High Exposure of Wago Web-Based Management System (WBM) puts Critical Infrastructure (CI) at risk of Cyber-attacks
On February 27, 2023, VDE Cert released a security advisory for Multiple Vulnerabilities in Wago Web-Based Management (WBM) of Multiple Products. The vulnerabilities were reported to WAGO by Ryan Pickren from Georgia Institute of Technology’s Cyber-Physical Security Lab.
WAGO Web-Based Management (WBM) is a software solution developed by WAGO, a German manufacturer of automation technology products. WBM allows users to monitor, configure, and control WAGO Programmable Logic Controllers (PLCs) and remote I/O modules through a web browser interface.
The WBM system is designed to give users an intuitive interface for managing their automation systems remotely via a web browser. With WBM, users can perform tasks such as monitoring the status of their automation systems, modifying program parameters, setting up alarms and notifications, and diagnosing faults and errors. The system also supports data logging and trending, allowing users to analyze historical data and identify trends in their automation processes.
As per the security advisory, there are four vulnerabilities in WBM: two fall under the Critical severity category and the other two under the Medium severity category. The details of each vulnerability are given below.
Weakness: Missing Authentication for Critical Function
Summary: Unauthenticated users can use the web-based management’s configuration backend, although only authenticated users should be able to use the API. The vulnerability allows an unauthenticated attacker to read and set several device parameters that can lead to full compromise of the device.
Weakness: Missing Authentication for Critical Function
Summary: The configuration backend allows an unauthenticated user to write arbitrary data with root privileges to the storage, which could lead to unauthenticated remote code execution and full system compromise.
Weakness: Cross-Site Scripting
Summary: The configuration backend of the web-based management is vulnerable to reflected XSS (Cross-Site Scripting) attacks that target the users’ browser. This leads to a limited impact on confidentiality and integrity but no impact on availability.
Weakness: Origin Validation Error
Summary: A CORS Misconfiguration in the web-based management allows a malicious third-party webserver to misuse all basic information pages on the webserver. Combined with CVE-2022-45138, this could lead to the disclosure of device information like CPU diagnostics. The impact only affects a small subset of confidential data, as only a limited amount of information is readable.
The table below provides details about the affected products.

| Article No | Product Name | Affected Version |
|---|---|---|
| 751-9301 | Compact Controller CC100 | FW16 <= FW22 |
| 751-9301 | Compact Controller CC100 | = FW23 |
| 752-8303/8000-002 | Edge Controller | = FW23 |
| 752-8303/8000-002 | Edge Controller | FW18 <= FW22 |
| 750-81xx/xxx-xxx | PFC100 | FW16 <= FW22 |
| 750-82xx/xxx-xxx | PFC200 | FW16 <= FW22 |
| 762-5xxx | Touch Panel 600 Advanced Line | FW16 <= FW22 |
| 762-5xxx | Touch Panel 600 Advanced Line | = FW23 |
| 762-6xxx | Touch Panel 600 Marine Line | FW16 <= FW22 |
| 762-6xxx | Touch Panel 600 Marine Line | = FW23 |
| 762-4xxx | Touch Panel 600 Standard Line | FW16 <= FW22 |
| 762-4xxx | Touch Panel 600 Standard Line | = FW23 |
Given their severity, CVE-2022-45138 and CVE-2022-45140 fall into the Critical category and can be exploited by unauthenticated users. Owners of the affected products should update to the fixed firmware (FW22 Patch 1, or FW24 or higher) released by the official vendor.
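As an added example (not code from the advisory or from the original report), the following Python script encodes the affected-version table above together with the fixed releases named in the previous paragraph, so that an asset inventory of (article number, firmware) pairs can be triaged for devices that still need the update. The treatment of `x` in article numbers as a one-character wildcard and the sample inventory are assumptions constructed for the example.

```python
import re

# Affected firmware ranges transcribed from the advisory table above:
# (article-number pattern, product, inclusive (low, high) major-FW ranges).
# Assumption: an 'x' in a pattern is a wildcard for one article-number character.
AFFECTED_PRODUCTS = [
    ("751-9301", "Compact Controller CC100", [(16, 22), (23, 23)]),
    ("752-8303/8000-002", "Edge Controller", [(18, 22), (23, 23)]),
    ("750-81xx/xxx-xxx", "PFC100", [(16, 22)]),
    ("750-82xx/xxx-xxx", "PFC200", [(16, 22)]),
    ("762-5xxx", "Touch Panel 600 Advanced Line", [(16, 22), (23, 23)]),
    ("762-6xxx", "Touch Panel 600 Marine Line", [(16, 22), (23, 23)]),
    ("762-4xxx", "Touch Panel 600 Standard Line", [(16, 22), (23, 23)]),
]

def parse_firmware(text):
    """'FW22', 'FW 22 Patch 1' or 'fw23' -> (major, patch); patch defaults to 0."""
    m = re.fullmatch(r"\s*FW\s*(\d+)(?:\s*Patch\s*(\d+))?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)

def find_product(article_no):
    # Match the article number against the wildcard patterns in the table.
    for pattern, name, ranges in AFFECTED_PRODUCTS:
        if re.fullmatch(re.escape(pattern).replace("x", "[0-9A-Za-z]"), article_no):
            return name, ranges
    return None

def assess(article_no, firmware):
    """Return {'product', 'affected'} for one (article number, firmware) pair."""
    hit = find_product(article_no)
    if hit is None:
        return {"product": None, "affected": False}  # not a listed product
    name, ranges = hit
    major, patch = parse_firmware(firmware)
    fixed = (major == 22 and patch >= 1) or major >= 24  # FW22 Patch 1 or FW24+
    in_range = any(lo <= major <= hi for lo, hi in ranges)
    return {"product": name, "affected": in_range and not fixed}

def triage(inventory):
    return [(a, fw) for a, fw in inventory if assess(a, fw)["affected"]]

SAMPLE_INVENTORY = [  # constructed sample inventory, not real devices
    ("750-8202/025-002", "FW21"),   # PFC200 on FW21: affected
    ("751-9301", "FW22 Patch 1"),    # CC100 on the fix release: not affected
    ("750-8101/000-000", "FW23"),    # FW23 is not listed for PFC100: not affected
    ("762-4301", "FW23"),            # Touch Panel 600 Standard on FW23: affected
]
NEEDS_UPDATE = triage(SAMPLE_INVENTORY)
```

Note that a product whose firmware is outside every listed range (for example FW15, or FW23 on a PFC100) is reported as not affected because the advisory does not list it, not because it has been verified as safe.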
Exposure of Wago Web-Based Management (WBM) Systems
Researchers at Cyble Research and Intelligence Labs (CRIL) observed over 10,000 Wago WBM systems exposed over the internet (via an online scanner). The figure below shows a graphical representation of this exposure. The majority of instances were observed in Germany, Turkey, and Italy.
Note: Exposed instances do not necessarily indicate vulnerable products.
Besides using Online scanners for hunting for internet-exposed WBM, Google Dorking can be utilized to find WBM.
Factory Default Credentials
Vendors dealing with Industrial Control System (ICS) assets and State Agencies have continuously recommended that ICS asset owners change factory default credentials and minimize exposure of critical assets via implementing proper network segmentation. Still, the majority of asset owners have not addressed these issues, resulting in a broad range of attack vectors for Threat Actors (TAs).
During the investigation of internet-exposed WBM, the CRIL team observed that most WBM instances were still running on default credentials, as shown in Figure 2 below.
An attacker accessing internet-exposed WBM can gain all information about the enabled runtime system. The PLC program created in the programming software is provided on the “PLC Runtime Information” page, as shown in Figure 3.
Information such as version details, web server details, state, number of tasks, project details, etc., can be crucial for attackers to gain insights into the operations of the Factory/Organisation/Plant.
As shown in the figure below, a TA can collect network-related information such as hostname, domain name, TCP/IP configuration, DNS server details, etc. Any changes made to the network settings take effect immediately.
An unauthorized attacker can also manipulate the firewall settings, such as MAC address details, which can put the entire security posture of the ICS environment at high risk.
One of the major security concerns that can occur in ICS environments is that the controllers stop abruptly, causing physical damage to heavy machinery and engineers working near them.
If a predefined controller process stops or malfunctions, the complete operations at the site might be halted, resulting in operational, monetary, and reputational losses for the organization.
There are multiple functionalities available in WBM, such as firmware updates, password settings, Service Interface settings, backup file settings, etc., which can be tampered with by an attacker, leading to catastrophic damage within the ICS environment.
Hacktivists targeting Wago WBM
Hacktivists worldwide have been targeting internet-exposed ICS assets using publicly available scripts, tools, and scanners. CRIL released a blog on this topic on July 25, 2022, “Global Hacktivism on Rise”.
In certain attacks, hacktivist groups have also targeted internet-exposed Wago Web-Based Management (WBM) systems. One such example is Operation Khanjar, aka #OpKhanjar, which was launched by Thraxman.
As claimed by TA, this operation targeted Russian factories in Crimea, as shown in the figure below.
Researchers, vendors, and state authorities are actively investigating vulnerabilities and loopholes within ICS environments and assets. If these issues are not addressed by the concerned authority, this may give TAs a broader attack surface to target.
Even though security updates, patches, and alerts are released for asset owners, there is a huge gap in cybersecurity awareness and skillsets when it comes to the Industrial Control Systems (ICS) and Critical Infrastructure (CI) sectors. Various organisations in the ICS segment lack proper visibility over their critical assets and are unable to implement proper network segmentation. Hence, attacks on internet-facing assets are a growing concern and should be treated as a high priority.
With the barrage of new vulnerabilities emerging in ICS components, it is important to understand the impact of vulnerability within the ICS environment. With exploits, scripts, online scanners, and other services readily available for Threat Actors, performing reconnaissance/scanning activities has become more feasible.
The high number of exposed Wago WBM instances, together with the vulnerabilities discovered in WBM, might be actively targeted by various TAs and hacktivist groups in the near future. As many internet-exposed WBMs are running on factory default credentials, there is a possibility that TAs might distribute or sell lists of IPs along with credentials over the dark web and cybercrime forums.
- Implement proper network segmentation to prevent attackers from performing lateral movement and minimize exposure of critical assets over the internet.
- Keeping software, firmware, and applications updated with the recent patches and mitigations released by the official vendor is necessary to prevent attackers from exploiting vulnerabilities.
- Keep critical assets behind properly configured and updated firewalls.
- Organizations should follow a strong password policy at all times.
- Regular audits, vulnerability assessments, and pentesting exercises are key to finding security loopholes that attackers may exploit.
- Conduct cybersecurity awareness training programs for employees within the organization.
This document is created to share our findings and research with the broader cybersecurity community from an academic and knowledge-sharing standpoint. It is in no way an endorsement of the activities described in the report or intended to cause any type of damage to the affected parties. The data points and observations are an indication of events observed for the period discussed in the report and at publication time. Cyble is not liable for any action(s) taken based on these findings and any ensuing consequences.
It is an amalgamation of our collective research on this subject and is not a direct promotion of our brand, platform, or services. This report can be shared freely for academic or knowledge-sharing purposes, provided that Cyble is mentioned as the source of your findings.