Full Report
WAGO has fixed multiple vulnerabilities in e!DISPLAY 7300T series HMI devices. Exploitation of these vulnerabilities could enable attackers to execute arbitrary code or overwrite critical files.
Analysis Summary
# Vulnerability: Multiple Security Flaws in WAGO e!DISPLAY 7300T HMI Series
## CVE Details
- **CVE ID:** CVE-2018-12977, CVE-2018-12978, CVE-2018-12979
- **CVSS Score:** 9.8 (Critical) - *Aggregated highest score*
- **CWE:** CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), CWE-434 (Unrestricted Upload of File with Dangerous Type), CWE-78 (OS Command Injection)
## Affected Systems
- **Products:** WAGO e!DISPLAY 7300T series Web Panels (HMI)
- **Versions:** All firmware versions prior to FW 03
- **Configurations:** Devices with web-based management interfaces accessible over the network.
## Vulnerability Description
The e!DISPLAY 7300T series suffered from several critical vulnerabilities within its web-based management interface:
1. **Directory Traversal (CVE-2018-12977):** An attacker can bypass security filters to access files outside of the intended directory, potentially exposing sensitive system configuration files.
2. **Unrestricted File Upload (CVE-2018-12978):** The interface allows for the upload of arbitrary files without proper validation. This can be used to place malicious scripts (e.g., web shells) on the device.
3. **OS Command Injection (CVE-2018-12979):** Improper neutralization of special elements in user-supplied input allows an attacker to execute arbitrary system commands via the web interface with elevated privileges.
## Exploitation
- **Status:** Not widely exploited in the wild at the time of reporting; however, the flaws are well-documented.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Access to sensitive credentials and system files)
- **Integrity:** High (Ability to overwrite critical system files and configuration)
- **Availability:** High (Potential to crash the device or render it inoperable)
## Remediation
### Patches
- **Firmware Update:** WAGO released **Firmware Version 03** (and subsequent versions) to address these vulnerabilities. Users are urged to update to the latest available firmware.
### Workarounds
- **Network Segmentation:** Isolate HMI devices from the public internet and business networks using firewalls/VLANs.
- **Access Control:** Restrict access to the web management interface to authorized IP addresses only.
- **Disable Unused Services:** Disable any management protocols (HTTP/HTTPS) if they are not strictly required for operation.
## Detection
- **Indicators of Compromise:**
  - Presence of unexpected files in the `/var/www/` or `/tmp/` directories.
  - Unusual entries in web server logs showing `../` sequences in URL requests.
  - Outbound connections from the HMI to unknown external IP addresses.
- **Detection methods:** Use Industrial Intrusion Detection Systems (IIDS) to monitor for non-standard HTTP POST requests or command injection patterns targeting the WAGO device management port.
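The log indicator above (`../` sequences in URL requests) is easy to miss when the sequence is percent-encoded or double-encoded, so the following added example, which is not part of the advisory or of any WAGO tooling, decodes each request target before matching. It assumes the web server writes Common/Combined Log Format; the `/example/...` paths and all sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: Common/Combined Log Format; adjust LOG_RE to the device's real log layout.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# ".." as a whole path segment, or directly after a parameter delimiter.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/=&])\.\.(?:[\\/]|$)')
# Shell metacharacters in a decoded query string; ";" can be noisy on some applications.
SHELL_META_RE = re.compile(r'[;|`]|\$\(')

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jul/2018:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Jul/2018:10:00:05 +0000] "GET /example/view?file=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1024',
    '198.51.100.7 - - [17/Jul/2018:10:00:09 +0000] "GET /example/%252e%252e/%252e%252e/conf HTTP/1.1" 404 0',
    '198.51.100.7 - - [17/Jul/2018:10:00:12 +0000] "POST /example/set?name=panel%3Bid HTTP/1.1" 200 16',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (client_ip, findings) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    path, query = fully_decode(path), fully_decode(query)
    findings = []
    if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(query):
        findings.append("traversal")
    if SHELL_META_RE.search(query):
        findings.append("shell-metacharacter")
    return m.group("ip"), findings

def scan(lines):
    """Return only the parsed lines that carry at least one finding."""
    return [r for r in map(classify, lines) if r and r[1]]

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, ",".join(findings))
```

A hit with a 200 status deserves priority over one with a 404, since it suggests the request was served rather than rejected.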
## References
- **WAGO Advisory:** hxxps[://]www[.]wago[.]com/global/support/psirt
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2018/07/17/multiple-vulnerabilities-fixed-in-wago-operator-panels/
- **VULDB Entry:** hxxps[://]vuldb[.]com/?id[.]121544