The Department of Homeland Security recently issued an advisory about an improper authentication vulnerability in WAGO PFC200 programmable logic devices. What are these WAGO PFC200 logic devices used for, and what is the vulnerability that enables threat actors to use them in attacks?
WAGO PFC200 programmable logic controller (PLC) devices are ultra-compact automation systems based primarily on the Linux-based CODESYS Runtime, and they communicate over multiple ports. Users can benefit from their web process visualization for traditional machine control, building automation, lighting technology, power distribution, petrochemical processing, wastewater processing and airport traffic engineering.
For example, food stores use WAGO PFC200 as the main controller for air conditioning. The store headquarters uses the Hakko-Denki Touch Panel Monitor to remotely monitor energy usage by store. Some staffers use WAGO's WebVisu mobile application, and others use the controller's slot for an SD card, together with a laptop, to do remote analysis of process data.
The vulnerability lies in CODESYS Runtime version 2.4.x and earlier, and it could enable an unauthenticated attacker to take over the organization's industrial network.
As SEC Consult discovered, the attacker can remotely access a service named pclinuxos. By exploiting certain functions, the attacker can send malicious TCP packets to the default bound port 2455 to change the rules on how data is communicated over a network. A tool from Digital Bond can then be used to write, read and delete arbitrary files.
By default, WAGO PFC200 PLCs enable Secure Socket Shell (SSH), which an attacker who has changed the /etc/shadow file of password hashes could use to gain privileged access to WAGO PFC200 PLC devices.
Skipping a function and making other malicious changes in the PLC program during runtime can cause a controller device to misbehave or stop working. In the worst-case scenario, an attacker could launch a denial-of-service attack against the organization's network by continuously restarting the device.
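A defender's view of the traffic pattern described above, as an added example that is not part of the original answer: it scans flow records for connections to PLCs on TCP port 2455 from hosts that are not approved engineering workstations, and escalates when the same source then opens SSH to the same controller. The subnet, the allowlisted host, the log format and the sample records are all constructed assumptions.

```python
import ipaddress

CODESYS_PORT = 2455   # default bound port named in the answer above
SSH_PORT = 22         # SSH is enabled by default on the PFC200 per the answer

# Assumptions (hypothetical values): PLC subnet and hosts allowed to program PLCs.
PLC_NET = ipaddress.ip_network("10.20.0.0/24")
ENGINEERING_HOSTS = {ipaddress.ip_address("10.10.5.11")}

# Constructed flow records: "timestamp src src_port dst dst_port proto action"
SAMPLE_FLOWS = """\
2018-03-01T08:00:01Z 10.10.5.11 50112 10.20.0.15 2455 tcp allow
2018-03-01T08:03:40Z 10.30.7.88 41022 10.20.0.15 2455 tcp allow
2018-03-01T08:03:41Z 10.30.7.88 41023 10.20.0.15 22 tcp allow
2018-03-01T08:04:02Z 203.0.113.9 55210 10.20.0.16 2455 tcp deny
2018-03-01T08:05:00Z 10.10.5.11 50200 10.40.1.1 443 tcp allow
malformed line
"""

def parse_flow(line):
    """Return a dict for one flow record, or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, _sport, dst, dport, proto, action = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "dport": int(dport),
                "proto": proto.lower(), "action": action.lower()}
    except ValueError:
        return None

def find_alerts(text):
    """Return (timestamp, src, dst, severity) tuples for suspicious PLC traffic."""
    alerts, touched = [], set()
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["proto"] != "tcp" or flow["dst"] not in PLC_NET:
            continue
        if flow["src"] in ENGINEERING_HOSTS:
            continue  # approved programming station
        pair, allowed = (flow["src"], flow["dst"]), flow["action"] == "allow"
        hit = (flow["ts"], str(flow["src"]), str(flow["dst"]))
        if flow["dport"] == CODESYS_PORT:
            if allowed:
                touched.add(pair)  # remember who reached the runtime service
            alerts.append(hit + ("high" if allowed else "info",))
        elif flow["dport"] == SSH_PORT and allowed and pair in touched:
            alerts.append(hit + ("critical",))  # SSH after runtime access
    return alerts
```

A denied attempt is still reported at "info" severity because it shows that something outside the engineering network is probing the runtime port.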