Full Report
WAGO has closed a critical vulnerability (improper authentication) in its PFC200 Series PLCs.
Analysis Summary
# Vulnerability: Improper Authentication in WAGO PFC200 Series
## CVE Details
- **CVE ID:** CVE-2018-7243
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-287 (Improper Authentication)
## Affected Systems
- **Products:** WAGO PFC200 Series Programmable Logic Controllers (PLCs)
- **Versions:** Firmware versions prior to 02.08.35(11)
- **Configurations:** Systems with the runtime environment accessible via the network.
## Vulnerability Description
The vulnerability stems from improper authentication in the PLC's runtime environment. Specifically, the device fails to adequately verify the identity of a user or process attempting to access certain communication services. An unauthenticated attacker can connect to the device and execute commands or modify parameters without providing valid credentials.
## Exploitation
- **Status:** Vulnerability is publicly known; PoC was developed by researchers (SEC Consult) to demonstrate the flaw.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Ability to read sensitive device configuration and process data)
- **Integrity:** High (Ability to modify PLC logic, control parameters, and firmware settings)
- **Availability:** High (Potential to cause device crashes or shutdown industrial processes)
## Remediation
### Patches
WAGO has released firmware updates to address this flaw.
- **Solution:** Update PFC200 Series firmware to **FW11 (02.08.35)** or later.
### Workarounds
- **Network Segmentation:** Isolate the PLCs from the public internet and general corporate networks.
- **Access Control Lists (ACLs):** Restrict access to the PLC’s communication ports (e.g., ports related to the Web-Based Management and runtime services) to authorized engineering workstations only.
- **VPN:** Use secure tunnels (VPNs) for any required remote access to the industrial network.
## Detection
- **Indicators of Compromise:** Unusual configuration changes, unexpected device reboots, or unauthorized connections from unknown IP addresses to the PLC's control ports.
- **Detection methods and tools:** Monitoring of industrial network traffic for unauthorized communication with WAGO devices; use of Intrusion Detection Systems (IDS) with signatures for WAGO protocol anomalies.
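One way to implement the network-monitoring check described above, as an added example that is not part of the advisory: compare connection records against an allowlist of engineering workstations and flag any other host reaching a PLC control port. The PLC addresses, workstation addresses, port numbers and flow lines are constructed placeholders (assumptions), not WAGO defaults.

```python
"""Allowlist check for connections to PLC control ports (added example)."""
from collections import Counter

# Constructed inventory (assumption): replace with the real asset list.
PLC_HOSTS = {"10.10.20.11", "10.10.20.12"}
ENGINEERING_WORKSTATIONS = {"10.10.10.5"}
# Placeholder port numbers standing in for the runtime and Web-Based
# Management services (assumption, not the device's real ports).
RUNTIME_PORT = 12345
WBM_PORT = 12346
PLC_CONTROL_PORTS = {RUNTIME_PORT, WBM_PORT}

# Constructed sample flow records (assumption: "src_ip dst_ip dst_port").
SAMPLE_FLOWS = """\
10.10.10.5 10.10.20.11 12345
10.10.10.5 10.10.20.11 12346
192.168.1.77 10.10.20.11 12345
10.10.10.9 10.10.20.12 12346
10.10.10.9 10.10.20.12 443
203.0.113.4 10.10.20.12 12345
203.0.113.4 10.10.20.11 12345
"""


def parse_flow(line):
    """Split one record into (src_ip, dst_ip, dst_port)."""
    src, dst, port = line.split()
    return src, dst, int(port)


def find_unauthorized(flows):
    """Return (src, dst, port) for every connection to a PLC control port
    that did not originate from an allowlisted engineering workstation."""
    hits = []
    for line in flows.splitlines():
        if not line.strip():
            continue
        src, dst, port = parse_flow(line)
        if dst in PLC_HOSTS and port in PLC_CONTROL_PORTS \
                and src not in ENGINEERING_WORKSTATIONS:
            hits.append((src, dst, port))
    return hits


def summarize(hits):
    """Count offending source hosts so repeated attempts stand out."""
    return Counter(src for src, _, _ in hits)


if __name__ == "__main__":
    for src, dst, port in find_unauthorized(SAMPLE_FLOWS):
        print(f"ALERT: {src} reached PLC {dst}:{port} outside the allowlist")
```

Traffic to non-control ports (the 443 record) and traffic from the allowlisted workstation are ignored; everything else to a PLC control port is reported.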
## References
- **Vendor Advisory:** hxxps[://]www[.]wago[.]com/global/support/product-security-advisories
- **Source Article:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/2018/02/22/critical-vulnerability-in-wago-pfc200-controllers-closed/
- **SEC Consult Advisory:** hxxps[://]sec-consult[.]com/vulnerability-lab/advisory/improper-authentication-vulnerability-in-wago-pfc200/