Full Report
Nozomi Networks Labs identified several security vulnerabilities in the Wago PLC 750-8216/025-001, a programmable logic controller used in... The post Nozomi detects security vulnerabilities in Wago PLC; firmware updated to prevent privilege escalation appeared first on Industrial Cyber.
Analysis Summary
# Vulnerability: Chained Vulnerabilities in Wago PLC Enable Privilege Escalation via Web Interface
## CVE Details
- CVE ID: CVE-2024-41969, CVE-2024-41971, CVE-2024-41973 (Multiple CVEs mentioned)
- CVSS Score: CVE-2024-41969: 7.1 (High); CVE-2024-41971: 6.5 (Medium); CVE-2024-41972: 4.9 (Low)
- CWE: Broken Access Control (CWE-284); Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
## Affected Systems
- Products: Wago PLC 750-8216/025-001 (and other Wago devices confirmed by Wago) utilizing integrated CODESYS.
- Versions: Specific vulnerable firmware versions are not listed in the source; firmware released before the vendor's fix should be treated as affected.
- Configurations: Devices with the web interface accessible, typically used for configuration and management by 'user' level accounts.
## Vulnerability Description
A chain of vulnerabilities exists within the Wago PLC 750-8216/025-001, primarily stemming from issues in its web interface and underlying CODESYS integration. The most critical chain involves:
1. **Broken Access Control (CVE-2024-41969):** A low-privileged 'user' can bypass authentication requirements for the CODESYS client via the web interface.
2. **Path Traversal (CVE-2024-41971/CVE-2024-41973):** Once authenticated (or once authentication has been bypassed), an attacker can use path traversal flaws in the engineering application to upload and execute arbitrary code.
3. **Arbitrary Code Execution (Implied by Chained Exploitation):** The culmination of these flaws allows an attacker to execute code with root privileges, gaining full administrative control over the PLC.
Other vulnerabilities identified include unauthorized access to diagnostic data and the ability to delete or read arbitrary files on the system.
## Exploitation
- Status: PoC available (Implied by researchers detailing the chain); Not explicitly stated as exploited in the wild, but the potential for chaining suggests high risk.
- Complexity: Low to Medium (Requires authentication as a low-privileged user, but the chain facilitates privilege escalation).
- Attack Vector: Adjacent (Via the accessible web interface or CODESYS client connection).
## Impact
- Confidentiality: High (Arbitrary file reading, access to sensitive data)
- Integrity: High (Ability to upload and execute code, alter system configurations)
- Availability: Critical (Ability to disrupt processes, cause system shutdowns or damage to physical infrastructure)
## Remediation
### Patches
- Wago has released new firmware for each vulnerable device to resolve these security issues. Users should consult the vendor advisory for specific firmware versions addressing CVE-2024-41969, CVE-2024-41971, CVE-2024-41973, and related IDs.
### Workarounds
- Restrict network access to the PLC's web interface and CODESYS client ports to only trusted internal network segments or jump boxes.
- Strongly enforce least-privilege principles for all management accounts.
## Detection
- Indicators of compromise: Unusual file modifications or deletions within the PLC file system structure, unexpected connectivity attempts to the CODESYS port from unauthorized IPs, or changes in system configuration settings without documented maintenance activity.
- Detection methods and tools: Monitor firewall and IDS/IPS logs for unusual traffic patterns targeting the PLC management ports (typically HTTP/HTTPS for the web interface and potentially vendor-specific ports for CODESYS). Use OT-specific security tools to monitor command execution and file integrity on the PLC.
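The following is an added example, not code from Nozomi Networks, Wago or Industrial Cyber, showing the second detection method above as a small script: it reads firewall connection records and flags attempts to reach the PLC's management ports from addresses outside an allowed engineering subnet. The log format, the PLC and subnet addresses, and the sample lines are constructed for illustration; ports 80/443 stand for the web interface and 11740 is used as an assumed placeholder for the CODESYS runtime port, so substitute the port your runtime actually listens on.

```python
"""Flag connection attempts to PLC management ports from untrusted sources.

Added example (not from the Nozomi/Wago advisory). The log format, the
addresses and the port list are constructed assumptions for illustration.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample firewall log lines (assumed format, not real traffic).
SAMPLE_LOG = """\
2024-07-01T08:00:01 ACCEPT src=10.10.5.12 dst=10.20.1.50 proto=tcp dport=443
2024-07-01T08:02:10 ACCEPT src=192.168.77.9 dst=10.20.1.50 proto=tcp dport=443
2024-07-01T08:02:11 ACCEPT src=192.168.77.9 dst=10.20.1.50 proto=tcp dport=11740
2024-07-01T08:03:00 DROP src=192.168.77.9 dst=10.20.1.50 proto=tcp dport=80
2024-07-01T08:05:00 ACCEPT src=192.168.77.9 dst=10.20.1.60 proto=tcp dport=443
2024-07-01T08:06:00 ACCEPT src=10.10.5.12 dst=10.20.1.50 proto=tcp dport=502
this line is malformed and must be skipped, not crash the detector
"""

# PLC addresses and the management ports worth watching. 80/443 carry the
# web interface; 11740 is an assumed placeholder for the CODESYS runtime
# port (check the port your runtime actually listens on).
PLC_ADDRS = {"10.20.1.50"}
PLC_MGMT_PORTS = {80: "web-http", 443: "web-https", 11740: "codesys"}

# Hypothetical engineering VLAN / jump-host subnet allowed to manage the PLC.
TRUSTED_NETS = [ipaddress.ip_network("10.10.5.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_trusted(ip):
    """True when the source address lies inside an allowed management subnet."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def detect(lines):
    """Return one finding per connection attempt from an untrusted source to a
    PLC management port. Accepted connections rank higher than dropped ones:
    an ACCEPT means the segmentation control is missing, a DROP means it held."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] not in PLC_ADDRS:
            continue
        service = PLC_MGMT_PORTS.get(rec["dport"])
        if service is None or is_trusted(rec["src"]):
            continue
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dst": rec["dst"],
            "port": rec["dport"],
            "service": service,
            "severity": "high" if rec["action"] == "ACCEPT" else "medium",
            "reason": f"{rec['action']} from untrusted {rec['src']} to {service}",
        })
    return findings


def summarize(findings):
    """Count findings per source address so a host sweeping several ports stands out."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"[{f['severity']}] {f['ts']} {f['reason']} (port {f['port']})")
    print("per-source totals:", dict(summarize(hits)))
```

Run against the constructed sample, the script reports three findings, all from 192.168.77.9: two accepted connections to the web and CODESYS ports (high) and one dropped probe of port 80 (medium). Traffic from the trusted subnet, traffic to a non-PLC host, and traffic to a non-management port produce nothing, and the malformed line is skipped rather than raising. In practice the allowlist and port map would come from the asset inventory rather than being hard-coded.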
## References
- Vendor Advisories: Wago Advisory (Search for the specific advisory related to Nozomi findings on PLC 750-8216/025-001 firmware updates)
- Relevant links: nozominetworks.com/blog/vulnerabilities-in-wago-plcs