SEC Consult SA-20140710-3 :: Design Issue / Password Disclosure
SEC Consult Vulnerability Lab Security Advisory < 20140710-3 >
=======================================================================
title: Design Issue / Password Disclosure
product: All WAGO-I/O-SYSTEMs which provide a CODESYS V2.3 WebVisu
vulnerable version: Systems which are programmable with <= CODESYS V2.3.9.44
fixed version: -
impact: critical
homepage: http://global.wago.com/en/products/product-catalog/components-automation/overview/index.jsp
found: 2014-04-10
by: C. Kudera, S. Riegler
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"The WAGO-I/O-SYSTEM is a flexible fieldbus-independent solution for
decentralized automation tasks. With the relay, function and interface
modules, as well as overvoltage protection, WAGO provides a suitable interface
for any application."
Source: http://global.wago.com/en/products/product-catalog/components-automation/overview/index.jsp
Business recommendation:
------------------------
The WAGO-I/O-SYSTEM WebVisu can be used to control the components which are
connected to the WAGO controller. For example, the WAGO controller could be
used to steer a pump in a hydroelectric plant. If an attacker can access the
WebVisu, he may destroy the pump through wrong or extreme steering
configurations.
The WebVisu can be configured to use password authentication, so that access
to the controlling or steering functionality is only possible after
authentication. The vulnerability described in this advisory enables an
attacker to extract all configured passwords without authentication. The
attacker can then use the extracted passwords to access the WebVisu and
control the system.
Note that this vulnerability is critical since the WAGO controllers contain an
Ethernet interface, so depending on the network topology the controllers may
be accessible over the network or even from the Internet.
Vulnerability overview/description:
-----------------------------------
The WAGO-I/O-SYSTEM runs a web server through which the controller can be
configured. Additionally, a Java applet (called WebVisu) can be stored on the
web server. It is created with the CODESYS programming system. The purpose of
the WebVisu module is to give the user a graphical way to control the
components which are connected to the controller. Normally the WebVisu, if
deployed, is accessible without authentication.
CODESYS offers role-based access control in the form of working groups 0 to
7. Each object (e.g. button, slider, ...) stores the information which working
group may access, read or change it. After the WebVisu initialization the user
has working group 0 authorization.
In the CODESYS programming system it is possible to create a button which
executes the program "INTERN CHANGEUSERLEVEL". This shows the user a dialog
with the title "Change user level", in which he can select the user level and
must enter a password. If the password is correct, the current user level is
set to the selected user level.
Through the vulnerability an attacker can extract the password for every user
level without authentication. Hence he can access every functionality the
developer of the WebVisu has configured.
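The design issue behind this advisory is that the working-group passwords and
the permission checks end up on the client side, inside the applet, where an
unauthenticated user can read them. The following Python model is an added
example, not code from WAGO, CODESYS or SEC Consult, showing the defensive
alternative: the controller keeps only salted password hashes, performs the
"Change user level" check itself, and re-authorises every write against the
object's allowed working groups, so nothing the client downloads contains a
password. The class and object names (`Controller`, `VisuObject`, the sample
objects and passwords) are hypothetical and constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# CODESYS V2.3 WebVisu working groups 0..7, as described in the advisory.
WORKING_GROUPS = range(8)


@dataclass
class VisuObject:
    """A visualisation element and the working groups allowed to change it."""
    name: str
    write_groups: frozenset[int]   # constructed per-object permission set
    value: float = 0.0


@dataclass
class Session:
    token: str
    level: int = 0                 # every session starts in working group 0


class Controller:
    """Hypothetical server-side model: credentials never leave the controller."""

    def __init__(self, level_passwords: dict[int, str]):
        # Store salted hashes only; the applet (client) never receives these.
        self._creds: dict[int, tuple[bytes, bytes]] = {}
        for level, pw in level_passwords.items():
            if level not in WORKING_GROUPS:
                raise ValueError(f"invalid working group {level}")
            salt = os.urandom(16)
            self._creds[level] = (salt, self._hash(salt, pw))
        self._sessions: dict[str, Session] = {}
        self.objects: dict[str, VisuObject] = {}

    @staticmethod
    def _hash(salt: bytes, pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

    def add_object(self, obj: VisuObject) -> None:
        self.objects[obj.name] = obj

    def open_session(self) -> str:
        token = secrets.token_hex(16)
        self._sessions[token] = Session(token)
        return token

    def client_view(self, token: str) -> dict[str, float]:
        """What a client may download: object names and values, no credentials."""
        self._sessions[token]  # KeyError for an unknown session token
        return {n: o.value for n, o in self.objects.items()}

    def change_user_level(self, token: str, level: int, password: str) -> bool:
        """Server-side equivalent of the 'Change user level' dialog."""
        session = self._sessions[token]
        if level not in self._creds:
            return False
        salt, expected = self._creds[level]
        if not hmac.compare_digest(self._hash(salt, password), expected):
            return False
        session.level = level
        return True

    def write(self, token: str, name: str, value: float) -> bool:
        """Every write is re-authorised against the object's working groups."""
        session = self._sessions[token]
        obj = self.objects[name]
        if session.level not in obj.write_groups:
            return False
        obj.value = value
        return True


def demo() -> dict[str, bool]:
    # Constructed sample: anyone may acknowledge alarms, only group 7 steers the pump.
    plc = Controller({5: "operator-pw", 7: "maintenance-pw"})
    plc.add_object(VisuObject("pump_speed", frozenset({7})))
    plc.add_object(VisuObject("alarm_ack", frozenset(WORKING_GROUPS)))
    tok = plc.open_session()
    return {
        "state_has_no_plaintext": "maintenance-pw" not in repr(vars(plc)),
        "view_has_no_secrets": "operator-pw" not in repr(plc.client_view(tok)),
        "pump_write_at_level0": plc.write(tok, "pump_speed", 100.0),
        "ack_at_level0": plc.write(tok, "alarm_ack", 1.0),
        "wrong_pw": plc.change_user_level(tok, 7, "guess"),
        "level5_ok": plc.change_user_level(tok, 5, "operator-pw"),
        "pump_write_at_level5": plc.write(tok, "pump_speed", 100.0),
        "level7_ok": plc.change_user_level(tok, 7, "maintenance-pw"),
        "pump_write_at_level7": plc.write(tok, "pump_speed", 100.0),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the model is where the decisions are made: the client can only
ask for a level change or a write, and the controller answers yes or no.
Because the client never holds the password list, reading the applet or its
configuration yields no credentials, which is exactly the property the
vulnerable design lacks.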
Proof of concept:
-----------------
Since WAGO did not respond and the vulnerability has not been fixed, no proof
of concept is provided in this advisory.
Vulnerable / tested versions:
-----------------------------
The controller tested was WAGO-Application Controller 750-884.
Vendor contact timeline:
------------------------
2014-05-13: Contacted vendor through info@wago.com, requesting encryption keys
and attaching responsible disclosure policy (no answer)
2014-06-03: Contacted vendor again through info@wago.com, requesting encryption
keys and attaching responsible disclosure policy (no answer)
2014-07-10: SEC Consult releases security advisory
Solution:
---------
Since WAGO did not respond, no vendor solution can be provided. See the
workaround section for a workaround.
Workaround:
-----------
Delete the webvisu.jar file from the PLC directory via FTP, Telnet or SSH.
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF C. Kudera / @2014