SEC Consult Vulnerability Lab Security Advisory < 20190612-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: WAGO 852 Industrial Managed Switch Series
 vulnerable version: 852-303: <v1.2.2.S0
                     852-1305: <v1.1.6.S0
                     852-1505: <v1.1.5.S0
      fixed version: 852-303: v1.2.2.S0
                     852-1305: v1.1.6.S0
                     852-1505: v1.1.5.S0
         CVE number: CVE-2019-12550, CVE-2019-12549
             impact: high
           homepage: https://www.wago.com
              found: 2019-03-08
                 by: T. Weber (Office Vienna)
                     IoT Inspector
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"New ideas are the driving force behind our success WAGO is a family-owned
company headquartered in Minden, Germany. Independently operating for three
generations, WAGO is the global leader of spring pressure electrical
interconnect and automation solutions. For more than 60 years, WAGO has
developed and produced innovative products for packaging, transportation,
process, industrial and building automation markets amongst others. Aside from
its innovations in spring pressure connection technology, WAGO has introduced
numerous innovations that have revolutionized industry. Further ground-breaking
inventions include: the WAGO-I/O-SYSTEM®, TOPJOB S® and WALL-NUTS®."

Source: http://www.wago.us/wago/



Business recommendation:
------------------------
SEC Consult recommends to immediately apply the available patches
from the vendor. A thorough security review should be performed by
security professionals to identify further potential security issues.


Vulnerability overview/description:
-----------------------------------
The industrial managed switch series 852 from WAGO is affected by multiple
vulnerabilities such as old software components embedded in the firmware.
Furthermore, hardcoded password hashes and credentials were also found by doing
an automated scan with IoT Inspector. Two vulnerabilities (CVE-2017-16544 and
CVE-2015-0235) were verified by emulating the device with the MEDUSA scaleable
firmware runtime. The validity of the password hashes and the embedded keys were
also verified by emulating the device.


1) Known BusyBox Vulnerabilities
The used BusyBox toolkit in version 1.12.0 is outdated and contains multiple
known vulnerabilities. The outdated version was found by IoT Inspector.
One of the discovered vulnerabilities (CVE-2017-16544) was verified by using
the MEDUSA scaleable firmware runtime.

2) Known GNU glibc Vulnerabilities
The used GNU glibc in version 2.8 is outdated and contains multiple known
vulnerabilities. The outdated version was found by IoT Inspector. One of
the discovered vulnerabilities (CVE-2015-0235, "GHOST") was verified by
using the MEDUSA scaleable firmware runtime.

3) Hardcoded Credentials (CVE-2019-12550)
The device contains hardcoded users and passwords which can be used to login
via SSH and Telnet.

4) Embedded Private Keys (CVE-2019-12549)
The device contains hardcoded private keys for the SSH daemon. The fingerprint
of the SSH host key from the corresponding SSH daemon matches to the embedded
private key.


Proof of concept:
-----------------
1) Known BusyBox Vulnerabilities
BusyBox version 1.12.0 contains multiple CVEs like:
CVE-2013-1813, CVE-2016-2148, CVE-2016-6301, CVE-2011-2716, CVE-2011-5325,
CVE-2015-9261, CVE-2016-2147 and more.

The BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on
an emulated device. A file with the name "\ectest\n\e]55;test.txt\a" was created
to trigger the vulnerability.

-------------------------------------------------------------------------------
# ls "pressing <TAB>"
test
]55;test.txt
#
-------------------------------------------------------------------------------


2) Known GNU glibc Vulnerabilities
GNU glibc version 2.8 contains multiple CVEs like:
CVE-2010-0296, CVE-2010-3856, CVE-2012-4412, CVE-2014-4043, CVE-2014-9402,
CVE-2014-9761, CVE-2014-9984, CVE-2015-1472 and more.

The gethostbyname buffer overflow vulnerability (GHOST) was checked with the help
of the exploit code from https://seclists.org/oss-sec/2015/q1/274. It was compiled
and executed on the emulated device to test the system.


3) Hardcoded Credentials (CVE-2019-12550)
The following credentials were found in the 'passwd' file of the firmware:
<Password Hash>                                 <Plaintext>         <User>
<removed>                                       <removed>            root
No password is set for the account              [EMPTY PASSWORD]     admin

By using these credentials, it's possible to connect via Telnet and SSH on the
emulated device. Example for Telnet:
-------------------------------------------------------------------------------
[root@localhost ~]# telnet 192.168.0.133
Trying 192.168.0.133...
Connected to 192.168.0.133.
Escape character is '^]'.

L2SWITCH login: root
Password:
~ #
-------------------------------------------------------------------------------
Example for SSH:
-------------------------------------------------------------------------------
[root@localhost ~]# ssh 192.168.0.133
root@192.168.0.133's password:
~ #
-------------------------------------------------------------------------------


4) Embedded Private Keys (CVE-2019-12549)
The following host key fingerprint is shown by accessing the SSH daemon on
the emulated device:

[root@localhost ~]# ssh 192.168.0.133
The authenticity of host '192.168.0.133 (192.168.0.133)' can't be established.
RSA key fingerprint is SHA256:X5Vr0/x0/j62N/aqZmHz96ojwl8x/I8mfzuT8o6uZso.
RSA key fingerprint is MD5:2e:65:85:fc:45:04:bd:68:30:74:51:45:7d:2f:95:e2.

This matches the embedded private key (which has been removed from this advisory):
SSH Fingerprint: 2e:65:85:fc:45:04:bd:68:30:74:51:45:7d:2f:95:e2


Vulnerable / tested versions:
-----------------------------
According to the vendor, the following versions are affected:
* 852-303: <v1.2.2.S0
* 852-1305: <v1.1.6.S0
* 852-1505: <v1.1.5.S0


Vendor contact timeline:
------------------------
2019-03-12: Contacting VDE CERT through info@cert.vde.com, received confirmation
2019-03-26: Asking for a status update, VDE CERT is still waiting for details
2019-03-28: VDE CERT requests information from WAGO again
2019-04-09: Asking for a status update
2019-04-11: VDE CERT: patched firmware release planned for end of May, requested
            postponement of advisory release
2019-04-16: VDE CERT: update regarding affected firmware versions
2019-04-24: Confirming advisory release for beginning of June
2019-05-20: Asking for a status update
2019-05-22: VDE CERT: no news from WAGO yet, 5th June release date
2019-05-29: Asking for a status update
2019-05-29: VDE CERT: detailed answer from WAGO, patches will be published
            on 7th June, SEC Consult proposes new advisory release date for
            12th June
2019-06-07: VDE CERT provides security advisory information from WAGO;
            WAGO releases security patches
2019-06-12: Coordinated release of security advisory


Solution:
---------
The vendor provides patches to their customers at their download page. The
following versions fix the issues:
* 852-303: v1.2.2.S0
* 852-1305: v1.1.6.S0
* 852-1505: v1.1.5.S0

According to the vendor, busybox and glibc have been updated and the embedded
private keys are being newly generated upon first boot and after a factory reset.
The root login via Telnet and SSH has been disabled and the admin account is
documented and can be changed by the customer.



Workaround:
-----------
Restrict network access to the device & SSH server.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF T. Weber / @2019