It wasn’t that long ago when a report came out saying there was a “hard-coded” credentials and improper access controls vulnerability in the WAGO I/O System 758 product line.
This report came out without coordination with ICS-CERT or with the vendor. After further research, there is, in fact, a problem with improper authentication, but it is with a third-party vendor and not WAGO. The problem exists, but the company is different.
The improper authentication vulnerability is in multiple WAGO products.
So now, ICS-CERT is coordinating this vulnerability with 3-S Smart Software Solutions, the third-party supplier.
WAGO confirmed its I/O System 758 products use default operating system credentials. These credentials ended up disclosed, but WAGO provided no information on how to change the default passwords. WAGO released a procedure with additional documentation on how to change the default operating system passwords in Models 758-874, 758-875, and 758-876. WAGO also released a best security practices document that makes recommendations on how to best secure its industrial control system (ICS) products.
These vulnerabilities are exploitable remotely and proof-of-concept (PoC) exploits are known to exist.
The following WAGO products suffer from the issue:
• I/O System 758, Model 758-870,
• I/O System 758, Model 758-874,
• I/O System 758, Model 758-875, and
• I/O System 758, Model 758-876.
Attackers are able to exploit these vulnerabilities by using the default credentials to gain unauthorized administrative access to the systems.
WAGO is an international company based in Germany and they operate production facilities in Germany, Switzerland, Poland, China, and India. WAGO maintains offices worldwide.
According to WAGO, its products deploy across several sectors including manufacturing, building automation, electric generation, transportation, and others.
The operating system software of the WAGO I/O System 758 product line uses three user accounts with default passwords and no method to change these passwords. An attacker could use the default password to gain administrative control through the Telnet service of the system leading to a loss of integrity, loss of confidentiality, or loss of availability. CVE-2012-3013 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.
WAGO IPCs offer the 3-S Smart Software Solutions CoDeSys runtime to program the IPC similar to a programmable logic controller. The CoDeSys software allows unauthenticated connections to the server to run arbitrary commands. This could allow possible remote code execution. A separate advisory with a CVE number and CVSS score for this vulnerability will come out as more information becomes available.
WAGO developed a procedure for the I/O System 758, Models 758-874, 758-875, and 758-876 that allows users to change passwords for their default operating system accounts.
The WAGO Security Settings Application Note discusses changing the Web-based Management passwords as well as the Linux console passwords and list security recommendations for their customers.
This procedure does not provide instructions to change the default passwords on the I/O System 758, Model 758-870 as the company is not longer making it. WAGO released a cyber security notification to its customers that details the best security settings and practices for its ICS products.