SEC Consult Vulnerability Lab Security Advisory < 20140710-3 >
title: Design Issue / Password Disclosure
product: All WAGO-I/O-SYSTEMs which provide a CODESYS V2.3 WebVisu
vulnerable version: Systems which are programmable with <= CODESYS V220.127.116.11
fixed version: -
by: C. Kudera, S. Riegler
SEC Consult Vulnerability Lab
"The WAGO-I/O-SYSTEM is a flexible fieldbus-independent solution for
decentralized automation tasks. With the relay, function and interface
modules, as well as overvoltage protection, WAGO provides a suitable interface
for any application."
The WAGO-I/O-SYSTEM WebVisu can be used to control the components which are
connected to the WAGO Controller. For example the WAGO controller could be used
to steer a pump in a hydroelectric plant. If an attacker can access the WebVisu
he may destroy the pump through wrong or extreme steering configurations.
The WebVisu can be configured to use password authentication, so the access
to controlling or steering functionality is only possible with authentication.
The vulnerability described in this advisory enables an attacker to extract all
the configured passwords without authentication. The attacker can use the
extracted passwords to access the WebVisu and control the system.
Note that this vulnerability is critical since the WAGO Controllers contain an
Ethernet interface, so the controllers may be accessible over the network or even
the Internet belonging to the applied network topology.
The WAGO-I/O-SYSTEM runs a web server where the configuration of the controller
is possible. Additionally a Java Applet (called WebVisu) can be stored on the web
server. It can be created with the CODESYS programming system. The target of the
WebVisu module is to provide the user a graphical opportunity to control the
components which are connected to the controller. Normally the WebVisu, if
deployed, is accessible without authentication.
CODESYS offers the possibility of role based access control (working group 0 to
7). Each object (e.g. button, slider, ...) stores the information which working
group can access, read or change it. After the WebVisu initialization the user
has working group 0 authorization.
In the CODESYS programming system it's possible to create a button which
executes the program "INTERN CHANGEUSERLEVEL", which shows the user a dialog
with the title "Change user level". In the dialog he can select the user level
and must enter a password. If the password is correct the current user level is
set to the new user level.
Through the vulnerability an attacker can extract the password for every user
level without authentication. Hence he can access every functionality, the
developer of the WebVisu has configured.
Proof of concept:
Hence WAGO didn't react and the vulnerability was not fixed, no proof of concept
is provided in this advisory.
Vulnerable / tested versions:
The controller tested was WAGO-Application Controller 750-884.
Vendor contact timeline:
2014-05-13: Contacted vendor through firstname.lastname@example.org, requesting encryption keys
and attaching responsible disclosure policy (no answer)
2014-06-03: Contacted vendor again through email@example.com, requesting encryption
keys and attaching responsible disclosure policy (no answer)
2014-07-10: SEC Consult releases security advisory
Hence WAGO didn't react, no solution can be provided. See the workaround section
for a workaround.
Delete the webvisu.jar file in the plc directory via ftp, telnet or ssh.
SEC Consult Vulnerability Lab
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
EOF C. Kudera / @2014