Full Report
Kaspersky Lab has discovered a denial-of-service vulnerability in the WAGO 750 controllers.
Analysis Summary
# Vulnerability: WAGO 750 Controllers FTP Service Denial of Service
## CVE Details
- **CVE ID:** CVE-2022-38371
- **CVSS Score:** 7.5 (High) - *Note: While the article's text mentions 0.0, the provided vector string (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) calculates to 7.5.*
- **CWE:** CWE-400: Uncontrolled Resource Consumption
## Affected Systems
- **Products:** WAGO 750 Series Controllers (specifically 750-3x and 750-8x series)
- **Versions:**
  - 750-330 (FW13 and before)
  - 750-332 (FW10 and before)
  - 750-352, 750-852, 750-880, 750-881, 750-882, 750-885, 750-889 (FW14/16 and before)
  - 750-362/363/364/365, 750-823, 750-832, 750-862, 750-890/891/893 (FW10 and before)
  - 750-829, 750-831 (FW13 and before)
- **Configurations:** Systems where the FTP server is enabled (Port 21/TCP).
## Vulnerability Description
A flaw in the FTP server component of WAGO 750 controllers allows uncontrolled resource consumption. By sending specially crafted requests to the FTP service, an attacker can trigger a denial-of-service (DoS) condition. The device becomes unresponsive, and a complete physical restart of the controller is required to restore normal operation.
## Exploitation
- **Status:** Proof-of-Concept (PoC) available
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Complete device lock-up requiring manual reboot)
## Remediation
### Patches
WAGO has released or scheduled the following firmware versions to address the flaw:
- **FW17 (released Q1/2023):** 750-330, 750-352, 750-829, 750-831, 750-852, 750-880, 750-881, 750-882, 750-885, 750-889.
- **FW11 (released Q1/2023):** 750-362, 750-363, 750-364, 750-365, 750-823, 750-862, 750-890, 750-891, 750-893.
- **FW11 (After BACnet certification):** 750-332, 750-832.
### Workarounds
- **Disable FTP:** If FTP data transfer is not required, deactivate the FTP Server via the Web-Based Management (WBM) interface.
- **Default Config:** Note that for models 750-362 through 750-365 and 750-823/862/890-893, the FTP server is disabled by default.
- **Network Isolation:** Ensure ICS devices are not directly accessible from the internet.
## Detection
- **Indicators of Compromise:** Unresponsive controller, failure of automation logic, and inability to connect via standard management ports following unusual traffic to Port 21.
- **Detection Methods:** Monitor network traffic for anomalous or high-frequency connection attempts to TCP port 21. Use firewalls to log and restrict access to the FTP service to authorized IP addresses only.
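
One way to implement the port 21 monitoring described above, as an added example that is not part of the advisory: a sliding-window check over connection logs that flags FTP connections to controllers from sources outside an allowlist, and bursts of FTP connections from any source. The log format, addresses, window and threshold are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions (not from the advisory): addresses, allowlist, window, threshold.
CONTROLLERS = {"10.20.0.11", "10.20.0.12"}  # hypothetical WAGO 750 addresses
FTP_ALLOWLIST = {"10.20.5.40"}               # hypothetical engineering workstation
WINDOW = timedelta(seconds=60)
MAX_CONN_PER_WINDOW = 3

# Constructed sample log, one connection per line: "timestamp src dst dport action"
SAMPLE_LOG = """\
2023-02-01T08:00:00 10.20.5.40 10.20.0.11 21 ALLOW
2023-02-01T08:00:02 10.20.5.40 10.20.0.11 80 ALLOW
2023-02-01T08:01:00 10.20.9.77 10.20.0.12 21 ALLOW
2023-02-01T08:05:00 10.20.5.40 10.20.0.12 21 ALLOW
2023-02-01T08:05:01 10.20.5.40 10.20.0.12 21 ALLOW
2023-02-01T08:05:02 10.20.5.40 10.20.0.12 21 ALLOW
2023-02-01T08:05:03 10.20.5.40 10.20.0.12 21 ALLOW
2023-02-01T08:09:00 10.20.5.40 10.20.0.11 21 ALLOW
"""

def analyze(log_text):
    """Return a sorted list of (kind, src, dst) alerts for FTP traffic to controllers."""
    alerts = set()
    recent = defaultdict(deque)  # (src, dst) -> timestamps still inside WINDOW
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts_raw, src, dst, dport, _action = parts
        if dst not in CONTROLLERS or dport != "21":
            continue  # only FTP control connections to controllers matter here
        ts = datetime.fromisoformat(ts_raw)
        if src not in FTP_ALLOWLIST:
            alerts.add(("unauthorized_source", src, dst))
        window = recent[(src, dst)]
        window.append(ts)
        while ts - window[0] > WINDOW:
            window.popleft()  # drop connections older than the window
        if len(window) > MAX_CONN_PER_WINDOW:
            alerts.add(("high_frequency", src, dst))
    return sorted(alerts)

if __name__ == "__main__":
    for kind, src, dst in analyze(SAMPLE_LOG):
        print(f"{kind}: {src} -> {dst}:21")
```

The rate check applies to allowlisted sources as well, so a misbehaving script on an authorized workstation is still reported.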
## References
- **Vendor Advisory:** hxxps://cert[.]vde[.]com/en/advisories/VDE-2022-047/
- **NVD Entry:** hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2022-38371
- **Kaspersky ICS CERT:** hxxps://ics-cert[.]kaspersky[.]com/advisories/2022/10/12/klcert-22-046-wago-750-controllers-denial-of-service-of-the-ftp-server/