Date: Thu, 10 Jul 2014 12:12:08 +0200
From: SEC Consult Vulnerability Lab <research@...-consult.com>
To: <bugtraq@...urityfocus.com>, <fulldisclosure@...lists.org>
Subject: SEC Consult SA-20140710-3 :: Design Issue / Password Disclosure in
 WAGO-I/O-SYSTEM with CODESYS V2.3 WebVisu

SEC Consult Vulnerability Lab Security Advisory < 20140710-3 >
=======================================================================
              title: Design Issue / Password Disclosure
            product: All WAGO-I/O-SYSTEMs which provide a CODESYS V2.3 WebVisu
 vulnerable version: Systems which are programmable with <= CODESYS V2.3.9.44
      fixed version: -
             impact: critical
           homepage: http://global.wago.com/en/products/product-catalog/
                     components-automation/overview/index.jsp
              found: 2014-04-10
                 by: C. Kudera, S. Riegler
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"The WAGO-I/O-SYSTEM is a flexible fieldbus-independent solution for
decentralized automation tasks. With the relay, function and interface
modules, as well as overvoltage protection, WAGO provides a suitable interface
for any application."

Source: http://global.wago.com/en/products/product-catalog/
        components-automation/overview/index.jsp


Business recommendation:
------------------------
The WAGO-I/O-SYSTEM WebVisu can be used to control the components which are
connected to the WAGO controller. For example, the WAGO controller could be used
to control a pump in a hydroelectric plant. If an attacker can access the
WebVisu, he may destroy the pump through wrong or extreme control settings.

The WebVisu can be configured to use password authentication, so that the
controlling or steering functionality is accessible only after authentication.
The vulnerability described in this advisory enables an attacker to extract all
the configured passwords without authentication. The attacker can use the
extracted passwords to access the WebVisu and control the system.

Note that this vulnerability is critical since the WAGO controllers contain an
Ethernet interface, so the controllers may be accessible over the network or even
the Internet, depending on the network topology in use.


Vulnerability overview/description:
-----------------------------------
The WAGO-I/O-SYSTEM runs a web server through which the controller can be
configured. Additionally, a Java applet (called WebVisu) can be stored on the web
server. It can be created with the CODESYS programming system. The purpose of the
WebVisu module is to give the user a graphical interface for controlling the
components which are connected to the controller. Normally the WebVisu, if
deployed, is accessible without authentication.

CODESYS offers role-based access control (working groups 0 to 7). Each object
(e.g. button, slider, ...) stores which working groups can access, read or
change it. After the WebVisu initialization the user has working group 0
authorization.

In the CODESYS programming system it's possible to create a button which
executes the program "INTERN CHANGEUSERLEVEL", which shows the user a dialog
with the title "Change user level". In the dialog he can select the user level
and must enter a password. If the password is correct the current user level is
set to the new user level.

Through the vulnerability an attacker can extract the password for every user
level without authentication. Hence he can access all functionality that the
developer of the WebVisu has configured.


Proof of concept:
-----------------
Since WAGO did not react and the vulnerability was not fixed, no proof of concept
is provided in this advisory.


Vulnerable / tested versions:
-----------------------------
The controller tested was WAGO-Application Controller 750-884.


Vendor contact timeline:
------------------------
2014-05-13: Contacted vendor through info@...o.com, requesting encryption keys
            and attaching responsible disclosure policy (no answer)
2014-06-03: Contacted vendor again through info@...o.com, requesting encryption
            keys and attaching responsible disclosure policy (no answer)
2014-07-10: SEC Consult releases security advisory


Solution:
---------
Since WAGO did not react, no solution can be provided. See the workaround section
for a workaround.


Workaround:
-----------
Delete the webvisu.jar file in the plc directory via FTP, Telnet or SSH.
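
One way to apply this workaround to several controllers over FTP, as an added
example that is not part of the original advisory or of any vendor tooling. It
uses Python's ftplib; the exact path and case of the plc directory, the FTP
account and the host list are assumptions.

```python
"""Apply the workaround over FTP: remove webvisu.jar from the plc directory."""
import ftplib
import getpass
import sys

PLC_DIR = "plc"         # directory named in the advisory; exact path/case is an assumption
APPLET = "webvisu.jar"  # file named in the advisory


def applet_entries(ftp):
    """Names in the current directory matching the applet, ignoring case."""
    return [n for n in ftp.nlst() if n.rsplit("/", 1)[-1].lower() == APPLET]


def apply_workaround(ftp, dry_run=True):
    """Takes a logged-in ftplib.FTP; returns absent/present/removed/failed."""
    ftp.cwd(PLC_DIR)
    hits = applet_entries(ftp)
    if not hits:
        return "absent"
    if dry_run:
        return "present"
    for name in hits:
        ftp.delete(name)
    # Re-list so a silently ignored delete is reported, not assumed successful.
    return "failed" if applet_entries(ftp) else "removed"


def audit(hosts, user, password, dry_run=True, connect=ftplib.FTP):
    """Check (and optionally fix) each controller; returns {host: status}."""
    results = {}
    for host in hosts:
        try:
            with connect(host, timeout=10) as ftp:
                ftp.login(user, password)
                results[host] = apply_workaround(ftp, dry_run)
        except ftplib.all_errors as exc:
            results[host] = f"error: {exc}"
    return results


if __name__ == "__main__":
    hosts = [a for a in sys.argv[2:] if a != "--delete"]
    if not hosts:
        sys.exit("usage: webvisu_workaround.py USER HOST [HOST ...] [--delete]")
    pw = getpass.getpass("FTP password: ")
    for host, status in audit(hosts, sys.argv[1], pw, "--delete" not in sys.argv).items():
        print(host, status)
```

Without --delete the script only reports which controllers still hold the
applet; a "failed" status means the file was still listed after the delete.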


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF C. Kudera / @2014

