Multiple vulnerabilities in WAGO 852 Industrial Managed Switch Series

Project Description

The industrial managed switch series 852 from WAGO is affected by multiple vulnerabilities resulting from old software components embedded in the firmware. Hardcoded password hashes and credentials were also found by doing an automated scan with IoT Inspector. Two vulnerabilities (CVE-2017-16544 and CVE-2015-0235) were verified by emulating the device with the MEDUSA scaleable firmware runtime. The validity of the password hashes and the embedded keys were also verified by emulating the device.


Vendor description

“New ideas are the driving force behind our success WAGO is a family-owned company headquartered in Minden, Germany. Independently operating for three generations, WAGO is the global leader of spring pressure electrical interconnect and automation solutions. For more than 60 years, WAGO has developed and produced innovative products for packaging,  transportation, process, industrial and building automation markets amongst others. Aside from its innovations in spring pressure connection technology, WAGO has introduced numerous innovations that have revolutionized industry. Further ground-breaking inventions include: the WAGO-I/O-SYSTEM®, TOPJOB S® and WALL-NUTS®.”

Source: http://www.wago.us/wago

 

Business recommendation

SEC Consult recommends to immediately apply the available patches from the vendor. A thorough security review should be performed by security professionals to identify further potential security issues.

 

Vulnerability overview/description

The industrial managed switch series 852 from WAGO is affected by multiple vulnerabilities such as old software components embedded in the firmware. Furthermore, hardcoded password hashes and credentials were also found by doing an automated scan with IoT Inspector. Two vulnerabilities (CVE-2017-16544 and CVE-2015-0235) were verified by emulating the device with the MEDUSA scaleable firmware runtime. The validity of the password hashes and the embedded keys were also verified by emulating the device.

1) Known BusyBox Vulnerabilities

The used BusyBox toolkit in version 1.12.0 is outdated and contains multiple known vulnerabilities. The outdated version was found by IoT Inspector. One of the discovered vulnerabilities (CVE-2017-16544) was verified by using the MEDUSA scaleable firmware runtime.

2) Known GNU glibc Vulnerabilities

The used GNU glibc in version 2.8 is outdated and contains multiple known vulnerabilities. The outdated version was found by IoT Inspector. One of the discovered vulnerabilities (CVE-2015-0235, “GHOST”) was verified by using the MEDUSA scaleable firmware runtime.

3) Hardcoded Credentials (CVE-2019-12550)

The device contains hardcoded users and passwords which can be used to login via SSH and Telnet.

4) Embedded Private Keys (CVE-2019-12549)

The device contains hardcoded private keys for the SSH daemon. The fingerprint of the SSH host key from the corresponding SSH daemon matches to the embedded private key.

Proof of concept

1) Known BusyBox Vulnerabilities

BusyBox version 1.12.0 contains multiple CVEs like:
CVE-2013-1813, CVE-2016-2148, CVE-2016-6301, CVE-2011-2716, CVE-2011-5325, CVE-2015-9261, CVE-2016-2147 and more.

The BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on an emulated device. A file with the name \ectest\n\e]55;test.txt\a was created to trigger the vulnerability.

# ls "pressing "
test
]55;test.txt 
#

2) Known GNU glibc Vulnerabilities

GNU glibc version 2.8 contains multiple CVEs like:
CVE-2010-0296, CVE-2010-3856, CVE-2012-4412, CVE-2014-4043, CVE-2014-9402, CVE-2014-9761, CVE-2014-9984, CVE-2015-1472 and more.

The gethostbyname buffer overflow vulnerability (GHOST) was checked with the help of the exploit code from https://seclists.org/oss-sec/2015/q1/274. It was compiled and executed on the emulated device to test the system.

3) Hardcoded Credentials (CVE-2019-12550)

The following credentials were found in the passwd file of the firmware:

                           
<Password Hash>                    <Plaintext>      <User>
<removed>                          <removed>         root
No password set for this account   [EMPTY PASSWORD]  admin

By using these credentials, it’s possible to connect via Telnet and SSH on the emulated device. Example for Telnet:

[root@localhost ~]# telnet 192.168.0.133
Trying 192.168.0.133...
Connected to 192.168.0.133.
Escape character is '^]'.

L2SWITCH login: root
Password: 
~ # 

Example for SSH:

[root@localhost ~]# ssh 192.168.0.133
root@192.168.0.133's password: 
~ # 

4) Embedded Private Keys (CVE-2019-12549)

The following host key fingerprint is shown by accessing the SSH daemon on the emulated device:

[root@localhost ~]# ssh 192.168.0.133
The authenticity of host '192.168.0.133 (192.168.0.133)' can't be established.
RSA key fingerprint is SHA256:X5Vr0/x0/j62N/aqZmHz96ojwl8x/I8mfzuT8o6uZso.
RSA key fingerprint is MD5:2e:65:85:fc:45:04:bd:68:30:74:51:45:7d:2f:95:e2.

This matches the embedded private key (which has been removed from this advisory):
SSH Fingerprint: 2e:65:85:fc:45:04:bd:68:30:74:51:45:7d:2f:95:e2

Vulnerable / tested versions

According to the vendor, the following versions are affected:

  • 852-303: <v1.2.2.S0
  • 852-1305: <v1.1.6.S0
  • 852-1505: <v1.1.5.S0

Vendor contact timeline

2019-03-12Contacting VDE CERT through info@cert.vde.com, received confirmation.
2019-03-26Asking for a status update, VDE CERT is still waiting for details.
2019-03-28VDE CERT requests information from WAGO again.
2019-04-09Asking for a status update.
2019-04-11VDE CERT: patched firmware release planned for end of May, requested postponement of advisory release.
2019-04-16VDE CERT: update regarding affected firmware versions.
2019-04-24Confirming advisory release for beginning of June.
2019-05-20Asking for a status update.
2019-05-22VDE CERT: no news from WAGO yet, 5th June release date.
2019-05-29Asking for a status update.
2019-05-29VDE CERT: detailed answer from WAGO, patches will be published on 7th June, SEC Consult proposes new advisory release date for 12th June.
2019-06-07VDE CERT provides security advisory information from WAGO; WAGO releases security patches.
2019-06-12Coordinated release of security advisory.

Solution

The vendor provides patches to their customers. The following versions fix the issues:

  • 852-303: v1.2.2.S0
  • 852-1305: v1.1.6.S0
  • 852-1505: v1.1.5.S0

According to the vendor, busybox and glibc have been updated and the embedded private keys are being newly generated upon first boot and after a factory reset. The root login via Telnet and SSH has been disabled and the admin account is documented and can be changed by the customer.

Workaround

Restrict network access to the device & SSH server.

 

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

EOF Thomas Weber / @2019

 

Interested to work with the experts of SEC Consult? Send us your application.
Want to improve your own cyber security with the experts of SEC Consult?
Contact our local offices.

Project Details

  • TitleMultiple vulnerabilities
  • ProductWAGO 852 Industrial Managed Switch Series
  • Vulnerable version852-303: <v1.2.2.S0, 852-1305: <v1.1.6.S0, 852-1505: <v1.1.5.S0
  • Fixed version852-303: v1.2.2.S0, 852-1305: v1.1.6.S0, 852-1505: v1.1.5.S0
  • CVE numberCVE-2019-12550, CVE-2019-12549
  • Impacthigh
  • Homepagehttps://www.wago.com
  • Found2019-03-08
  • ByT. Weber (Office Vienna) | IoT Inspector | SEC Consult Vulnerability Lab

Cookie Preference

Please select an option. You can find more information about the consequences of your choice at Help.

Select an option to continue

Your selection was saved!

Help

Help

To continue, you must make a cookie selection. Below is an explanation of the different options and their meaning.

  • Accept all cookies:
    All cookies such as tracking and analytics cookies.
  • Accept first-party cookies only:
    Only cookies from this website.
  • Reject all tracking cookies:
    No cookies except for those necessary for technical reasons are set.

You can change your cookie setting here anytime: Blog. Blog

Back