Design Issue / Password Disclosure

SEC Consult Vulnerability Lab Security Advisory < 20140710-3 >
=======================================================================
              title: Design Issue / Password Disclosure
            product: All WAGO-I/O-SYSTEMs which provide a CODESYS V2.3 WebVisu
 vulnerable version: Systems which are programmable with <= CODESYS V2.3.9.44
      fixed version: -
             impact: critical
           homepage: global.wago.com/en/products/product-catalog/components-automation/overview/index.jsp
              found: 2014-04-10
                 by: C. Kudera, S. Riegler
                     SEC Consult Vulnerability Lab
                     www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"The WAGO-I/O-SYSTEM is a flexible fieldbus-independent solution for
decentralized automation tasks. With the relay, function and interface
modules, as well as overvoltage protection, WAGO provides a suitable interface
for any application."

Source: global.wago.com/en/products/product-catalog/components-automation/overview/index.jsp

Business recommendation:
------------------------
The WAGO-I/O-SYSTEM WebVisu can be used to control the components which are
connected to the WAGO controller. For example, the WAGO controller could be
used to steer a pump in a hydroelectric plant. If an attacker can access the
WebVisu, he may destroy the pump through wrong or extreme steering
configurations.

The WebVisu can be configured to use password authentication, so that control
and steering functionality is only accessible after authentication. The
vulnerability described in this advisory enables an attacker to extract all
configured passwords without authentication. The attacker can then use the
extracted passwords to access the WebVisu and control the system.

Note that this vulnerability is critical since the WAGO controllers contain an
Ethernet interface, so the controllers may be accessible over the network or
even the Internet, depending on the network topology in use.

Vulnerability overview/description:
-----------------------------------
The WAGO-I/O-SYSTEM runs a web server through which the controller can be
configured. Additionally, a Java applet (called WebVisu) can be stored on the
web server. It can be created with the CODESYS programming system. The purpose
of the WebVisu module is to give the user a graphical way to control the
components which are connected to the controller. Normally the WebVisu, if
deployed, is accessible without authentication.

CODESYS offers role-based access control (working groups 0 to 7). Each object
(e.g. button, slider, ...) stores the information about which working group can
access, read or change it. After the WebVisu initialization the user has
working group 0 authorization.

In the CODESYS programming system it is possible to create a button which
executes the program "INTERN CHANGEUSERLEVEL", which shows the user a dialog
with the title "Change user level". In the dialog he can select the user level
and must enter a password. If the password is correct, the current user level
is set to the new user level.

Through the vulnerability an attacker can extract the password for every user
level without authentication. Hence he can access every function that the
developer of the WebVisu has configured.

Proof of concept:
-----------------
Since WAGO didn't react and the vulnerability was not fixed, no proof of
concept is provided in this advisory.

Vulnerable / tested versions:
-----------------------------
The controller tested was WAGO-Application Controller 750-884.

Vendor contact timeline:
------------------------
2014-05-13: Contacted vendor through info@wago.com, requesting encryption keys
            and attaching responsible disclosure policy (no answer)
2014-06-03: Contacted vendor again through info@wago.com, requesting encryption
            keys and attaching responsible disclosure policy (no answer)
2014-07-10: SEC Consult releases security advisory

Solution:
---------
Since WAGO didn't react, no solution can be provided. See the workaround
section for a workaround.

Workaround:
-----------
Delete the webvisu.jar file in the plc directory via ftp, telnet or ssh.

Advisory URL:
-------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail:    research at sec-consult dot com
Web:     www.sec-consult.com
Blog:    blog.sec-consult.com
Twitter: twitter.com/sec_consult

EOF C. Kudera / @2014