Severe Flaws Let Hackers Gain Complete Control of Wago PLCs

Several programmable logic controllers (PLCs) made by German industrial automation company Wago have received updates fixing four vulnerabilities, including one that could be used to gain complete control of the target device. The flaws were identified by Ryan Pickren of Georgia Institute of Technology's Cyber-Physical Security Lab, who discovered them while working on a PhD dissertation on industrial control system (ICS) security.

Pickren has previously received substantial bug bounty rewards from Apple for flaws that could be used to hijack users' webcams and online accounts. While analyzing the Wago PLCs, he found several defects in the web-based management interface used to manage, commission, and update the devices.

Germany's CERT@VDE has published an advisory describing the vulnerabilities and listing the affected products and versions. Two of the issues were rated critical based on their CVSS scores. One of them, a missing-authentication flaw tracked as CVE-2022-45138, allows an unauthenticated attacker to read and change certain device settings, which can lead to a complete compromise of the controller.

The second critical flaw, CVE-2022-45140, allows an unauthenticated attacker to write arbitrary data with root privileges, which can likewise result in arbitrary code execution and a full system compromise. Pickren also discovered two medium-severity vulnerabilities: one can be used to conduct cross-site scripting (XSS) attacks, and the other leads to a less severe information disclosure.

“These bugs can be chained together and weaponized in two different ways: 1) direct network access (i.e. the adversary is within the ICS or is attacking an Internet-facing device) or 2) via cross-origin web requests (i.e. the adversary lures somebody within the ICS into viewing their malicious website). Neither scenario requires any user-interaction (besides just visiting the site) or permissions. The chain is completely unauthenticated,” said Pickren.
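The two paths in the quote above, direct network access and cross-origin requests forwarded by a victim's browser, fail against a management interface that neither authenticates state-changing requests nor verifies where they came from. The toy handler below is an added illustration of that general pattern, not code from the article, from Pickren, or from Wago, and it says nothing about how the actual Wago flaws work. It replays three constructed requests against a weak configuration, an authentication-only configuration, and a hardened one. The hostname, credentials, paths and header values are assumptions made up for the example.

```python
# Added example (not the article's, Pickren's or Wago's code): a minimal
# authorization policy for an embedded device's web management interface,
# exercised against the two attack paths the article describes.
# All hostnames, paths, credentials and header values are constructed.
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """A trimmed-down HTTP request as the device's handler would see it."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


class ManagementInterface:
    """Toy stand-in for a PLC's web-based configuration handler."""

    STATE_CHANGING = {"POST", "PUT", "DELETE"}

    def __init__(self, hostname, require_auth=True, check_origin=True):
        # The origin the device serves its own UI from (assumed HTTPS).
        self.own_origin = f"https://{hostname}"
        self.require_auth = require_auth
        self.check_origin = check_origin
        self.sessions = {}  # session token -> user name

    def login(self, user, password):
        """Constructed credential check; returns a session token or None."""
        if (user, password) != ("admin", "example-password"):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def write_config(self, req):
        """Return (HTTP status, reason) for a request that changes device settings."""
        if req.method not in self.STATE_CHANGING:
            return 405, "method not allowed"
        # Path 1: direct network access. Without authentication, anyone who
        # can reach the interface can change settings.
        if self.require_auth and req.cookies.get("session") not in self.sessions:
            return 401, "unauthenticated"
        # Path 2: cross-origin request. The victim's browser attaches the
        # session cookie itself, so authentication alone does not help; the
        # device must also verify that the request came from its own UI.
        if self.check_origin:
            fetch_site = req.headers.get("Sec-Fetch-Site")
            if fetch_site not in (None, "same-origin"):
                return 403, "cross-site request blocked"
            origin = req.headers.get("Origin")
            if origin is None:
                # Fall back to Referer; browsers send at least one of the two
                # on state-changing requests. Fail closed if neither is present.
                referer = req.headers.get("Referer", "")
                origin = "/".join(referer.split("/")[:3]) if referer else None
            if origin != self.own_origin:
                return 403, "cross-origin request blocked"
        return 200, "config updated"


def run_scenarios(require_auth, check_origin):
    """Replay three constructed requests and return their status codes:
    [direct unauthenticated, cross-origin with victim cookie, legitimate]."""
    dev = ManagementInterface("plc.example.local", require_auth, check_origin)
    token = dev.login("admin", "example-password")
    direct = Request("POST", "/config")
    cross = Request(
        "POST", "/config",
        headers={"Origin": "https://attacker.example", "Sec-Fetch-Site": "cross-site"},
        cookies={"session": token},
    )
    legit = Request(
        "POST", "/config",
        headers={"Origin": "https://plc.example.local", "Sec-Fetch-Site": "same-origin"},
        cookies={"session": token},
    )
    return [dev.write_config(r)[0] for r in (direct, cross, legit)]


if __name__ == "__main__":
    print("no auth, no origin check:", run_scenarios(False, False))   # [200, 200, 200]
    print("auth only:              ", run_scenarios(True, False))    # [401, 200, 200]
    print("auth + origin check:    ", run_scenarios(True, True))     # [401, 403, 200]
```

The middle row is the one worth noting: adding authentication closes the direct path but leaves the browser-relayed path open, because the cookie travels with the forged request. Rejecting requests whose `Origin`, `Referer` or `Sec-Fetch-Site` does not match the device's own UI (and failing closed when none is present) is what closes the second path; `SameSite` cookie defaults help but should not be the only control on a device that may be reached from arbitrary browsers inside a plant network.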

The researcher added that in a real-world attack, a threat actor could exploit these flaws to operate actuators at will, falsify sensor readings, and disable all safety mechanisms. Pickren said the flaws are part of a broader trend in ICS security that he will discuss in detail in a forthcoming academic paper.

About the author

Yehudah Sunshine

Bringing together his diverse professional cyber know-how, intellectual fascination with history and culture, and eclectic academic background focusing on diplomacy and the cultures of Central Asia, Yehudah Sunshine keenly blends his deep understanding of the global tech ecosystem with a nuanced worldview of the underlying socio-economic and political forces which drive policy and impact innovation in the cyber sectors. Yehudah's current work focuses on how to create opportunities, enhance marketing strategies and elevate cyber-driven thought leadership for cyfluencer (www.cyfluencer.com), the cybersecurity thought leadership platform. Sunshine has written and researched extensively within cybersecurity, the service sectors, international criminal accountability, Israel's economy, Israeli diplomatic inroads, Israeli innovation and technology, and Chinese economic policy.
