The Department of Homeland Security recently issued an advisory about an improper authentication vulnerability in WAGO PFC200 programmable logic devices. What are these WAGO PFC200 logic devices used for, and what is the vulnerability that enables threat actors to use them in attacks?
WAGO PFC200 programmable logic controller (PLC) devices are ultra-compact automation systems based primarily on the Linux-based CODESYS Runtime, and they have multiple communication ports. They offer web-based process visualization for traditional machine control, building automation, lighting technology, power distribution, petrochemical processing, wastewater processing and airport traffic engineering.
For example, food stores use the WAGO PFC200 as the main controller for air conditioning. The store headquarters uses the Hakko-Denki Touch Panel Monitor to remotely monitor energy usage by store, while other staffers use WAGO's WebVisu mobile application, and still others use the controller's slot for an SD card and a laptop to do remote analysis of process data.
The vulnerabilities are in CODESYS Runtime version 2.4.x and earlier, and they could enable an unauthenticated attacker to take over the organization's industrial network.
As was discovered by SEC Consult, the attacker can remotely access a service named pclinuxos. By exploiting certain functions, the attacker can send malicious TCP packets to the default bound port 2455 to change the rules on how data is communicated over a network. A tool from Digital Bond can then be used to write, read and delete arbitrary files.
By default, WAGO PFC200 PLCs enable Secure Shell (SSH), which an attacker could use after changing the password hashes in the /etc/shadow file to gain privileged access to WAGO PFC200 PLC devices.
Skipping a function or making other malicious changes in the PLC program during runtime can cause a controller device to misbehave or stop working. In the worst-case scenario, an attacker could launch a denial-of-service attack against the organization's network by continuously restarting the device.
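A defender's view of the traffic described above, as an added example that is not part of the original article: it scans constructed flow records for TCP connections to PLC addresses on port 2455 or SSH from hosts outside an allowlist. The record format, the addresses and the allowlist of engineering workstations are assumptions.

```python
import ipaddress
from collections import defaultdict

# Ports named in the article: 2455 (runtime service) and SSH (22, enabled by default).
WATCHED_PORTS = {2455: "CODESYS runtime service", 22: "SSH"}

# Constructed sample flow records (assumed format): timestamp,src,dst,dport,proto
SAMPLE_FLOWS = """\
2018-01-10T08:00:01Z,10.20.0.5,10.20.1.11,2455,tcp
2018-01-10T08:00:07Z,10.20.0.5,10.20.1.11,22,tcp
2018-01-10T08:03:12Z,192.0.2.44,10.20.1.11,2455,tcp
2018-01-10T08:03:15Z,192.0.2.44,10.20.1.11,2455,tcp
2018-01-10T08:04:40Z,192.0.2.44,10.20.1.12,22,tcp
2018-01-10T08:05:00Z,10.20.0.9,10.20.1.12,502,tcp
garbage line without enough fields
"""

def flag_plc_access(flow_text, plc_net, allowed_sources):
    """Return unexpected (src, dst, port) flows to PLCs with hit counts and time range."""
    plcs = ipaddress.ip_network(plc_net)
    allowed = {ipaddress.ip_address(a) for a in allowed_sources}
    hits = defaultdict(list)
    for line in flow_text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue  # skip malformed records
        ts, src, dst, dport, proto = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        if proto != "tcp" or port not in WATCHED_PORTS or dst_ip not in plcs:
            continue
        if src_ip in allowed:
            continue  # expected engineering workstation traffic
        hits[(src, dst, port)].append(ts)
    return [
        {"src": s, "dst": d, "port": p, "service": WATCHED_PORTS[p],
         "count": len(t), "first": min(t), "last": max(t)}
        for (s, d, p), t in sorted(hits.items())
    ]

if __name__ == "__main__":
    # Assumed PLC subnet and a single allowed engineering workstation.
    for finding in flag_plc_access(SAMPLE_FLOWS, "10.20.1.0/24", ["10.20.0.5"]):
        print(finding)
```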