WAGO-I/O-SYSTEM CODESYS 2.3 WebVisu Password Extraction

Posted Jul 11, 2014
Authored by Christian Kudera, Stefan Riegler | Site sec-consult.com

WAGO-I/O-SYSTEM with CODESYS version 2.3 WebVisu suffers from a password extraction vulnerability that allows for privilege escalation.

tags | advisory
SHA-256 | b4b37b094d65be35ac36e1dcb871c431cca2cb435ddcdc239b6d051e7de27c35

SEC Consult Vulnerability Lab Security Advisory < 20140710-3 >
=======================================================================
title: Design Issue / Password Disclosure
product: All WAGO-I/O-SYSTEMs which provide a CODESYS V2.3 WebVisu
vulnerable version: Systems which are programmable with <= CODESYS V2.3.9.44
fixed version: -
impact: critical
homepage: http://global.wago.com/en/products/product-catalog/components-automation/overview/index.jsp
found: 2014-04-10
by: C. Kudera, S. Riegler
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"The WAGO-I/O-SYSTEM is a flexible fieldbus-independent solution for
decentralized automation tasks. With the relay, function and interface
modules, as well as overvoltage protection, WAGO provides a suitable interface
for any application."

Source: http://global.wago.com/en/products/product-catalog/components-automation/overview/index.jsp


Business recommendation:
------------------------
The WAGO-I/O-SYSTEM WebVisu can be used to control the components which are
connected to the WAGO controller. For example, the WAGO controller could be used
to steer a pump in a hydroelectric plant. If an attacker can access the WebVisu,
he may destroy the pump through wrong or extreme steering settings.

The WebVisu can be configured to use password authentication, so the access
to controlling or steering functionality is only possible with authentication.
The vulnerability described in this advisory enables an attacker to extract all
the configured passwords without authentication. The attacker can use the
extracted passwords to access the WebVisu and control the system.

Note that this vulnerability is critical since the WAGO controllers have an
Ethernet interface, so depending on the network topology the controllers may be
reachable over the local network or even from the Internet.


Vulnerability overview/description:
-----------------------------------
The WAGO-I/O-SYSTEM runs a web server through which the controller can be
configured. Additionally, a Java applet (called WebVisu) can be stored on the web
server. It is created with the CODESYS programming system. The purpose of the
WebVisu module is to give the user a graphical interface for controlling the
components which are connected to the controller. Normally the WebVisu, if
deployed, is accessible without authentication.

CODESYS offers role-based access control in the form of working groups 0 to 7.
Each object (e.g. button, slider, ...) stores which working group may access,
read or change it. After the WebVisu has been initialized, the user has the
authorization of working group 0.

In the CODESYS programming system it's possible to create a button which
executes the program "INTERN CHANGEUSERLEVEL", which shows the user a dialog
with the title "Change user level". In the dialog he can select the user level
and must enter a password. If the password is correct the current user level is
set to the new user level.

Through the vulnerability an attacker can extract the password for every user
level without authentication. Hence he can access every function that the
developer of the WebVisu has configured.


Proof of concept:
-----------------
Since WAGO did not react and the vulnerability has not been fixed, no proof of
concept is provided in this advisory.


Vulnerable / tested versions:
-----------------------------
The controller tested was WAGO-Application Controller 750-884.


Vendor contact timeline:
------------------------
2014-05-13: Contacted vendor through info@wago.com, requesting encryption keys
and attaching responsible disclosure policy (no answer)
2014-06-03: Contacted vendor again through info@wago.com, requesting encryption
keys and attaching responsible disclosure policy (no answer)
2014-07-10: SEC Consult releases security advisory


Solution:
---------
Since WAGO did not react, no solution can be provided. See the workaround section
for a workaround.


Workaround:
-----------
Delete the webvisu.jar file in the PLC directory via FTP, Telnet or SSH.
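To confirm the workaround has actually been applied across a fleet of controllers, an operator can list the PLC directory over FTP and check that webvisu.jar is gone. The script below is an added example and is not part of the SEC Consult advisory; the PLC directory path "/PLC" and the credentials are placeholder assumptions to be adjusted for the controllers in use.

```python
"""Verify the webvisu.jar workaround on WAGO controllers over FTP.

Added example, not from the advisory. Assumptions: the PLC directory
path ("/PLC") and the FTP credentials are placeholders."""
import posixpath
import sys
from ftplib import FTP, error_perm

WEBVISU_JAR = "webvisu.jar"
PLC_DIR = "/PLC"  # assumption: set to the controller's real PLC directory


def webvisu_present(listing):
    """Return True if an FTP directory listing contains webvisu.jar.

    `listing` is a list of names as returned by FTP.nlst(); entries may be
    bare names or full paths. The match is case-insensitive because the
    controller's FTP server may not preserve the case of file names."""
    return any(posixpath.basename(name).lower() == WEBVISU_JAR
               for name in listing)


def check_controller(host, user, password, plc_dir=PLC_DIR, timeout=10):
    """Return "vulnerable", "mitigated" or "error:<reason>" for one host."""
    try:
        with FTP(host, timeout=timeout) as ftp:
            ftp.login(user, password)
            names = ftp.nlst(plc_dir)  # plain name listing of the PLC dir
    except error_perm as exc:       # directory missing or access denied
        return "error:%s" % exc
    except OSError as exc:          # unreachable host, timeout, refused
        return "error:%s" % exc
    return "vulnerable" if webvisu_present(names) else "mitigated"


if __name__ == "__main__":
    # usage: python check_webvisu.py HOST [HOST ...]  (placeholder credentials)
    for target in sys.argv[1:]:
        print(target, check_controller(target, "user", "password"))
```

A controller reported as "vulnerable" still serves the WebVisu applet and needs the file removed; "error" results should be investigated rather than treated as mitigated.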


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF C. Kudera / @2014
