The Department of Homeland Security recently issued an advisory about an improper authentication vulnerability...
in WAGO PFC200 programmable logic devices. What are these WAGO PFC200 logic devices used for, and what is the vulnerability that enables threat actors to use them in attacks?
WAGO PFC200 programmable logic controller (PLC) devices are ultra-compact automation systems based primarily on Linux-based CODESYS Runtime, and they run on multiple communication ports. Users can benefit from their web process visualization of traditional machine control, building automation, lighting technology, power distribution, petrochemical processing, wastewater processing and airport traffic engineering.
For example, food stores use WAGO PFC200 as the main controller for air conditioning. The store headquarters uses the Hakko-Denki Touch Panel Monitor to remotely monitor energy usage by store, as well as staffers who use WAGO's WebVisu mobile application, and the staff who use controller lots for an SD card in a laptop to do remote analysis of process data.
The vulnerability points are in CODESYS Runtime version 2.4.x and earlier, and they could enable an unauthenticated attacker to take over the organization's industrial network.
As was discovered by SEC Consult, the attacker can remotely access a service named pclinuxos. By exploiting certain functions, the attacker can send malicious TCP packets to the default bound port 2455 to change the rules on how data is communicated over a network. A tool from Digital Bond can then be used to write, read and delete arbitrary files.
By default, WAGO PFC200 PLCs enable Secure Socket Shell, which an attacker could use to change the ETC or shadow file of password hashes to allow privileged access to WAGO PFC200 PLC devices.
Skipping a function and other malicious changes in the PLC program during runtime can cause a controller device to misbehave or stop working. In the worst case scenario, an attacker could launch a denial-of-service attack against the organization's network by continuously restarting the device.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Dig Deeper on Alternative operating system security
Related Q&A from Judith Myerson
The Constrained Application Protocol underpins IoT networks. But the protocol could allow a threat actor to launch an attack. Continue Reading
Dutch researchers discovered flaws in ATA security and TCG Opal affecting self-encrypting drives. What steps can you take to guard data stored on ... Continue Reading
The Signal Desktop application was found to be making decryption keys available in plaintext. Learn how the SQLite database and plaintext passwords ... Continue Reading