Multiple Vulnerabilities In Wago 852 Industrial Managed Switch Series

Title

Multiple vulnerabilities

Product

WAGO 852 Industrial Managed Switch Series

Vulnerable Version

852-303: <v1.2.2.S0, 852-1305: <v1.1.6.S0, 852-1505: <v1.1.5.S0

Fixed Version

852-303: v1.2.2.S0, 852-1305: v1.1.6.S0, 852-1505: v1.1.5.S0

CVE Number

CVE-2019-12550, CVE-2019-12549

Impact

high

Found

08.03.2019

By

T. Weber (Office Vienna) | IoT Inspector | SEC Consult Vulnerability Lab

The industrial managed switch series 852 from WAGO is affected by multiple vulnerabilities resulting from old software components embedded in the firmware. Hardcoded password hashes and credentials were also found by doing an automated scan with IoT Inspector. Two vulnerabilities (CVE-2017-16544 and CVE-2015-0235) were verified by emulating the device with the MEDUSA scaleable firmware runtime. The validity of the password hashes and the embedded keys were also verified by emulating the device.

Vendor Description

“New ideas are the driving force behind our success WAGO is a family-owned company headquartered in Minden, Germany. Independently operating for three generations, WAGO is the global leader of spring pressure electrical interconnect and automation solutions. For more than 60 years, WAGO has developed and produced innovative products for packaging,  transportation, process, industrial and building automation markets amongst others. Aside from its innovations in spring pressure connection technology, WAGO has introduced numerous innovations that have revolutionized industry. Further ground-breaking inventions include: the WAGO-I/O-SYSTEM®, TOPJOB S® and WALL-NUTS®.”

Source: http://www.wago.us/wago

 

Business Recommendation

SEC Consult recommends to immediately apply the available patches from the vendor. A thorough security review should be performed by security professionals to identify further potential security issues.

 

Vulnerability Overview/Description

The industrial managed switch series 852 from WAGO is affected by multiple vulnerabilities such as old software components embedded in the firmware. Furthermore, hardcoded password hashes and credentials were also found by doing an automated scan with IoT Inspector. Two vulnerabilities (CVE-2017-16544 and CVE-2015-0235) were verified by emulating the device with the MEDUSA scaleable firmware runtime. The validity of the password hashes and the embedded keys were also verified by emulating the device.

1) Known BusyBox Vulnerabilities

The used BusyBox toolkit in version 1.12.0 is outdated and contains multiple known vulnerabilities. The outdated version was found by IoT Inspector. One of the discovered vulnerabilities (CVE-2017-16544) was verified by using the MEDUSA scaleable firmware runtime.

2) Known GNU glibc Vulnerabilities

The used GNU glibc in version 2.8 is outdated and contains multiple known vulnerabilities. The outdated version was found by IoT Inspector. One of the discovered vulnerabilities (CVE-2015-0235, “GHOST”) was verified by using the MEDUSA scaleable firmware runtime.

3) Hardcoded Credentials (CVE-2019-12550)

The device contains hardcoded users and passwords which can be used to login via SSH and Telnet.

4) Embedded Private Keys (CVE-2019-12549)

The device contains hardcoded private keys for the SSH daemon. The fingerprint of the SSH host key from the corresponding SSH daemon matches to the embedded private key.

Proof Of Concept

1) Known BusyBox Vulnerabilities

BusyBox version 1.12.0 contains multiple CVEs like:
CVE-2013-1813, CVE-2016-2148, CVE-2016-6301, CVE-2011-2716, CVE-2011-5325, CVE-2015-9261, CVE-2016-2147 and more.

The BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on an emulated device. A file with the name \ectest\n\e]55;test.txt\a was created to trigger the vulnerability.

# ls "pressing " test ]55;test.txt #

2) Known GNU glibc Vulnerabilities

GNU glibc version 2.8 contains multiple CVEs like:
CVE-2010-0296, CVE-2010-3856, CVE-2012-4412, CVE-2014-4043, CVE-2014-9402, CVE-2014-9761, CVE-2014-9984, CVE-2015-1472 and more.

The gethostbyname

 buffer overflow vulnerability (GHOST) was checked with the help of the exploit code from seclists.org/oss-sec/2015/q1/274. It was compiled and executed on the emulated device to test the system.

3) Hardcoded Credentials (CVE-2019-12550)

The following credentials were found in the passwd file of the firmware:

<Password Hash> <Plaintext> <User> <removed> <removed> root No password set for this account [EMPTY PASSWORD] admin

By using these credentials, it’s possible to connect via Telnet and SSH on the emulated device. Example for Telnet:

[root@localhost ~]# telnet 192.168.0.133 Trying 192.168.0.133... Connected to 192.168.0.133. Escape character is '^]'. L2SWITCH login: root Password: ~ #

Example for SSH:

[root@localhost ~]# ssh 192.168.0.133 root@192.168.0.133's password: ~ #

4) Embedded Private Keys (CVE-2019-12549)

The following host key fingerprint is shown by accessing the SSH daemon on the emulated device:

[root@localhost ~]# ssh 192.168.0.133 The authenticity of host '192.168.0.133 (192.168.0.133)' can't be established. RSA key fingerprint is SHA256:X5Vr0/x0/j62N/aqZmHz96ojwl8x/I8mfzuT8o6uZso. RSA key fingerprint is MD5:2e:65:85:fc:45:04:bd:68:30:74:51:45:7d:2f:95:e2.

This matches the embedded private key (which has been removed from this advisory):
SSH Fingerprint: 2e:65:85:fc:45:04:bd:68:30:74:51:45:7d:2f:95:e2

Vulnerable / Tested Versions

According to the vendor, the following versions are affected:

  • 852-303: <v1.2.2.S0
  • 852-1305: <v1.1.6.S0
  • 852-1505: <v1.1.5.S0

Vendor Contact Timeline

2019-03-12 Contacting VDE CERT through info@cert.vde.com, received confirmation.
2019-03-26 Asking for a status update, VDE CERT is still waiting for details.
2019-03-28 VDE CERT requests information from WAGO again.
2019-04-09 Asking for a status update.
2019-04-11 VDE CERT: patched firmware release planned for end of May, requested postponement of advisory release.
2019-04-16 VDE CERT: update regarding affected firmware versions.
2019-04-24 Confirming advisory release for beginning of June.
2019-05-20 Asking for a status update.
2019-05-22 VDE CERT: no news from WAGO yet, 5th June release date.
2019-05-29 Asking for a status update.
2019-05-29 VDE CERT: detailed answer from WAGO, patches will be published on 7th June, SEC Consult proposes new advisory release date for 12th June.
2019-06-07 VDE CERT provides security advisory information from WAGO; WAGO releases security patches.
2019-06-12 Coordinated release of security advisory.

Solution

The vendor provides patches to their customers. The following versions fix the issues:

  • 852-303: v1.2.2.S0
  • 852-1305: v1.1.6.S0
  • 852-1505: v1.1.5.S0

According to the vendor, busybox and glibc have been updated and the embedded private keys are being newly generated upon first boot and after a factory reset. The root login via Telnet and SSH has been disabled and the admin account is documented and can be changed by the customer.

Workaround

Restrict network access to the device & SSH server.

 

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

EOF Thomas Weber / @2019

Contact

Interested to work with the experts of SEC Consult? Send us your application.

Want to improve your own cyber security with the experts of SEC Consult?
Contact our local offices.