All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
This Alert Update is a follow-up to the original ICS-CERT Alert titled ICS-ALERT-12-020-07—WAGO I/O 750 Multiple Vulnerabilities that was published January 20, 2012, on the ICS-CERT Web page.
--------- Begin Update A Part 1 of 2 --------
The reported vulnerabilities from DSecRG have been coordinated with WAGO. WAGO has determined that the vulnerabilities can be mitigated by adjusting system configurations of services not in use.
WAGO has released a customer cybersecurity notification on best security practicesa for its products.
--------- End Update A Part 1 of 2 ----------
ICS-CERT is aware of a public report of multiple vulnerabilities with proof-of-concept (PoC) exploit code affecting the WAGO I/O System 750, a controller product. According to the Wego website, the Wego I/O System 750 is used in the industrial automation, building automation, marine automation, and on and offshore applications. These reports were released by Digital Security Research Group (DSecRG) without coordination with either the vendor or ICS-CERT.
ICS-CERT has notified WAGO of this report and has asked the vendor to confirm the vulnerability and identify mitigations. ICS-CERT is issuing this alert to provide early notice of the report and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.
The report included vulnerability details and PoC exploit code for the following vulnerabilities:
|Data leakage||Remote||Download firmware|
|Data leakage||Remote||Data leakage|
|Unauthorized access||Remote||Denial of service / loss of system integrity|
Please report any issues affecting control systems in critical infrastructure environments to ICS-CERT.
ICS-CERT has coordinated with WAGO and the security researcher to identify mitigations. WAGO has determined that the reported vulnerabilities can be mitigated through system configuration.
--------- Begin Update A Part 2 of 2 --------
Data Leakage Resulting in a Download of Firmware
In Section 10.4 of the WAGO I/O 750-841 User’s Manual, Ports 44818/TCP and 2222/UDP can be disabled, thereby disabling the Web Based Management system preventing the download of firmware. WAGO recommends that these ports remain disabled when not being actively used. Section 220.127.116.11 recommends installing controllers behind firewalls.
Data Leakage Resulting in a Download of Confidentiality
In Section 10.4 of the WAGO I/O 750-841 User’s Manual, Port 80/TCP can be disabled, thereby disabling the Web Based Management system. WAGO recommends that these ports remain disabled when not being actively used. Section 18.104.22.168 recommends using controllers behind firewalls.
Unauthorized Access Resulting In A Denial of Service or Loss of System Integrity
The 750-841 provides a Web Server Authentication function. By default, this function is enabled, but it may be disabled. If enabled, the previous password must first be entered before the password can be changed. If disabled, the password may be changed without first entering the previous password. WAGO recommends this function remain enabled. A description of the Web Server Authentication can be found in Section 10.8 of the WAGO I/O 750-841 User’s Manual.
These features can be found in the WAGO I/O 750-841 User’s Manual.
--------- End Update A Part 2 of 2 ----------
ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
- Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.b
- Locate control system networks and devices behind firewalls, and isolate them from the business
- If remote access is required, employ secure methods, such as Virtual Private Networks (VPNs),
recognizing that VPN is only as secure as the connected devices.
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
The Control Systems Security Program (CSSP) also provides a recommended practices section for control systems on the US-CERT website. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
For any questions related to this report, please contact the NCCIC at:
Toll Free: 1-888-282-0870
The NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.