ]
        }
      ],
      "title": "CVE-2020-12522"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.