Full Report
Exploitation of the vulnerabilities could allow a remote compromise of the managed switch, resulting in disruption of communication and root access to the operating system
Analysis Summary
# Vulnerability: Multiple Critical Flaws in WAGO Industrial Managed Switches
## CVE Details
- **CVE ID:** CVE-2018-1298, CVE-2018-1299
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-121 (Stack-based Buffer Overflow), CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
## Affected Systems
- **Products:** WAGO Managed Industrial Switches
- **Versions:**
- 852-303 (All versions prior to FW 2.0.0.01)
- 852-1305 (All versions prior to FW 2.0.0.01)
- **Configurations:** Devices with the web-based management interface enabled.
## Vulnerability Description
The vulnerabilities exist within the web server component used for configuration and management of the switches.
- **CVE-2018-1298:** A stack-based buffer overflow flaw that occurs when the system processes specifically crafted HTTP requests. An unauthenticated attacker can send a malicious payload to trigger the overflow.
- **CVE-2018-1299:** A similar memory corruption issue related to how the device handles input parameters in the web interface.
These flaws allow for remote code execution (RCE) with the highest privileges (root) because the web server process runs with administrative rights on the underlying Linux-based operating system.
## Exploitation
- **Status:** PoC available (originally demonstrated by researchers); no widespread exploitation in the wild at the time of initial disclosure.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Total (Full access to system files and traffic)
- **Integrity:** Total (Ability to modify firmware, settings, and communication)
- **Availability:** Total (Ability to brick the device or disrupt all network switching operations)
## Remediation
### Patches
WAGO has released firmware updates to address these vulnerabilities. Users should upgrade to the following or later versions:
- **Firmware Version 2.0.0.01** for both 852-303 and 852-1305 series switches.
### Workarounds
- **Disable Web Management:** If not strictly required for daily operations, disable the HTTP/HTTPS management interface.
- **VLAN Isolation:** Restrict access to the management interface to a dedicated management VLAN with strict ACLs.
- **Firewalling:** Block access to the switches' web ports (80/TCP, 443/TCP) from untrusted networks or the general corporate LAN.
## Detection
- **Indicators of Compromise:** Unexpected reboots of the switch, unauthorized changes to configuration files, or unusual network traffic originating from the switch's IP address.
- **Detection methods:** Use industrial-grade IDS/IPS signatures that scan for malformed HTTP requests targeting WAGO device management ports. Security teams should audit web server logs for suspiciously long strings in URI parameters.
## References
- **WAGO Advisory:** hxxps[://]www[.]wago[.]com/global/support/product-security-advisories
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/reports/2019/06/17/critical-vulnerabilities-in-wago-industrial-switches/
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2018-1298