Positive Technologies Identifies Vulnerabilities in WAGO Industrial Controller
June 2021 by Positive Technologies
Positive Technologies experts Vyacheslav Moskvin and Sergey Fedonin have revealed two vulnerabilities in the firmware of the WAGO 750-8207 industrial controller, one of critical severity. The 750 series controllers are used for building automation for renewable energy sources at numerous installations: transformer stations and other power distribution facilities, in the petrochemical industry, water supply and other public utilities, shipbuilding, marine and coastal structures, for mechanical engineering, and other fields. The manufacturer has released security updates and recommendations on ways to reduce the risk.
Vulnerability CVE-2021-21001 is in the CODESYS 2.3 runtime component that is part of the WAGO controller firmware. Exploitation of this vulnerability requires authorization and network access to the controller.
“WAGO gave this vulnerability a CVSS 3.0 score of 9.1,” said Vladimir Nazarov, Head of ICS Security, Positive Technologies. “By exploiting this vulnerability, attackers can access the controller file system with read and write rights. Changes in the PLC file system may cause disruption of technological processes and even lead to industrial accidents.”
The second vulnerability, CVE-2021-21000 (CVSS 3.0 score of 5.3), was found in the iocheckd service developed by WAGO. It is designed to check the inputs and outputs of the PLC, as well as to display the PLC configuration. To exploit the vulnerability, no authorization is required—it’s enough to have network access. Exploitation may cause a sudden shutdown of the controller, and in turn interrupt technological processes.
To fix the vulnerability, organizations are advised to follow the recommendations in WAGO’s notice. The exploitation of this error (for example, if an update cannot be installed) can be detected using solutions for continuous information security monitoring and ICS incident management, such as PT Industrial Security Incident Manager.