"Critical Vulnerabilities Allow Hackers to Take Full Control of Wago PLCs"

German industrial automation solutions provider Wago has recently released patches for several of its programmable logic controllers (PLCs) to address four vulnerabilities, including ones that can be exploited to take full control of the targeted device. The vulnerabilities were discovered by Ryan Pickren from the Georgia Institute of Technology’s Cyber-Physical Security Lab. The issues were identified by Pickren as part of a PhD project on the security of industrial control systems (ICS). During the analysis of Wago PLCs, Pickren discovered several vulnerabilities in the web-based management interface designed for administering, commissioning, and updating devices.

Two of the flaws have been assigned a critical severity rating. One of them, a missing authentication issue tracked as CVE-2022-45138, can be exploited by an unauthenticated attacker to read and set some device parameters, which can lead to a full compromise of the controller. The second critical vulnerability, CVE-2022-45140, allows an unauthenticated attacker to write arbitrary data with root privileges, which can result in arbitrary code execution and a full system compromise. Pickren noted that of the two medium-severity vulnerabilities found, one can be exploited for cross-site scripting (XSS) attacks, and the other can lead to information disclosure with limited impact.

Pickren stated that these bugs can be chained together and weaponized in two different ways: 1) direct network access (i.e., the adversary is within the ICS or is attacking an Internet-facing device) or 2) via cross-origin web requests (i.e., the adversary lures somebody within the ICS into viewing their malicious website). Pickren noted that neither scenario requires any user interaction (besides just visiting the site) or permissions. The chain is completely unauthenticated.

 

SecurityWeek reports: "Critical Vulnerabilities Allow Hackers to Take Full Control of Wago PLCs"

Submitted by Anonymous on